gitops-operator
Default Deployment ArgoCD - cannot create Projects/Applications - permissions denied
Describe the bug
I created a ROKS Cluster on IBM TechZone, installed the GitOps Operator and created an instance with all default values in a new namespace "example". After accessing the UI over the provided route, I tried to create a new Project over the UI.
This failed with the following error message:
Unable to create project: permission denied: projects, create, login, sub: CiQ2MzQ2NzRiYy0zOWM2LTRlYTItYjdlNi1jNTEzMzA2OWIzOTESCW9wZW5zaGlmdA, iat: 2022-04-07T13:13:46Z
Creating the Application over the oc command line works, but is not successful. No resources got created and the UI shows nothing.
The same happens if I try to create an application in the default project. I'm fairly confused what I could have done wrong, since I used a default OpenShift Cluster, the default GitOps Operator and the default ArgoCD Instance.
To Reproduce
Steps to reproduce the behavior:
- Create a ROKS Cluster on Techzone (Openshift Version 4.9.21_1528)
- Install the Red Hat OpenShift GitOps 1.4.5 Operator
- Create a new Project / Namespace
- Create a new ArgoCD in the new Namespace over the Operator UI
- Open the ArgoCD UI per Openshift Route in the same namespace
- Login with Openshift Credentials
- Try to create a project in Argo CD
Additional context
Below you'll find the default values YAML from the argocd instance:
apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  creationTimestamp: '2022-04-07T13:12:26Z'
  finalizers:
    - argoproj.io/finalizer
  generation: 2
  managedFields:
    - apiVersion: argoproj.io/v1alpha1
      fieldsType: FieldsV1
      fieldsV1:
        'f:spec':
          .: {}
          'f:controller':
            .: {}
            'f:resources':
              .: {}
              'f:limits': {}
              'f:requests':
                .: {}
                'f:cpu': {}
          'f:dex':
            .: {}
            'f:openShiftOAuth': {}
            'f:resources':
              .: {}
              'f:limits':
                .: {}
                'f:cpu': {}
                'f:memory': {}
              'f:requests':
                .: {}
                'f:cpu': {}
                'f:memory': {}
          'f:ha':
            .: {}
            'f:enabled': {}
            'f:resources':
              .: {}
              'f:limits':
                .: {}
                'f:cpu': {}
                'f:memory': {}
              'f:requests':
                .: {}
                'f:cpu': {}
                'f:memory': {}
          'f:rbac':
            .: {}
            'f:defaultPolicy': {}
            'f:policy': {}
            'f:scopes': {}
          'f:redis':
            .: {}
            'f:resources':
              .: {}
              'f:limits':
                .: {}
                'f:cpu': {}
                'f:memory': {}
              'f:requests':
                .: {}
                'f:cpu': {}
                'f:memory': {}
          'f:repo':
            .: {}
            'f:resources':
              .: {}
              'f:limits': {}
              'f:requests':
                .: {}
                'f:cpu': {}
                'f:memory': {}
          'f:server':
            .: {}
            'f:resources':
              .: {}
              'f:limits':
                .: {}
                'f:cpu': {}
                'f:memory': {}
              'f:requests':
                .: {}
                'f:cpu': {}
                'f:memory': {}
            'f:route':
              .: {}
              'f:enabled': {}
      manager: Mozilla
      operation: Update
      time: '2022-04-07T13:12:26Z'
    - apiVersion: argoproj.io/v1alpha1
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:finalizers':
            .: {}
            'v:"argoproj.io/finalizer"': {}
        'f:spec':
          'f:controller':
            'f:processors': {}
            'f:resources':
              'f:limits':
                'f:cpu': {}
                'f:memory': {}
              'f:requests':
                'f:memory': {}
            'f:sharding': {}
          'f:grafana':
            .: {}
            'f:enabled': {}
            'f:ingress':
              .: {}
              'f:enabled': {}
            'f:route':
              .: {}
              'f:enabled': {}
          'f:initialSSHKnownHosts': {}
          'f:prometheus':
            .: {}
            'f:enabled': {}
            'f:ingress':
              .: {}
              'f:enabled': {}
            'f:route':
              .: {}
              'f:enabled': {}
          'f:repo':
            'f:resources':
              'f:limits':
                'f:cpu': {}
                'f:memory': {}
          'f:server':
            'f:autoscale':
              .: {}
              'f:enabled': {}
            'f:grpc':
              .: {}
              'f:ingress':
                .: {}
                'f:enabled': {}
            'f:ingress':
              .: {}
              'f:enabled': {}
            'f:service':
              .: {}
              'f:type': {}
          'f:tls':
            .: {}
            'f:ca': {}
      manager: manager
      operation: Update
      time: '2022-04-07T13:12:26Z'
    - apiVersion: argoproj.io/v1alpha1
      fieldsType: FieldsV1
      fieldsV1:
        'f:status':
          .: {}
          'f:applicationController': {}
          'f:dex': {}
          'f:phase': {}
          'f:redis': {}
          'f:repo': {}
          'f:server': {}
          'f:ssoConfig': {}
      manager: manager
      operation: Update
      subresource: status
      time: '2022-04-07T13:12:27Z'
  name: argocd
  namespace: login-example
  resourceVersion: '3135983'
  uid: 0e1d4c08-9202-4ae6-8af5-18074fbe4e3d
spec:
  server:
    autoscale:
      enabled: false
    grpc:
      ingress:
        enabled: false
    ingress:
      enabled: false
    resources:
      limits:
        cpu: 500m
        memory: 256Mi
      requests:
        cpu: 125m
        memory: 128Mi
    route:
      enabled: true
    service:
      type: ''
  grafana:
    enabled: false
    ingress:
      enabled: false
    route:
      enabled: false
  prometheus:
    enabled: false
    ingress:
      enabled: false
    route:
      enabled: false
  initialSSHKnownHosts: {}
  rbac:
    defaultPolicy: ''
    policy: |
      g, system:cluster-admins, role:admin
    scopes: '[groups]'
  repo:
    resources:
      limits:
        cpu: '1'
        memory: 1Gi
      requests:
        cpu: 250m
        memory: 256Mi
  dex:
    openShiftOAuth: true
    resources:
      limits:
        cpu: 500m
        memory: 256Mi
      requests:
        cpu: 250m
        memory: 128Mi
  ha:
    enabled: false
    resources:
      limits:
        cpu: 500m
        memory: 256Mi
      requests:
        cpu: 250m
        memory: 128Mi
  tls:
    ca: {}
  redis:
    resources:
      limits:
        cpu: 500m
        memory: 256Mi
      requests:
        cpu: 250m
        memory: 128Mi
  controller:
    processors: {}
    resources:
      limits:
        cpu: '2'
        memory: 2Gi
      requests:
        cpu: 250m
        memory: 1Gi
    sharding: {}
status:
  applicationController: Running
  dex: Running
  phase: Available
  redis: Running
  repo: Running
  server: Running
  ssoConfig: Success
By default, only the system:cluster-admins OpenShift group is mapped to Argo CD's admin role. You most likely have to create a specific RBAC policy rule in Argo CD to map your SSO group to Argo CD admin (or another group, which has permissions to create projects or other resources).
In case you are using SSO w/ dex for ArgoCD, make sure you have the right policy for configmap "argocd-rbac-cm":
policy.csv: |
  p, role:argo-admin, clusters, create, *, allow
  p, role:argo-admin, clusters, update, *, allow
  p, role:argo-admin, clusters, delete, *, allow
or you can have the below for super admins:
policy.csv: |
  p, role:argo-admin, clusters, *, *, allow
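To make the two comments above concrete (the note that only system:cluster-admins is mapped to role:admin by default, and the policy.csv snippets), here is an added example, written for this page and not code from the gitops-operator project or from anyone in this thread. It re-implements Argo CD's RBAC evaluation in Python: p/g rules from policy.csv appended to Argo CD's built-in `p, role:admin, *, *, *, allow`, glob-or-regex matching on resource, action and object, role inheritance through g rules, and the effect rule "allowed when some allow rule matches and no deny rule matches". It then replays the request from the error message on this page (projects, create, login, with the quoted sub claim) against the operator's default policy, the cluster-only role from the comment, and a least-privilege role that can create projects and applications. The OpenShift group `example-developers`, the g lines that map it, and `role:project-creator` are assumptions constructed for the illustration; the sub claim and the default policy are taken from the page.

```python
"""Evaluate Argo CD policy.csv rules the way Argo CD's casbin model does.

Added example for this issue page, not code from the gitops-operator project
or from the issue's participants. Group names marked 'constructed' below are
assumptions; the sub claim and the default policy come from the page.
"""
import fnmatch
import re

# Argo CD's built-in policy grants role:admin everything; policy.csv is appended to it.
BUILTIN_POLICY = "p, role:admin, *, *, *, allow\n"


def parse_policy(csv_text):
    """Split policy.csv into p-rules (sub, res, act, obj, eft) and g-rules (member, role)."""
    rules, groupings = [], []
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if parts[0] == "p" and len(parts) == 6:
            rules.append(tuple(parts[1:]))
        elif parts[0] == "g" and len(parts) == 3:
            groupings.append((parts[1], parts[2]))
        else:
            raise ValueError(f"malformed policy line: {line!r}")
    return rules, groupings


def effective_subjects(subjects, groupings):
    """Transitive closure of g-rules: every role a subject or one of its groups maps to."""
    seen = set(subjects)
    frontier = list(subjects)
    while frontier:
        current = frontier.pop()
        for member, role in groupings:
            if member == current and role not in seen:
                seen.add(role)
                frontier.append(role)
    return seen


def pattern_match(value, pattern):
    """Argo CD's globOrRegexMatch: /regex/ when wrapped in slashes, glob otherwise."""
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        return re.fullmatch(pattern[1:-1], value) is not None
    return fnmatch.fnmatchcase(value, pattern)


def enforce(policy_csv, subject, groups, resource, action, obj, default_role=""):
    """Return True when the request is allowed.

    ``subject`` is the token's sub claim and ``groups`` the claim selected by
    rbac.scopes ('[groups]' in the CR on this page). ``default_role`` plays the
    part of rbac.defaultPolicy, which is empty in that CR. Effect rule: at least
    one matching allow and no matching deny.
    """
    rules, groupings = parse_policy(BUILTIN_POLICY + policy_csv)
    subjects = effective_subjects([subject, *groups], groupings)
    if default_role:
        subjects |= effective_subjects([default_role], groupings)
    allowed = denied = False
    for sub, res, act, o, eft in rules:
        if (sub in subjects and pattern_match(resource, res)
                and pattern_match(action, act) and pattern_match(obj, o)):
            if eft == "allow":
                allowed = True
            elif eft == "deny":
                denied = True
    return allowed and not denied


# The operator's default from the CR above: only system:cluster-admins is admin.
DEFAULT_POLICY = "g, system:cluster-admins, role:admin\n"

# The cluster-scoped role from the comment above, plus a constructed g-line
# mapping an assumed OpenShift group to it (the comment shows no such mapping).
CLUSTER_ONLY_POLICY = """\
p, role:argo-admin, clusters, create, *, allow
p, role:argo-admin, clusters, update, *, allow
p, role:argo-admin, clusters, delete, *, allow
g, example-developers, role:argo-admin
"""

# Constructed least-privilege alternative: create and read projects/applications only.
PROJECT_CREATOR_POLICY = """\
p, role:project-creator, projects, create, *, allow
p, role:project-creator, projects, get, *, allow
p, role:project-creator, applications, create, */*, allow
p, role:project-creator, applications, get, */*, allow
g, example-developers, role:project-creator
"""

# Request reconstructed from the error on this page: create the project "login".
SUB = "CiQ2MzQ2NzRiYy0zOWM2LTRlYTItYjdlNi1jNTEzMzA2OWIzOTESCW9wZW5zaGlmdA"
REQUEST = dict(subject=SUB, resource="projects", action="create", obj="login")


def evaluate_page_policies(groups=("example-developers",)):
    """Replay the page's request against each policy; returns {policy name: allowed}."""
    groups = list(groups)
    return {
        "default": enforce(DEFAULT_POLICY, groups=groups, **REQUEST),
        "cluster_only": enforce(CLUSTER_ONLY_POLICY, groups=groups, **REQUEST),
        "project_creator": enforce(PROJECT_CREATOR_POLICY, groups=groups, **REQUEST),
    }


if __name__ == "__main__":
    for name, ok in evaluate_page_policies().items():
        print(f"{name:16s} projects/create/login -> {'allow' if ok else 'permission denied'}")
```

Run stand-alone, the script reports `permission denied` for the default policy (the OpenShift user's groups never reach role:admin) and for the cluster-only role (its rules match the `clusters` resource, not `projects`), and `allow` for the project-creator role. The same evaluation is what decides the error quoted at the top of this issue, so the practical fix is a `g, <your OpenShift group>, role:admin` line (or a narrower role like the one above) in `spec.rbac.policy` of the ArgoCD CR, with `scopes: '[groups]'` left as shown so the group claim is consulted.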