GitOps operator installed with incorrect permissions (unable to create resources) about gitops-operator HOT 8 CLOSED

Any update on this? I am facing a similar issue in a fresh 4.8 with gitops 1.2.

from gitops-operator.

There still seems to be an actual bug here (the permission for creating Events in the argocd namespace itself).

from gitops-operator.

Hello,

I see two different issues here,

1. application controller is only able to deploy applications in its namespace.

deployments.apps is forbidden: User
"system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller"
cannot create resource "deployments" in API group "apps" in the
namespace "oai-demo"

2. application controller cannot create audit events in the same namespace.

time="2021-05-05T12:15:09Z" level=error msg="Unable to create audit
event: events is forbidden: User
\"system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller\"
cannot create resource \"events\" in API group \"\" in the namespace
\"openshift-gitops\"" application=oai-demo-webserver
dest-namespace=openshift-gitops
dest-server="https://kubernetes.default.svc" reason=OperationCompleted
type=Warning

• Point no.1 is tracked as part of #146

• Point no.2 is addressed in v1.2.0 of gitops-operator. To let argocd deploy resources into a different namespace, A user needs to label the namespace as documented below.
  https://github.com/redhat-developer/gitops-operator/blob/master/docs/OpenShift%20GitOps%20Usage%20Guide.md#deploy-resources-to-a-different-namespace

from gitops-operator.

An admin needs to explicit grant permission to argocd application controller in the oai-demo namespace. Otherwise, argocd can automatically gain access to all namespaces.

oc adm policy add-role-to-user admin system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller -n oai-demo

from gitops-operator.

I confirmed that adding a rolebinding for the service-account "openshift-gitops-argocd-application-controller" allows to create resources (I'm using v1.1.1), but I couldn't find that anywhere documented, if anyone can please point me there.

On the same note, I can create and delete the application from the GitOps operator console, but if I want to delete only a resource, like a pod I get an error like this:

Unable to delete resource: pods "<pod-name>" is forbidden: User "system:serviceaccount:openshift-gitops:openshift-gitops-argocd-server" cannot delete resource pods in API group "" in the namespace "<namespace-name>"

Which can be easily solved by granting privileges to the "openshift-gitops-argocd-server" service account on that namespace, but again I haven't found a doc reference to know what accounts to grant access. If I need to create a separate issue for clarifications on this, just please let me know.

from gitops-operator.

I've created a new bug for the event behaviour described above.

Bug: #146

from gitops-operator.

Adding openshift-gitops:openshift-gitops-argocd-application-controller as cluster admin solves the issues for me. I dont want to manually grant permissions for each namespace.

oc adm policy add-cluster-role-to-user cluster-admin system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller -n openshift-gitops

from gitops-operator.

@larsks , Please take a look at my previous comment and let me know if this issue can be closed ?

from gitops-operator.