Argo CD Service Account Permissions

⏱️ Estimated Time: 3 Minutes

👨‍💻 Role: Cluster Administrator

Instead of carefully crafting a ClusterRole and ClusterRoleBinding to allow Argo CD to manage cluster-scoped resources, you’ll save time in this workshop by simply granting the cluster-admin role to the Argo CD Service Account.

The cluster-admin role is part of the default cluster roles included in OpenShift. Assigning the cluster-admin role to a user or Service Account provides it with super-user privileges.

Grant Cluster-Admin Permissions to Argo CD’s Service Account

  1. Log in to the OpenShift Web Console.

  2. Open the Web Terminal using the >_ icon in the top-right corner of the OpenShift Web Console.

  3. Use the OpenShift CLI to bind the cluster-admin role to the Argo CD Service Account by executing the following command:

    oc adm policy add-cluster-role-to-user cluster-admin system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller

  4. Return to the Argo CD dashboard, and select the managed-namespaces Application.

  5. Manually trigger a sync by clicking the Sync button, accepting the default parameters, and clicking the Synchronise button.

The Application will report Healthy and Synced status. This is because the Argo CD Service Account was able to synchronise all the resources this time, thanks to having cluster-admin privileges.

The adm subcommand provided by the OpenShift (oc) CLI is a utility that provides useful commands for OpenShift administrators. You can read more about it in the OpenShift CLI administrator command reference.
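For comparison with the cluster-admin shortcut, the following is an added example (not part of the workshop) of the scoped ClusterRole and ClusterRoleBinding the introduction mentions: it grants the same Argo CD Service Account only the verbs needed on Namespaces and ResourceQuotas. It assumes the managed-namespaces Application creates nothing beyond those two kinds, and the ClusterRole name argocd-managed-namespaces is a placeholder.

```yaml
# Added example: a least-privilege alternative to binding cluster-admin.
# Assumption: the managed-namespaces Application only creates Namespaces
# and ResourceQuotas; extend the rules as further resource kinds are added.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: argocd-managed-namespaces
rules:
  # Cluster-scoped: Argo CD must create and reconcile the Namespaces.
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # ResourceQuota is namespaced, but granting it here (cluster-wide) lets the
  # quota be applied in every managed Namespace without per-Namespace RoleBindings.
  - apiGroups: [""]
    resources: ["resourcequotas"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argocd-managed-namespaces
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argocd-managed-namespaces
subjects:
  # The Argo CD application controller Service Account from the workshop.
  - kind: ServiceAccount
    name: openshift-gitops-argocd-application-controller
    namespace: openshift-gitops
```

After applying this with oc apply -f, you can confirm the scope with oc auth can-i create namespaces --as=system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller (expected: yes) and the same check for an unrelated verb such as delete pods (expected: no).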


Verify Argo CD Synchronised Cluster-Scoped Resources

Argo CD should’ve synchronised the ResourceQuota resources now that the appropriate Service Account permissions are in place. You can verify this via the following steps:

  1. Log in to the OpenShift Web Console.

  2. Open the Web Terminal using the >_ icon in the top-right corner of the OpenShift Web Console.

  3. Run the following command to view the applied ResourceQuota for the project-memes-prod Namespace. The output should include a Quota section whose values correspond to your patched ResourceQuota:

    oc describe project project-memes-prod

  4. Do the same for the project-memes-dev Namespace. This should show a Quota with the values defined in the base ResourceQuota:

    oc describe project project-memes-dev

If the ResourceQuota is not reflected in the output, verify the sync status of the managed-namespaces Application in the Argo CD dashboard.