Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ArgoCD Notifications Controller - Permission issue #16022

Open
3 tasks done
anjuls opened this issue Oct 18, 2023 · 8 comments
Open
3 tasks done

ArgoCD Notifications Controller - Permission issue #16022

anjuls opened this issue Oct 18, 2023 · 8 comments
Labels
bug Something isn't working version:EOL Latest confirmed affected version has reached EOL

Comments

@anjuls
Copy link

anjuls commented Oct 18, 2023

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug

I am trying to use argocd notifications to send the slack notifications. But I see a frequent error in notifications pod.

argocd-notifications-controller-646c65dbb-99grj argocd-notifications-controller E1018 18:00:21.234089       7 reflector.go:140] pkg/mod/k8s.io/client-go@v0.26.4/tools/cache/reflector.go:169: Failed to watch *unstructured.Unstructured: failed to list *unstructured.Unstructured: failed to list applications: applications.argoproj.io is forbidden: User "system:serviceaccount:argocd:argocd-notifications-controller" cannot list resource "applications" in API group "argoproj.io" at the cluster scope
^C

To Reproduce

Current version I have.

INFO[0000] ArgoCD Notifications Controller is starting   built="2023-10-18T15:17:56Z" commit=9e0e8d5e8a055ccc93b0bfbedcfa2eee91aaf5d3 namespace=argocd version=v2.9.0+9e0e8d5

Expected behavior

There should not be any error and notification should be sent on Slack.

Screenshots

Version

argocd version
argocd: v2.9.0+9e0e8d5
  BuildDate: 2023-10-18T15:17:56Z
  GitCommit: 9e0e8d5e8a055ccc93b0bfbedcfa2eee91aaf5d3
  GitTreeState: clean
  GoVersion: go1.21.3
  Compiler: gc
  Platform: linux/amd64
@anjuls anjuls added the bug Something isn't working label Oct 18, 2023
@anjuls
Copy link
Author

anjuls commented Oct 18, 2023

solved by creating clusterrole and clusterrolebinding.
https://github.com/argoproj/argo-cd/pull/15702/files

@anjuls anjuls closed this as completed Oct 18, 2023
@motoki317
Copy link

motoki317 commented Oct 29, 2023

I have also encountered into this after upgrading from v2.8.4 to v2.8.5, since /manifests/install.yaml doesn't include the necessary ClusterRole and ClusterRoleBinding which are now required by the notifications-controller.
I think these roles should have been included in the all-in-one install yaml files in #15702.

@crenshaw-dev crenshaw-dev reopened this Oct 29, 2023
@enys
Copy link

enys commented Oct 30, 2023

Confirming this also happens via https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd with the upgrade to Helm release argo-cd to v5.48.0

@mayzhang2000
Copy link
Contributor

This should have been fixed by https://github.com/argoproj/argo-cd/pull/16057/files.

@davidmendezph
Copy link

davidmendezph commented Oct 30, 2023

Updated yesterday with helm chart directly from the main branch and still same issue.

time="2023-10-30T22:20:27Z" level=info msg="ArgoCD Notifications Controller is starting" built="2023-10-27T23:36:30Z" commit=85025e1dcb683b192ea3599de0b0a196d64c94a7 namespace=argocd version=v2.8.5+85025e1

Edit: Using argo-helm version not manifest.

Fixed by argoproj/argo-helm#2315

@motoki317
Copy link

motoki317 commented Oct 30, 2023

This should have been fixed by https://github.com/argoproj/argo-cd/pull/16057/files.

I think technically yes, #16057 fixes the notifications controller by listing Application resources in its installed namespace when application-namespaces is not configured (the default behavior).
But it would be convenient to include the ClusterRole in cluster-wide installation script in case user wants to use Applications in any namespace by configuring application-namespaces, after installing with install.yaml.
That's what I did in #16153. argoproj/argo-helm#2315 is a similar fix but for the helm chart.

edit: I got it, this part states that users need to apply extra manifests if they want to use Applications in any namespace, but I think that's easy to miss.

@crenshaw-dev
Copy link
Member

@davidmendezph the fix has been merged but still needs to be released. It'll be in 2.8.6. I'm working through some CI issues, but should get that cut today.

@motoki317 let's stick with adding the cluster role as an opt-in for now. If you'd like to update the docs to be more clear, that would be appreciated!

@andrii-korotkov-verkada
Copy link
Contributor

ArgoCD versions 2.10 and below have reached EOL. Can you upgrade and let us know if the issue is still present, please?

@andrii-korotkov-verkada andrii-korotkov-verkada added the version:EOL Latest confirmed affected version has reached EOL label Nov 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working version:EOL Latest confirmed affected version has reached EOL
Projects
None yet
Development

Successfully merging a pull request may close this issue.

7 participants