Simplify RBAC Configuration for ApplicationSets in Any Namespace #2919

Open
Skaronator opened this issue Sep 12, 2024 · 0 comments
Is your feature request related to a problem?

I'm working on enabling both Applications and ApplicationSets in any namespace, which requires extensive configuration due to security constraints.

There’s one area in the Helm chart that could be simplified for this setup:

Currently, you need to set a configuration in configs.params to enable ApplicationSets in any namespace. However, after doing this, I encountered an RBAC permissions issue where the ApplicationSet controller lacks the correct permissions:

W0912 08:37:18.346201       7 reflector.go:539] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.Application: applications.argoproj.io is forbidden: User "system:serviceaccount:ops:argocd-applicationset-controller" cannot list resource "applications" in API group "argoproj.io" at the cluster scope
E0912 08:37:18.346268       7 reflector.go:147] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Application: failed to list *v1alpha1.Application: applications.argoproj.io is forbidden: User "system:serviceaccount:ops:argocd-applicationset-controller" cannot list resource "applications" in API group "argoproj.io" at the cluster scope

Upon reviewing the Helm chart code, I found that setting applicationSet.allowAnyNamespace to true is also required to grant the necessary RBAC permissions.

This dual configuration adds complexity to the setup process. Simplifying this within the Helm chart would be beneficial.

Related helm chart

argo-cd

Describe the solution you'd like

Once configs.params.applicationsetcontroller.namespaces is configured, the Helm chart should automatically provision the correct RBAC permissions. This would effectively set applicationSet.allowAnyNamespace to true without requiring additional manual configuration steps. This automation would simplify the setup process and reduce the risk of misconfiguration.

Describe alternatives you've considered

No response

Additional context

No response
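
A triage helper for the denial messages quoted in the issue, added here as an example (it is not part of the issue or of the Argo CD Helm chart). It extracts which subject was denied which verb on which resource and at what scope; the function names and the sample log are constructed for illustration.

```python
import re
from collections import Counter

# Shape of a Kubernetes authorization denial, as seen in the log lines in the issue.
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:in the namespace "(?P<namespace>[^"]+)"|at the cluster scope)'
)

# Constructed sample input modelled on the issue's log lines (source paths shortened).
SAMPLE_LOG = """\
W0912 08:37:18.346201 7 reflector.go:229: failed to list *v1alpha1.Application: applications.argoproj.io is forbidden: User "system:serviceaccount:ops:argocd-applicationset-controller" cannot list resource "applications" in API group "argoproj.io" at the cluster scope
E0912 08:37:18.346268 7 reflector.go:229: Failed to watch *v1alpha1.Application: failed to list *v1alpha1.Application: applications.argoproj.io is forbidden: User "system:serviceaccount:ops:argocd-applicationset-controller" cannot list resource "applications" in API group "argoproj.io" at the cluster scope
I0912 08:37:19.000000 7 controller.go:10: reconcile complete
E0912 08:37:20.000000 7 reflector.go:229: applicationsets.argoproj.io is forbidden: User "system:serviceaccount:ops:argocd-applicationset-controller" cannot watch resource "applicationsets" in API group "argoproj.io" in the namespace "team-a"
"""


def missing_permissions(log_text):
    """Count each distinct denial as (subject, verb, group, resource, scope)."""
    denials = Counter()
    for line in log_text.splitlines():
        m = FORBIDDEN.search(line)
        if not m:
            continue  # not an RBAC denial
        scope = f'namespace/{m["namespace"]}' if m["namespace"] else "cluster"
        denials[(m["user"], m["verb"], m["group"], m["resource"], scope)] += 1
    return denials


def needs_cluster_rbac(denials, subject):
    """True if the subject was denied at cluster scope, which a namespaced
    Role/RoleBinding cannot grant (it takes a ClusterRole and ClusterRoleBinding)."""
    return any(key[0] == subject and key[4] == "cluster" for key in denials)


if __name__ == "__main__":
    found = missing_permissions(SAMPLE_LOG)
    for (user, verb, group, resource, scope), n in sorted(found.items()):
        print(f"{n}x {user}: {verb} {group}/{resource} @ {scope}")
```
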
