    Michał Frąckiewicz
    @SystemZ

    Hi, anyone installed ArgoCD on OVH k8s?
    I'm getting something like this when syncing using default install:

    ComparisonError: appprojects.argoproj.io is forbidden: User "system:serviceaccount:argocd:argocd-application-controller" cannot list appprojects.argoproj.io at the cluster scope;ComparisonError: appprojects.argoproj.io is forbidden: User "system:serviceaccount:argocd:argocd-application-controller" cannot list appprojects.argoproj.io at the cluster scope

    Not sure if my fault, bug in argo or it's this offer related.
    This issue is similar: argoproj/argo-cd#2176

    Christian
    @zeeZ
    @SystemZ it's just missing permissions, so whatever default install you did didn't come with the right rbac
    Michał Frąckiewicz
    @SystemZ
    ok, thanks for info, I will need additional or modified ClusterRoleBinding, right ?
    Christian
    @zeeZ
    I'm looking at the v1.2.0 non-ha release on github, looks like there is an argocd-application-controller clusterrole and CRB that should contain anything
    I've seen these two files, I think I need to modify them, no idea how :(
    Christian
    @zeeZ
    Michał Frąckiewicz
    @SystemZ
    I already have that, however those scary wildcard permissions didn't work
    Christian
    @zeeZ
    good :D normally that's a paddling
    you want apiGroups argoproj.io, resources appprojects and verbs list, and then repeat for everything else it'll complain about
    Michał Frąckiewicz
    @SystemZ
    oh, so wildcard is denying access ?
    I just need to whitelist what it's using ?
    Christian
    @zeeZ
    no, wildcard is anything, so that file gives permission to pretty much everything
    Michał Frąckiewicz
    @SystemZ
    ok so if it has access to everything and it's like chmod 777, why is it still complaining :P
    Christian
    @zeeZ
    well the ServiceAccount seems to be there since it's being used, it's either the ClusterRoleBinding or the ClusterRole that's missing (or missing that specific permission)
    Michał Frąckiewicz
    @SystemZ
    ok so I'm adding those groups, it changes errors, hope I will finish typing them today :D
    Christian
    @zeeZ
    I wonder if there's a code analysis tool that can try to extract all required permissions from standard API usage in go source, but that's probably a bit complicated
    Michał Frąckiewicz
    @SystemZ
    is there a reason that * won't just work ?

    ehh, it's not working, items on this list don't stop the errors, they appear again, it's just an illusion that they are gone, it's in random order

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      labels:
        app.kubernetes.io/name: argocd-application-controller
        app.kubernetes.io/part-of: argocd
        app.kubernetes.io/component: application-controller
      name: argocd-application-controller
    rules:
    - apiGroups:
      - "bgpconfigurations.crd.projectcalico.org"
      - "appprojects.argoproj.io"
      - "applications.argoproj.io"
      - "ippools.crd.projectcalico.org"
      - "storageclasses.storage.k8s.io"
      - "persistentvolumeclaims"
      - "mutatingwebhookconfigurations.admissionregistration.k8s.io"
      - "certificatesigningrequests.certificates.k8s.io"
      - "statefulsets.apps"
      - "deployments.extensions"
      - "priorityclasses.scheduling.k8s.io"
      - "podsecuritypolicies.policy"
      - "namespaces"
      - "replicasets.extensions"
      - "felixconfigurations.crd.projectcalico.org"
      - "controllerrevisions.apps"
      resources:
      - '*'
      verbs:
      - '*'
    - nonResourceURLs:
      - '*'
      verbs:
      - '*'

    I think I'm doing something very wrong and I don't even know it

    Christian
    @zeeZ
    appprojects is a resource in the group argoproj.io
    Michał Frąckiewicz
    @SystemZ
    oh
    Christian
    @zeeZ
    move before dot into resources and everything after as apigroups and hope for the best, or if you want to do it "properly" you'd do one rules entry per api group
    Christian
    @zeeZ
    why those wildcards are not working I don't know, maybe someone more knowledgeable would
    Michał Frąckiewicz
    @SystemZ
    still no dice, listing it like this doesn't help either :/
    rules:
      - apiGroups:
          - ""
        resources:
          - namespaces
        verbs:
          - get
      - apiGroups:
          - ""
        resources:
          - persistentvolumeclaims
        verbs:
          - get
      - apiGroups:
          - apps
        resources:
          - statefulsets
        verbs:
          - list
      - apiGroups:
          - argoproj.io
        resources:
          - appprojects
        verbs:
          - list
    I hoped that k8s could save me time, not something like this
    Christian
    @zeeZ
    If that's not working at all and the bindings are correct then I dunno, did you edit and forget to apply again?
    Michał Frąckiewicz
    @SystemZ
    I'm applying, dirs, filenames, double checked
    maybe there is some other project that would help me apply changes made in git?
    or should I just use standard CI gitlabci/jenkins and drop this idea entirely?

    last chance, I see in docs
    https://argoproj.github.io/argo-cd/getting_started/

    On GKE, you will need grant your account the ability to create new cluster roles:
    kubectl create clusterrolebinding YOURNAME-cluster-admin-binding --clusterrole=cluster-admin --user=YOUREMAIL@gmail.com

    maybe something similar is needed for OVH too ?

    Amine
    @A-Hilaly
    If a GitOps operator is what you're looking for you can take a look at "flux"
    weaveworks got some great tools around GitOps also
    Michał Frąckiewicz
    @SystemZ
    I'll look into it but I'm wondering if that same issue applies to this project too :/
    @zeeZ had some long yamls for that
    Christian
    @zeeZ
    To an extent, yes. When I created that they had full access rbac rules as well
    It is weird that your rules don't work though
    Michał Frąckiewicz
    @SystemZ
    yea, it's strange, I'm already discussing this on argo Slack
    Pavel Tatarskiy
    @vintikzzz
    Hi, I've tried to upgrade to next minor 1.14
    and got stuck again
    Pavel Tatarskiy
    @vintikzzz
    dashboard shows that everything is ok
    But I can't connect to it
    Pavels-iMac:frontend vintikzzzz$ kubectl top no
    Error from server (ServiceUnavailable): the server is currently unable to handle the request (get nodes.metrics.k8s.io)
    Pavel Tatarskiy
    @vintikzzz
    is it time to reset cluster?
    arduinopepe
    @arduinopepe
    Hi guys
    I'm trying to delete a namespace but it is still in hang state
    jenkins Terminating 5d22h
    is there any issue on k8s services?
    Thomas Coudert
    @thcdrt
    Hello @vintikzzz, checking with you in private