Missing permission in ArgoRollout cluster role #3672

Closed
2 tasks done
Ahmed-Elkollaly opened this issue Jun 26, 2024 · 0 comments · Fixed by #3675

Ahmed-Elkollaly commented Jun 26, 2024

Checklist:

  • I've included steps to reproduce the bug.
  • I've included the version of argo rollouts.

Describe the bug
I can't use the recent scaleDown feature, used when migrating to Argo Rollouts, due to a missing permission in the cluster role in argo-rollout v1.7.1.

  workloadRef:                                 # Reference an existing Deployment using workloadRef field
    apiVersion: apps/v1
    kind: Deployment
    name: rollout-ref-deployment
    scaleDown: onsuccess

The error from the argo-rollout controller pod:

time="2024-06-25T12:38:07Z" level=error msg="deployments.apps \"rollout-ref-deployment\" is forbidden: User \"system:serviceaccount:argo-rollouts:argo-rollouts\" cannot update resource \"deployments\" in API group \"apps\" in the namespace \"dev\"

To Reproduce
Steps to reproduce the issue

  1. Apply deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/instance: rollout-canary
  name: rollout-ref-deployment
spec:
  replicas: 1                              
  selector:
    matchLabels:
      app: rollout-ref-deployment
  template:
    metadata:
      labels:
        app: rollout-ref-deployment
    spec:
      containers:
        - name: rollouts-demo
          image: argoproj/rollouts-demo:blue
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
  2. Apply Rollout
apiVersion: argoproj.io/v1alpha1               # Create a rollout resource
kind: Rollout
metadata:
  name: rollout-ref-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: rollout-ref-deployment
  workloadRef:                                 # Reference an existing Deployment using workloadRef field
    apiVersion: apps/v1
    kind: Deployment
    name: rollout-ref-deployment
    scaleDown: onsuccess
  strategy:
    canary:
      steps:
        - setWeight: 20
        - pause: {duration: 10s}
  3. Check argo-rollout controller pod logs
    time="2024-06-25T12:38:07Z" level=error msg="deployments.apps \"rollout-ref-deployment\" is forbidden: User \"system:serviceaccount:argo-rollouts:argo-rollouts\" cannot update resource \"deployments\" in API group \"apps\" in the namespace \"dev\"

Expected behavior
Use the recent scaleDown feature in Argo Rollouts v1.7.x without any access issue.

Screenshots

Version

v1.7.1

Logs

time="2024-06-26T06:33:25Z" level=error msg="rollout syncHandler error: deployments.apps \"rollout-ref-deployment\" is forbidden: User \"system:serviceaccount:argo-rollouts:argo-rollouts\" cannot update resource \"deployments\" in API group \"apps\" in the namespace \"default\"" namespace=default rollout=rollout-ref-deployment
time="2024-06-26T06:33:25Z" level=info msg="rollout syncHandler queue retries: 55 : key \"default/rollout-ref-deployment\"" namespace=default rollout=rollout-ref-deployment
time="2024-06-26T06:33:35Z" level=info msg="Started syncing rollout" generation=1 namespace=default resourceVersion=493762 rollout=rollout-ref-deployment
time="2024-06-26T06:33:35Z" level=info msg="No TrafficRouting Reconcilers found" namespace=default rollout=rollout-ref-deployment
time="2024-06-26T06:33:35Z" level=info msg="No StableRS exists to reconcile or matches newRS" namespace=default rollout=rollout-ref-deployment
time="2024-06-26T06:33:35Z" level=info msg="No Steps remain in the canary steps" namespace=default rollout=rollout-ref-deployment
time="2024-06-26T06:33:35Z" level=info msg="Scaling deployment rollout-ref-deployment to 0 replicas" namespace=default rollout=rollout-ref-deployment
time="2024-06-26T06:33:35Z" level=warning msg="Failed to update deployment rollout-ref-deployment: deployments.apps \"rollout-ref-deployment\" is forbidden: User \"system:serviceaccount:argo-rollouts:argo-rollouts\" cannot update resource \"deployments\" in API group \"apps\" in the namespace \"default\"" namespace=default rollout=rollout-ref-deployment
time="2024-06-26T06:33:35Z" level=error msg="roCtx.reconcile err deployments.apps \"rollout-ref-deployment\" is forbidden: User \"system:serviceaccount:argo-rollouts:argo-rollouts\" cannot update resource \"deployments\" in API group \"apps\" in the namespace \"default\"" generation=1 namespace=default resourceVersion=493762 rollout=rollout-ref-deployment
time="2024-06-26T06:33:35Z" level=info msg="Reconciliation completed" generation=1 namespace=default resourceVersion=493762 rollout=rollout-ref-deployment time_ms=13.497874999999999
time="2024-06-26T06:33:35Z" level=error msg="rollout syncHandler error: deployments.apps \"rollout-ref-deployment\" is forbidden: User \"system:serviceaccount:argo-rollouts:argo-rollouts\" cannot update resource \"deployments\" in API group \"apps\" in the namespace \"default\"" namespace=default rollout=rollout-ref-deployment
time="2024-06-26T06:33:35Z" level=info msg="rollout syncHandler queue retries: 56 : key \"default/rollout-ref-deployment\"" namespace=default rollout=rollout-ref-deployment

Message from the maintainers:

Impacted by this bug? Give it a 👍. We prioritize the issues with the most 👍.

@Ahmed-Elkollaly Ahmed-Elkollaly added the bug Something isn't working label Jun 26, 2024
zachaller pushed a commit that referenced this issue Jun 27, 2024
…Fixes #3672 (#3675)

fix: add update verb to ClusterRole permissions for scaleDown

Signed-off-by: EnriqueTejeda <[email protected]>
zachaller pushed a commit that referenced this issue Aug 13, 2024
…Fixes #3672 (#3675)

fix: add update verb to ClusterRole permissions for scaleDown

Signed-off-by: EnriqueTejeda <[email protected]>
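
The "is forbidden" lines in the controller log above name exactly which verb, resource and API group the service account lacks. The following is an added example, not code from the issue or from the Argo Rollouts project: it parses such lines into the minimal RBAC rule that would cover them and into `kubectl auth can-i` checks that confirm the gap before and after a ClusterRole change. The function names are assumptions, and the sample lines are copied from this issue.

```python
import re
from collections import Counter

# Shape of the API server's RBAC denial text as it appears in the issue's logs.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<res>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<ns>[^"]+)"| at the cluster scope)'
)

# Log lines copied from the issue; the info line is kept as a non-match.
SAMPLE_LOG = r'''
time="2024-06-25T12:38:07Z" level=error msg="deployments.apps \"rollout-ref-deployment\" is forbidden: User \"system:serviceaccount:argo-rollouts:argo-rollouts\" cannot update resource \"deployments\" in API group \"apps\" in the namespace \"dev\"
time="2024-06-26T06:33:35Z" level=info msg="Scaling deployment rollout-ref-deployment to 0 replicas" namespace=default rollout=rollout-ref-deployment
time="2024-06-26T06:33:35Z" level=warning msg="Failed to update deployment rollout-ref-deployment: deployments.apps \"rollout-ref-deployment\" is forbidden: User \"system:serviceaccount:argo-rollouts:argo-rollouts\" cannot update resource \"deployments\" in API group \"apps\" in the namespace \"default\"" namespace=default rollout=rollout-ref-deployment
time="2024-06-26T06:33:35Z" level=error msg="rollout syncHandler error: deployments.apps \"rollout-ref-deployment\" is forbidden: User \"system:serviceaccount:argo-rollouts:argo-rollouts\" cannot update resource \"deployments\" in API group \"apps\" in the namespace \"default\"" namespace=default rollout=rollout-ref-deployment
'''

def parse_denials(log_text):
    """Count distinct (user, verb, resource, group, namespace) denials."""
    hits = Counter()
    for line in log_text.splitlines():
        # Inner quotes are escaped as \" inside msg="..."; undo that first.
        m = DENIAL.search(line.replace('\\"', '"'))
        if m:
            hits[m.group("user", "verb", "res", "group", "ns")] += 1
    return hits

def missing_rules(denials):
    """Collapse denials into the smallest RBAC rules that would cover them."""
    verbs = {}
    for _user, verb, res, group, _ns in denials:
        verbs.setdefault((group, res), set()).add(verb)
    return [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
            for (g, r), v in sorted(verbs.items())]

def can_i_commands(denials):
    """kubectl checks that reproduce each denial (ns is None at cluster scope)."""
    cmds = []
    for user, verb, res, group, ns in sorted(denials, key=str):
        target = f"{res}.{group}" if group else res
        scope = f"-n {ns}" if ns else "--all-namespaces"
        cmds.append(f"kubectl auth can-i {verb} {target} --as={user} {scope}")
    return cmds

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print(missing_rules(found))
    print("\n".join(can_i_commands(found)))
```

Deriving the rule from the denials keeps the grant to the single verb the controller was refused, rather than widening the ClusterRole to a wildcard.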