
Sample ArgoCD: List requests fail due to resourceName in the RBAC rule #1195

Closed
m1kola opened this issue Aug 30, 2024 · 4 comments · Fixed by #1119
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

m1kola (Member) commented Aug 30, 2024

I'm seeing the following logs from operator-controller-controller-manager after applying config/samples/olm_v1alpha1_clusterextension.yaml.

W0830 08:35:24.701403       1 reflector.go:561] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:243: failed to list apiextensions.k8s.io/v1, Kind=CustomResourceDefinition: customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:argocd:argocd-installer" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope
E0830 08:35:24.702206       1 reflector.go:158] "Unhandled Error" err="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:243: Failed to watch apiextensions.k8s.io/v1, Kind=CustomResourceDefinition: failed to list apiextensions.k8s.io/v1, Kind=CustomResourceDefinition: customresourcedefinitions.apiextensions.k8s.io is forbidden: User \"system:serviceaccount:argocd:argocd-installer\" cannot list resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope" logger="UnhandledError"

Looking at the manifest I see the following:

- apiGroups: [apiextensions.k8s.io]
  resources: [customresourcedefinitions]
  verbs: [create]
- apiGroups: [apiextensions.k8s.io]
  resources: [customresourcedefinitions]
  verbs: [get, list, watch, update, patch, delete]
  resourceNames:
  - appprojects.argoproj.io
  - argocds.argoproj.io
  - applications.argoproj.io
  - argocdexports.argoproj.io
  - applicationsets.argoproj.io

Note that we allow list here, but we also restrict by resourceNames.

Here is what the documentation says:

You cannot restrict create or deletecollection requests by their resource name. For create, this limitation is because the name of the new object may not be known at authorization time. If you restrict list or watch by resourceName, clients must include a metadata.name field selector in their list or watch request that matches the specified resourceName in order to be authorized. For example, kubectl get configmaps --field-selector=metadata.name=my-configmap

m1kola added the kind/bug label Aug 30, 2024

m1kola (Member, Author) commented Aug 30, 2024

Easy fix is to get rid of resourceNames, but then we allow access to all CRDs. If we want to maintain resourceNames then the client (helm?) needs to be aware of the resource names somehow.

joelanford (Member) commented

I believe this will be fixed by #1119

joelanford (Member) commented

If we want to maintain resourceNames then the client (helm?) needs to be aware of the resource names somehow.

In order for creates to work with a resourceName, we need helm to use an apply patch rather than a create call. I don't think there is a way to get around the global list and watch permissions though. The boundaries for list and watch permissions are either:

  • the entire cluster
  • a namespace (but only for namespace-scoped objects)
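The resourceNames behaviour that m1kola's first comment and joelanford's reply describe (an unselected list is forbidden even though "list" is in the verbs; a create can never match a rule carrying resourceNames, whereas a named patch such as a server-side apply can; list and watch can only be bounded cluster-wide or per namespace) is easy to misread from the manifest alone. The Go program below is an added example written for this page, not code from the issue, from #1119 or from operator-controller. It models the RBAC matching rules from the Kubernetes documentation quoted above against the two rules in the sample manifest. `SampleRules` reproduces those rules; `FixedRules` is an assumed rewrite consistent with the thread (list/watch moved to a rule without resourceNames, the per-object verbs left pinned to the named CRDs), not the change made in #1119. The request attributes and the `other.example.com` CRD name used in the test are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule models one entry in a (Cluster)Role's rules list.
type Rule struct {
	APIGroups, Resources, Verbs, ResourceNames []string
}

// Request models the attributes the RBAC authorizer sees for one API call.
// For list/watch, Kubernetes derives the name from a metadata.name field
// selector; for create and deletecollection there is no name in the URL,
// so Name is empty and a resourceNames rule cannot match.
type Request struct {
	Verb, APIGroup, Resource, Name, FieldSelector string
}

// SampleRules reproduces the two rules quoted from the sample manifest.
func SampleRules() []Rule {
	argoCRDs := []string{
		"appprojects.argoproj.io", "argocds.argoproj.io", "applications.argoproj.io",
		"argocdexports.argoproj.io", "applicationsets.argoproj.io",
	}
	group, res := []string{"apiextensions.k8s.io"}, []string{"customresourcedefinitions"}
	return []Rule{
		{APIGroups: group, Resources: res, Verbs: []string{"create"}},
		{APIGroups: group, Resources: res,
			Verbs:         []string{"get", "list", "watch", "update", "patch", "delete"},
			ResourceNames: argoCRDs},
	}
}

// FixedRules is an assumed rewrite (not the actual fix in #1119): list/watch
// cannot be scoped by name, so they move to an unrestricted rule, at the cost
// of letting the installer list and watch every CRD in the cluster.
func FixedRules() []Rule {
	rules := SampleRules()
	rules[1].Verbs = []string{"get", "update", "patch", "delete"}
	return append(rules, Rule{
		APIGroups: []string{"apiextensions.k8s.io"},
		Resources: []string{"customresourcedefinitions"},
		Verbs:     []string{"list", "watch"},
	})
}

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

// effectiveName is the name the authorizer compares against resourceNames:
// the metadata.name field selector for list/watch, the URL name otherwise.
func effectiveName(req Request) string {
	if req.Verb != "list" && req.Verb != "watch" {
		return req.Name
	}
	for _, part := range strings.Split(req.FieldSelector, ",") {
		if strings.HasPrefix(part, "metadata.name=") {
			return strings.TrimPrefix(part, "metadata.name=")
		}
	}
	return ""
}

// Allowed reports whether any rule authorizes the request. A rule carrying
// resourceNames only matches when the effective name is one of them.
func Allowed(rules []Rule, req Request) bool {
	for _, r := range rules {
		if !contains(r.APIGroups, req.APIGroup) || !contains(r.Resources, req.Resource) || !contains(r.Verbs, req.Verb) {
			continue
		}
		if len(r.ResourceNames) == 0 || contains(r.ResourceNames, effectiveName(req)) {
			return true
		}
	}
	return false
}

func main() {
	crd := Request{Verb: "list", APIGroup: "apiextensions.k8s.io", Resource: "customresourcedefinitions"}
	fmt.Println("list, no selector, sample rules:", Allowed(SampleRules(), crd)) // false
	crd.FieldSelector = "metadata.name=argocds.argoproj.io"
	fmt.Println("list, field selector, sample rules:", Allowed(SampleRules(), crd)) // true
	crd.FieldSelector = ""
	fmt.Println("list, no selector, fixed rules:", Allowed(FixedRules(), crd)) // true
}
```

The first case is the `forbidden` error in the reflector log: the informer lists CRDs with no field selector, so the only rule granting "list" never matches. Under `FixedRules` the reflector works, but the get/update/patch/delete boundary is the only name-scoped protection left, which is the trade-off m1kola points out.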

m1kola (Member, Author) commented Aug 30, 2024

Closing as a duplicate of #1195
