ApplicationController unable to create Events with default install: Unable to create audit event: events is forbidden

Open jgwest opened this issue 4 years ago • 7 comments

Describe the bug

The ApplicationController is unable to create events, due to missing RBAC rules.

The following is printed in the ApplicationController pod log:

Unable to create audit event: events is forbidden: User \"system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller\" cannot create resource \"events\" in API group \"\" in the namespace \"openshift-gitops\"" application=guestbook dest-namespace=openshift-gitops dest-

To Reproduce

  1. Get a fresh OpenShift cluster
  2. Install GitOps Operator 1.1.2 from OperatorHub
  3. Login to the cluster from the CLI, with oc/kubectl
  4. kubectl apply this:

     apiVersion: argoproj.io/v1alpha1
     kind: Application
     metadata:
       name: guestbook
       namespace: openshift-gitops
     spec:
       destination:
         server: https://kubernetes.default.svc
         namespace: openshift-gitops
       project: default
       source:
         path: guestbook
         repoURL: https://github.com/argoproj/argocd-example-apps.git
         targetRevision: HEAD

  5. Check the controller logs: kubectl logs pod/openshift-gitops-application-controller-0

You will see: time="2021-06-28T20:46:15Z" level=error msg="Unable to create audit event: events is forbidden: User \"system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller\" cannot create resource \"events\" in API group \"\" in the namespace \"openshift-gitops\"" application=guestbook dest-namespace=openshift-gitops dest-server="https://kubernetes.default.svc" reason=ResourceUpdated type=Normal

Additional context

This was originally reported on May 5th on this bug https://github.com/redhat-developer/gitops-operator/issues/116, but I have pulled out the behaviour here as the rest of the behaviour in that bug is likely expected behaviour.

Reproduced on 1.1.2 installed from OperatorHub, and AFAICT reproducible on latest.

jgwest • Jun 28 '21 22:06
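A way to triage the denial reported above, as an added example that is not part of the original issue or the operator's code: it parses the quoted log line, builds the `kubectl auth can-i` check for the affected service account, and derives the narrowest RBAC rule covering the denial. The function names are hypothetical, the sample log is constructed from the line in the issue, and the derived rule is read off the error message, not taken from the operator's actual fix.

```python
import re

# Constructed sample: the log line quoted in the issue, plus one unrelated line.
SAMPLE_LOG = r'''
time="2021-06-28T20:46:15Z" level=error msg="Unable to create audit event: events is forbidden: User \"system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller\" cannot create resource \"events\" in API group \"\" in the namespace \"openshift-gitops\"" application=guestbook dest-namespace=openshift-gitops dest-server="https://kubernetes.default.svc" reason=ResourceUpdated type=Normal
time="2021-06-28T20:46:16Z" level=info msg="Reconciliation completed" application=guestbook
'''

# Shape of the API server's RBAC denial message, after logfmt unescaping.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"(?: in the namespace "(?P<namespace>[^"]+)")?'
)

def find_denials(log_text):
    """Return the unique RBAC denials found in logfmt-style log text."""
    seen, out = set(), []
    for line in log_text.splitlines():
        m = DENIAL.search(line.replace('\\"', '"'))  # undo logfmt quote escaping
        if m and m.groups() not in seen:
            seen.add(m.groups())
            out.append(m.groupdict())
    return out

def can_i_command(d):
    """kubectl argv asking the API server whether the denial still applies.
    Handles plain resources only; subresources are out of scope here."""
    resource = d["resource"] + ("." + d["group"] if d["group"] else "")
    cmd = ["kubectl", "auth", "can-i", d["verb"], resource, "--as", d["user"]]
    return cmd + (["-n", d["namespace"]] if d["namespace"] else [])

def missing_rule(d):
    """The narrowest RBAC PolicyRule that would cover this denial."""
    return {"apiGroups": [d["group"]], "resources": [d["resource"]], "verbs": [d["verb"]]}

if __name__ == "__main__":
    for denial in find_denials(SAMPLE_LOG):
        print(" ".join(can_i_command(denial)))
        print(missing_rule(denial))
```

Running the printed `kubectl auth can-i` command against a cluster answers `yes` or `no`, which separates a still-missing rule from a log line left over from an earlier install.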

Hey @jgwest do you mind if I took a crack at this?

jaideepr97 • Jun 30 '21 11:06

@jaideepr97 :+1:

jgwest • Jul 01 '21 14:07

Hm, this meta should create this, no? https://github.com/redhat-developer/gitops-operator/blob/bf50491b5abf0f014a2a51112b98aad72e65e38e/controllers/gitopsservice_controller.go#L128

davidkarlsen • Sep 10 '21 11:09

Hi @jaideepr97, any update on this one?

iam-veeramalla • Mar 16 '22 11:03

@iam-veeramalla AFAIR I was not able to reproduce this bug

jaideepr97 • Mar 16 '22 12:03

> @iam-veeramalla AFAIR I was not able to reproduce this bug

One of the users reported this issue on our CoreOS Slack channel today.

iam-veeramalla • Mar 16 '22 12:03

@jaideepr97 is this obsolete? Fixed in latest?

Let me know if you want me to create a JIRA for tracking?

iam-veeramalla • May 13 '22 11:05