
RBAC in managed openshifts #15

@robbybrodie

Description


I've only tested this on ROKS (Managed OpenShift) in IBM Cloud. ArgoCD 2.5.4 installed via the Red Hat OpenShift GitOps 1.7.0 Operator.

When you install the OpenShift GitOps Operator, if on ROKS, whilst you can log in to ArgoCD via the route or via the button in the app launcher and clicking the "Login via OpenShift" button on the right hand pane, you cannot create a new app in ArgoCD because the SSO account doesn't have admin rights. It isn't part of system:cluster-admins.

Case 1:

The default ArgoCD RBAC contained in the CM resource argocd-rbac-cm that is created when the instance is installed has RBAC such as this:

```yaml
rbac:
  policy: |
    g, system:cluster-admins, role:admin
    g, cluster-admins, role:admin
  scopes: '[groups]'
```

However, the user account you are using is not part of system:cluster-admins, and in IBM cloud ROKS, cluster-admins does not exist.

To make this work in the case of the default installation of ArgoCD, I created a new group called cluster-admins and placed my account in that group.

Case 2:

In a non-default ArgoCD (one where the user instructs the Operator to create a new ArgoCD instance), the default RBAC appears to be:

```yaml
rbac:
  policy: |
    g, system:cluster-admins, role:admin
  scopes: '[groups]'
```

However, the user account you are using is not part of system:cluster-admins. To make this work I changed the RBAC to look as follows:

```yaml
rbac:
  policy: |
    g, system:cluster-admins, role:admin
    g, cluster-admins, role:admin
  scopes: '[groups]'
```

and then I ensured a group called cluster-admins was created and that my account was placed in that group.
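To show why the SSO account is refused, here is an added example (my own code, not part of this issue or of ArgoCD) that evaluates the quoted argocd-rbac-cm policy the way ArgoCD's Casbin-based enforcer does, in simplified form. It assumes a user named jane@example.com with constructed SSO group claims, and BUILTIN_POLICY is a cut-down stand-in for ArgoCD's built-in role definitions.

```python
import csv
import fnmatch
from io import StringIO
# Policy text from the operator-generated argocd-rbac-cm, as quoted in the issue.
DEFAULT_RBAC_POLICY = "g, system:cluster-admins, role:admin\ng, cluster-admins, role:admin\n"

# Simplified stand-in for ArgoCD's built-in policy (assumption: the real
# builtin-policy.csv enumerates resources and actions per role instead of '*').
BUILTIN_POLICY = (
    "p, role:admin, *, *, *, allow\n"
    "p, role:readonly, applications, get, */*, allow\n"
    "g, role:admin, role:readonly\n"
)

def parse_policy(text):
    # Split CSV lines into (member, role) grants and 5-tuple permissions.
    grants, perms = [], []
    for row in csv.reader(StringIO(text), skipinitialspace=True):
        if not row or row[0].startswith("#"):
            continue
        if row[0] == "g" and len(row) == 3:
            grants.append((row[1], row[2]))
        elif row[0] == "p" and len(row) == 6:
            perms.append(tuple(row[1:]))
    return grants, perms

def effective_roles(subjects, grants):
    # Expand the user name and SSO groups through g-lines, transitively.
    roles = set(subjects)
    changed = True
    while changed:
        changed = False
        for member, role in grants:
            if member in roles and role not in roles:
                roles.add(role)
                changed = True
    return roles

def enforce(user, groups, resource, action, obj, policy_text):
    # Casbin-style decision: any matching deny wins, else any matching allow grants.
    grants, perms = parse_policy(BUILTIN_POLICY + policy_text)
    roles = effective_roles({user, *groups}, grants)
    allowed = False
    for subject, res, act, o, effect in perms:
        if subject in roles and all(fnmatch.fnmatchcase(v, p) for v, p in
                                    ((resource, res), (action, act), (obj, o))):
            if effect == "deny":
                return False
            allowed = True
    return allowed
```

With the groups the ROKS identity provider actually sends, no g-line matches and role:admin is never reached, so the create is refused; adding the account to a cluster-admins group (or binding the group name the provider really emits) makes the same check succeed.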
