GitOps operator installed with incorrect permissions (unable to create resources)

[larsks]

Describe the bug

I've installed the GitOps Operator onto a new, uncustomized install of OpenShift 4.7(.5). I'm trying to deploy a simple webserver consisting of:

• A Namespace
• A Deployment
• A Configmap
• A Service
• A Route

The GitOps operator is able to create to create the Namespace and
the ConfigMap, but is unable to create the remaining resources due
to permission problems. E.g:

• deployments.apps is forbidden: User
  "system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller"
  cannot create resource "deployments" in API group "apps" in the
  namespace "oai-demo"
  

• routes.route.openshift.io is forbidden: User
  "system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller"
  cannot create resource "routes" in API group "route.openshift.io" in
  the namespace "oai-demo"
  

Additionally, in the log for the application controller pod, I also
see:

time="2021-05-05T12:15:09Z" level=error msg="Unable to create audit
event: events is forbidden: User
\"system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller\"
cannot create resource \"events\" in API group \"\" in the namespace
\"openshift-gitops\"" application=oai-demo-webserver
dest-namespace=openshift-gitops
dest-server="https://kubernetes.default.svc" reason=OperationCompleted
type=Warning

It looks as if there are a number of permissions not configured
correctly out of the box.

Expected behavior

I expect the GitOps operator to successfully deploy an application.

[wtam2018]

An admin needs to explicit grant permission to argocd application controller in the oai-demo namespace. Otherwise, argocd can automatically gain access to all namespaces.

oc adm policy add-role-to-user admin system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller -n oai-demo

[larsks]

There still seems to be an actual bug here (the permission for creating Events in the argocd namespace itself).

[manurodriguez]

I confirmed that adding a rolebinding for the service-account "openshift-gitops-argocd-application-controller" allows to create resources (I'm using v1.1.1), but I couldn't find that anywhere documented, if anyone can please point me there.

On the same note, I can create and delete the application from the GitOps operator console, but if I want to delete only a resource, like a pod I get an error like this:

Unable to delete resource: pods "<pod-name>" is forbidden: User "system:serviceaccount:openshift-gitops:openshift-gitops-argocd-server" cannot delete resource pods in API group "" in the namespace "<namespace-name>"

Which can be easily solved by granting privileges to the "openshift-gitops-argocd-server" service account on that namespace, but again I haven't found a doc reference to know what accounts to grant access. If I need to create a separate issue for clarifications on this, just please let me know.

[jgwest]

I've created a new bug for the event behaviour described above.

Bug: #146

[rgordill]

Any update on this? I am facing a similar issue in a fresh 4.8 with gitops 1.2.

[gasgithub]

Adding openshift-gitops:openshift-gitops-argocd-application-controller as cluster admin solves the issues for me. I dont want to manually grant permissions for each namespace.

oc adm policy add-cluster-role-to-user cluster-admin system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller -n openshift-gitops

[iam-veeramalla]

Hello,

I see two different issues here,

1. application controller is only able to deploy applications in its namespace.

deployments.apps is forbidden: User
"system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller"
cannot create resource "deployments" in API group "apps" in the
namespace "oai-demo"

2. application controller cannot create audit events in the same namespace.

time="2021-05-05T12:15:09Z" level=error msg="Unable to create audit
event: events is forbidden: User
\"system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller\"
cannot create resource \"events\" in API group \"\" in the namespace
\"openshift-gitops\"" application=oai-demo-webserver
dest-namespace=openshift-gitops
dest-server="https://kubernetes.default.svc" reason=OperationCompleted
type=Warning

• Point no.1 is tracked as part of ApplicationController unable to create Events with default install: Unable to create audit event: events is forbidden #146

• Point no.2 is addressed in v1.2.0 of gitops-operator. To let argocd deploy resources into a different namespace, A user needs to label the namespace as documented below.
  https://github.com/redhat-developer/gitops-operator/blob/master/docs/OpenShift%20GitOps%20Usage%20Guide.md#deploy-resources-to-a-different-namespace

[iam-veeramalla]

@larsks , Please take a look at my previous comment and let me know if this issue can be closed ?