fix(rbac): Add rights on applicationsets for the application controller (#20352)

Signed-off-by: OpenGuidou <guillaume.doussin@gmail.com>
2026-02-20 01:28:45 +01:00 · 2025-02-06 18:10:11 +01:00
parent 4dcabb933e
commit d1574c204f
12 changed files with 15 additions and 0 deletions
--- a/docs/operator-manual/installation.md
+++ b/docs/operator-manual/installation.md
@@ -31,6 +31,10 @@ Not recommended for production use. This type of installation is typically used
  Argo CD instances for different teams, where each instance will be deploying applications to
  external clusters. It will still be possible to deploy to the same cluster (kubernetes.svc.default)
  with inputted credentials (i.e. `argocd cluster add <CONTEXT> --in-cluster --namespace <YOUR NAMESPACE>`).
+  With the default roles included, you will only be able to deploy Argo CD resources (Applications, ApplicationSets
+  and AppProjects)  in the same cluster, as it's only supporting the GitOps mode with real deployments being
+  done to external clusters.
+  You can modify that by defining new roles and binding them to the `argocd-application-controller` service account.

  > Note: Argo CD CRDs are not included into [namespace-install.yaml](https://github.com/argoproj/argo-cd/blob/master/manifests/namespace-install.yaml).
  > and have to be installed separately. The CRD manifests are located in the [manifests/crds](https://github.com/argoproj/argo-cd/blob/master/manifests/crds) directory.
--- a/manifests/base/application-controller-roles/argocd-application-controller-role.yaml
+++ b/manifests/base/application-controller-roles/argocd-application-controller-role.yaml
@@ -20,6 +20,7 @@ rules:
  - argoproj.io
  resources:
  - applications
+  - applicationsets
  - appprojects
  verbs:
  - create
--- a/manifests/core-install-with-hydrator.yaml
+++ b/manifests/core-install-with-hydrator.yaml
@@ -23626,6 +23626,7 @@ rules:
  - argoproj.io
  resources:
  - applications
+  - applicationsets
  - appprojects
  verbs:
  - create
--- a/manifests/core-install.yaml
+++ b/manifests/core-install.yaml
@@ -23617,6 +23617,7 @@ rules:
  - argoproj.io
  resources:
  - applications
+  - applicationsets
  - appprojects
  verbs:
  - create
--- a/manifests/ha/install-with-hydrator.yaml
+++ b/manifests/ha/install-with-hydrator.yaml
@@ -23664,6 +23664,7 @@ rules:
  - argoproj.io
  resources:
  - applications
+  - applicationsets
  - appprojects
  verbs:
  - create
--- a/manifests/ha/install.yaml
+++ b/manifests/ha/install.yaml
@@ -23655,6 +23655,7 @@ rules:
  - argoproj.io
  resources:
  - applications
+  - applicationsets
  - appprojects
  verbs:
  - create
--- a/manifests/ha/namespace-install-with-hydrator.yaml
+++ b/manifests/ha/namespace-install-with-hydrator.yaml
@@ -104,6 +104,7 @@ rules:
  - argoproj.io
  resources:
  - applications
+  - applicationsets
  - appprojects
  verbs:
  - create
--- a/manifests/ha/namespace-install.yaml
+++ b/manifests/ha/namespace-install.yaml
@@ -95,6 +95,7 @@ rules:
  - argoproj.io
  resources:
  - applications
+  - applicationsets
  - appprojects
  verbs:
  - create
--- a/manifests/install-with-hydrator.yaml
+++ b/manifests/install-with-hydrator.yaml
@@ -23653,6 +23653,7 @@ rules:
  - argoproj.io
  resources:
  - applications
+  - applicationsets
  - appprojects
  verbs:
  - create
--- a/manifests/install.yaml
+++ b/manifests/install.yaml
@@ -23644,6 +23644,7 @@ rules:
  - argoproj.io
  resources:
  - applications
+  - applicationsets
  - appprojects
  verbs:
  - create
--- a/manifests/namespace-install-with-hydrator.yaml
+++ b/manifests/namespace-install-with-hydrator.yaml
@@ -93,6 +93,7 @@ rules:
  - argoproj.io
  resources:
  - applications
+  - applicationsets
  - appprojects
  verbs:
  - create
--- a/manifests/namespace-install.yaml
+++ b/manifests/namespace-install.yaml
@@ -84,6 +84,7 @@ rules:
  - argoproj.io
  resources:
  - applications
+  - applicationsets
  - appprojects
  verbs:
  - create