Missing permission in ArgoRollout cluster role #2795

Closed
Ahmed-Elkollaly opened this issue Jun 25, 2024 · 12 comments
Labels
argo-rollouts awaiting-upstream Is waiting for a change upstream to be completed before it can be merged. bug Something isn't working

Comments

@Ahmed-Elkollaly

Ahmed-Elkollaly commented Jun 25, 2024

Describe the bug

I can't use the recent feature scaleDown, used in migration to Argo rollout, due to a missing permission in the clusterrole in the helm chart in argo-rollout v2.36.1 https://github.com/argoproj/argo-helm/blob/main/charts/argo-rollouts/templates/controller/clusterrole.yaml#L60

https://argo-rollouts.readthedocs.io/en/stable/migrating/

  workloadRef:                                 # Reference an existing Deployment using workloadRef field
    apiVersion: apps/v1
    kind: Deployment
    name: rollout-ref-deployment
    scaleDown: onsuccess

The error from argo-rollout controller pod
time="2024-06-25T12:38:07Z" level=error msg="deployments.apps \"rollout-ref-deployment\" is forbidden: User \"system:serviceaccount:argo-rollouts:argo-rollouts\" cannot update resource \"deployments\" in API group \"apps\" in the namespace \"dev\"

Related helm chart

argo-rollouts

Helm chart version

2.36.1

To Reproduce

Steps to reproduce the issue

  1. Apply deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/instance: rollout-canary
  name: rollout-ref-deployment
spec:
  replicas: 1                              
  selector:
    matchLabels:
      app: rollout-ref-deployment
  template:
    metadata:
      labels:
        app: rollout-ref-deployment
    spec:
      containers:
        - name: rollouts-demo
          image: argoproj/rollouts-demo:blue
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
  2. Apply Rollout
apiVersion: argoproj.io/v1alpha1               # Create a rollout resource
kind: Rollout
metadata:
  name: rollout-ref-deployment
spec:
  replicas: 5
  selector:
    matchLabels:
      app: rollout-ref-deployment
  workloadRef:                                 # Reference an existing Deployment using workloadRef field
    apiVersion: apps/v1
    kind: Deployment
    name: rollout-ref-deployment
    scaleDown: onsuccess
  strategy:
    canary:
      steps:
        - setWeight: 20
        - pause: {duration: 10s}
  3. Check argo-rollout controller pod logs
    time="2024-06-25T12:38:07Z" level=error msg="deployments.apps \"rollout-ref-deployment\" is forbidden: User \"system:serviceaccount:argo-rollouts:argo-rollouts\" cannot update resource \"deployments\" in API group \"apps\" in the namespace \"dev\"

Expected behavior

Use the recent feature scaleDown in argorollout v1.7.0 without any access issue

Screenshots

No response

Additional context

No response

@Ahmed-Elkollaly Ahmed-Elkollaly added the bug Something isn't working label Jun 25, 2024
@Ahmed-Elkollaly Ahmed-Elkollaly changed the title Missing permission in cluster role Missing permission in ArgoRollout cluster role Jun 25, 2024
@yu-croco
Collaborator

Hi @Ahmed-Elkollaly, thank you for opening the issue.
Since we follow upstream's manifest (in this case, here), can you also open an issue in upstream?
Once upstream releases a new version, we also follow it.

@yu-croco yu-croco added argo-rollouts awaiting-upstream Is waiting for a change upstream to be completed before it can be merged. labels Jun 26, 2024
@Ahmed-Elkollaly
Author

I opened an issue in the argo-rollout project. Thank you.

@yu-croco
Collaborator

📝
Upstream has been fixed in argoproj/argo-rollouts#3675. We will follow the fix when the PR is delivered as a specific version.

@DrFaust92
Contributor

I'll follow up on this and open a PR here now that it's merged upstream.

@yu-croco
Collaborator

yu-croco commented Jul 1, 2024

Hi @DrFaust92,
FYI: Renovate in argo-helm will open a PR when upstream releases a new version, and we will check the diffs under manifest in upstream at the PR. :)
e.g. #2794

@DrFaust92
Contributor

yu-croco makes sense, but in this case it was a manifest-only upstream change and doesn't require a binary release to add this.

@yu-croco
Collaborator

yu-croco commented Jul 1, 2024

We only follow a specific version of upstream, instead of the main branch.
Upstream will release the manifest diff with other diffs, so we need to wait for the next (or next next?) release of upstream.

@muma378

muma378 commented Jul 9, 2024

Hi, I had the same issue when using the scaledown feature. I found the feature was released in v1.7.1 and the image was updated in helm, so is it the right time to update the cluster role?
I opened a PR #2816, please feel free to close it if it is not correct.

@yu-croco
Collaborator

yu-croco commented Jul 9, 2024

Hi @muma378,
As I mentioned earlier, the point is upstream's manifest.
There is no update permission in v1.7.1 (ref: v1.7.1's permission), so we are waiting for it.

@muma378

muma378 commented Jul 14, 2024

> Hi @muma378, As I mentioned earlier, the point is upstream's manifest. There is no update permission in v1.7.1 (ref: v1.7.1's permission), so we are waiting for it.

OK, I got it, so we are waiting for v1.7.2 to release. I thought it is the time to update because I found the upstream's manifest was fixed in #2816.

@amorattab

amorattab commented Jul 22, 2024

@Ahmed-Elkollaly additional RBAC rules can be added to the cluster role through providerRBAC.additionalRules.
Setting the following in the values.yaml file fixed the issue:

providerRBAC:
    additionalRules:
        # One rule: apiGroups, resources and verbs belong to the same list item
        - apiGroups:
           - apps
          resources:
           - deployments
          verbs:
           - update
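
As an added example (not part of the thread or the chart), this Python sketch parses the forbidden message quoted in the issue and evaluates the denied request against RBAC rules. The rule sets are constructed for illustration, and resourceNames and subresources are not modelled. It also shows why apiGroups, resources and verbs have to sit in one list item: split across separate items they grant nothing.

```python
import re

# Error line copied from the issue (controller pod log).
LOG = r'time="2024-06-25T12:38:07Z" level=error msg="deployments.apps \"rollout-ref-deployment\" is forbidden: User \"system:serviceaccount:argo-rollouts:argo-rollouts\" cannot update resource \"deployments\" in API group \"apps\" in the namespace \"dev\"'

# Quotes may or may not be backslash-escaped depending on the log format.
FORBIDDEN = re.compile(
    r'User \\?"(?P<user>[^"\\]+)\\?" cannot (?P<verb>\S+) resource '
    r'\\?"(?P<resource>[^"\\]+)\\?" in API group \\?"(?P<group>[^"\\]*)\\?"'
    r'(?: in the namespace \\?"(?P<namespace>[^"\\]+)\\?")?'
)

def parse_forbidden(line):
    """Extract the denied request from an API-server 'forbidden' message, or None."""
    m = FORBIDDEN.search(line)
    return m.groupdict() if m else None

def rule_allows(rule, group, resource, verb):
    """A PolicyRule grants a request only if apiGroups, resources AND verbs all match."""
    def matches(key, wanted):
        values = rule.get(key) or []
        return "*" in values or wanted in values
    return (matches("apiGroups", group) and matches("resources", resource)
            and matches("verbs", verb))

def role_allows(rules, request):
    """RBAC is additive: the request is allowed if any single rule grants it."""
    return any(rule_allows(r, request["group"], request["resource"], request["verb"])
               for r in rules)

# Constructed rule sets (illustrative, not the chart's rendered ClusterRole).
READ_ONLY = [{"apiGroups": ["apps"], "resources": ["deployments"],
              "verbs": ["get", "list", "watch"]}]
SPLIT_ITEMS = [{"apiGroups": ["apps"]}, {"resources": ["deployments"]},
               {"verbs": ["update"]}]
ONE_RULE = [{"apiGroups": ["apps"], "resources": ["deployments"],
             "verbs": ["update"]}]

def report(line=LOG):
    """Evaluate the request parsed from `line` against each constructed rule set."""
    request = parse_forbidden(line)
    return {name: role_allows(rules, request) for name, rules in
            [("read_only", READ_ONLY), ("split_items", SPLIT_ITEMS), ("one_rule", ONE_RULE)]}

if __name__ == "__main__":
    print(parse_forbidden(LOG))
    print(report())
```

Against a live cluster, `kubectl auth can-i update deployments.apps -n dev --as=system:serviceaccount:argo-rollouts:argo-rollouts` answers the same question for the controller's service account.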

@yu-croco
Collaborator

This issue is fixed in argo-rollouts v1.7.2 👍
#2880
