argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

ArgoCD namespace install and deploy to the same cluster broken #10593

Open r0bj opened 2 years ago

r0bj commented 2 years ago

**Describe the bug**

ArgoCD is installed as a namespace install (https://github.com/argoproj/argo-cd/tree/release-2.4/manifests). After adding the local cluster with inputted credentials, deploying to the same cluster is broken. It seems that argocd doesn't have sufficient credentials to do it. An error message is generated (and similar for any resource):

User "system:serviceaccount:argocd-infra:argocd-application-controller" cannot list resource "persistentvolumes" in API group "" at the cluster scope

**To Reproduce**

  1. Create kind cluster
    $ kind create cluster
  2. Create namespace for argocd pods:
    $ kubectl create ns argocd-infra
  3. Install namespaced argocd (from https://github.com/argoproj/argo-cd/tree/release-2.4/manifests)
    $ kubectl -n argocd-infra apply -k https://github.com/argoproj/argo-cd/manifests/crds?ref=release-2.4
    $ kubectl -n argocd-infra apply -k https://github.com/argoproj/argo-cd/manifests/namespace-install?ref=release-2.4
  4. Login to cluster with argocd CLI
    $ export ARGOCD_OPTS='--port-forward --port-forward-namespace=argocd-infra'
    $ argocd login
  5. Create application namespace
    $ kubectl create ns dev
  6. Add local cluster with inputted credentials
    $ argocd cluster add kind-kind --in-cluster --namespace dev
    WARNING: This will create a service account `argocd-manager` on the cluster referenced by context `kind-kind` with full namespace level privileges. Do you want to continue [y/N]? y
    INFO[0005] ServiceAccount "argocd-manager" created in namespace "kube-system"
    INFO[0005] Role "dev/argocd-manager-role" created
    INFO[0005] RoleBinding "dev/argocd-manager-role-binding" created
    INFO[0010] Created bearer token secret for ServiceAccount "argocd-manager"
    Cluster 'https://kubernetes.default.svc' added
  7. List clusters
    $ argocd cluster list
    SERVER                                         NAME       VERSION  STATUS   MESSAGE                                                  PROJECT
    https://kubernetes.default.svc (1 namespaces)  kind-kind           Unknown  Cluster has no applications and is not being monitored.
  8. Add ArgoCD application

    guestbook.yaml:
    apiVersion: argoproj.io/v1alpha1
    kind: Application
    metadata:
      name: guestbook
      namespace: argocd-infra
    spec:
      project: default
      source:
        repoURL: https://github.com/argoproj/argocd-example-apps.git
        targetRevision: HEAD
        path: guestbook
      destination:
        name: kind-kind
        namespace: dev

    $ kubectl apply -f guestbook.yaml
  9. Check application status
    $ argocd app get guestbook
    Name:               guestbook
    Project:            default
    Server:             kind-kind
    Namespace:          dev
    URL:                https://127.0.0.1:60324/applications/guestbook
    Repo:               https://github.com/argoproj/argocd-example-apps.git
    Target:             HEAD
    Path:               guestbook
    SyncWindow:         Sync Allowed
    Sync Policy:
    Sync Status:        Unknown
    Health Status:      Healthy

    CONDITION        MESSAGE                                                                                                                                                                                                                                                                                                                      LAST TRANSITION
    ComparisonError  failed to sync cluster https://10.96.0.1:443: failed to load initial state of resource NetworkPolicy.networking.k8s.io: networkpolicies.networking.k8s.io is forbidden: User "system:serviceaccount:argocd-infra:argocd-application-controller" cannot list resource "networkpolicies" in API group "networking.k8s.io" in the namespace "dev"  2022-09-14 15:26:19 -0700 PDT
    ComparisonError  failed to sync cluster https://10.96.0.1:443: failed to load initial state of resource NetworkPolicy.networking.k8s.io: networkpolicies.networking.k8s.io is forbidden: User "system:serviceaccount:argocd-infra:argocd-application-controller" cannot list resource "networkpolicies" in API group "networking.k8s.io" in the namespace "dev"  2022-09-14 15:26:19 -0700 PDT
    UnknownError     failed to sync cluster https://10.96.0.1:443: failed to load initial state of resource NetworkPolicy.networking.k8s.io: networkpolicies.networking.k8s.io is forbidden: User "system:serviceaccount:argocd-infra:argocd-application-controller" cannot list resource "networkpolicies" in API group "networking.k8s.io" in the namespace "dev"  2022-09-14 15:26:19 -0700 PDT

Note: argocd doesn't have sufficient credentials despite the local cluster having been successfully added with inputted credentials (Role and RoleBinding created in the namespace).

ArgoCD namespace install works fine with external clusters.

**Expected behavior**
After adding the local cluster with inputted credentials to ArgoCD (namespace install), deploying to the same cluster works as expected.

**Version**

```shell
argocd: v2.4.11+3d9e9f2.dirty
  BuildDate: 2022-08-22T12:47:26Z
  GitCommit: 3d9e9f2f95b7801b90377ecfc4073e5f0f07205b
  GitTreeState: dirty
  GoVersion: go1.19
  Compiler: gc
  Platform: darwin/arm64
argocd-server: v2.4.11+3d9e9f2
  BuildDate: 2022-08-22T09:13:10Z
  GitCommit: 3d9e9f2f95b7801b90377ecfc4073e5f0f07205b
  GitTreeState: clean
  GoVersion: go1.18.5
  Compiler: gc
  Platform: linux/arm64
  Kustomize Version: v4.4.1 2021-11-11T23:36:27Z
  Helm Version: v3.8.1+g5cb9af4
  Kubectl Version: v0.23.1
  Jsonnet Version: v0.18.0
```

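
The forbidden messages quoted in the report are the most useful data in it: the apiserver names the identity it actually authenticated (`system:serviceaccount:argocd-infra:argocd-application-controller`, the controller's own service account, not the `argocd-manager` account that `argocd cluster add` created), the verb, the resource and API group, and whether the request was namespaced or at cluster scope. The following is an added example for this thread, not Argo CD project code: it parses that message format, emits a `kubectl auth can-i --as=...` command that re-asks the same question outside Argo CD, and prints the narrowest RBAC object that would satisfy each denial. The function names, the `argocd-missing-perm` object name and the sample list are this example's own; the two messages are copied from the report above. Note that the `persistentvolumes` denial is cluster-scoped, so the grant that satisfies it is a ClusterRole, which widens a namespace install beyond the single namespace that `argocd cluster add --namespace dev` was meant to cover; the example flags that rather than hiding it.

```python
"""Triage helper for the RBAC denials quoted in this issue (added example,
not Argo CD code). Parses kube-apiserver "forbidden" messages and derives
a reproduction command plus the narrowest grant for each one."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Both variants seen in the report: "... at the cluster scope" and
# '... in the namespace "dev"'. The SA is split into namespace and name.
_FORBIDDEN = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" '
    r'cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<ns>[^"]+)")'
)

# Sample input (constructed list): the two denials quoted in the issue.
SAMPLE_DENIALS: List[str] = [
    'User "system:serviceaccount:argocd-infra:argocd-application-controller" '
    'cannot list resource "persistentvolumes" in API group "" at the cluster scope',
    'failed to sync cluster https://10.96.0.1:443: failed to load initial state of '
    'resource NetworkPolicy.networking.k8s.io: networkpolicies.networking.k8s.io is '
    'forbidden: User "system:serviceaccount:argocd-infra:argocd-application-controller" '
    'cannot list resource "networkpolicies" in API group "networking.k8s.io" '
    'in the namespace "dev"',
]


@dataclass(frozen=True)
class Denial:
    sa_namespace: str
    sa_name: str
    verb: str
    resource: str
    api_group: str            # "" is the core API group
    namespace: Optional[str]  # None means the request was at cluster scope

    @property
    def subject(self) -> str:
        return f"system:serviceaccount:{self.sa_namespace}:{self.sa_name}"

    @property
    def cluster_scoped(self) -> bool:
        return self.namespace is None


def parse_denial(message: str) -> Optional[Denial]:
    """Return the Denial described by an apiserver forbidden message, or None."""
    m = _FORBIDDEN.search(message)
    if m is None:
        return None
    return Denial(m["sa_ns"], m["sa"], m["verb"], m["resource"], m["group"], m["ns"])


def can_i_command(d: Denial) -> str:
    """kubectl command that re-asks the denied question while impersonating
    the service account the error names, so the check is independent of Argo CD."""
    fq_resource = d.resource if d.api_group == "" else f"{d.resource}.{d.api_group}"
    scope = "--all-namespaces" if d.cluster_scoped else f"-n {d.namespace}"
    return f"kubectl auth can-i {d.verb} {fq_resource} {scope} --as={d.subject}"


def minimal_rbac(d: Denial, name: str = "argocd-missing-perm") -> str:
    """Narrowest grant for this single denial: Role/RoleBinding in the target
    namespace, or ClusterRole/ClusterRoleBinding when the request was
    cluster-scoped (that form escapes the namespace boundary; decide, don't default)."""
    role_kind, binding_kind = (
        ("ClusterRole", "ClusterRoleBinding") if d.cluster_scoped else ("Role", "RoleBinding")
    )
    ns_line = "" if d.cluster_scoped else f"\n  namespace: {d.namespace}"
    return (
        "apiVersion: rbac.authorization.k8s.io/v1\n"
        f"kind: {role_kind}\n"
        f"metadata:\n  name: {name}{ns_line}\n"
        "rules:\n"
        f'- apiGroups: ["{d.api_group}"]\n'
        f'  resources: ["{d.resource}"]\n'
        f'  verbs: ["{d.verb}"]\n'
        "---\n"
        "apiVersion: rbac.authorization.k8s.io/v1\n"
        f"kind: {binding_kind}\n"
        f"metadata:\n  name: {name}{ns_line}\n"
        "roleRef:\n  apiGroup: rbac.authorization.k8s.io\n"
        f"  kind: {role_kind}\n  name: {name}\n"
        "subjects:\n- kind: ServiceAccount\n"
        f"  name: {d.sa_name}\n  namespace: {d.sa_namespace}\n"
    )


def triage(messages: List[str]) -> List[Denial]:
    """Parse every message, dropping lines that are not RBAC denials."""
    return [d for d in map(parse_denial, messages) if d is not None]


if __name__ == "__main__":
    for denial in triage(SAMPLE_DENIALS):
        scope = "CLUSTER SCOPE" if denial.cluster_scoped else f"namespace {denial.namespace}"
        print(f"# {denial.subject} lacks '{denial.verb}' on {denial.resource} ({scope})")
        print(can_i_command(denial))
        print(minimal_rbac(denial))
```

Running the `kubectl auth can-i` lines it prints against the kind cluster from the reproduction steps shows directly whether the controller's own service account has the permission, independent of whatever `argocd-manager` was granted; if the `--as=` check for `argocd-manager` in `kube-system` succeeds while the controller's fails, the stored cluster credentials are not the ones the controller is using for `https://kubernetes.default.svc`.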
matt328 commented 6 months ago

> INFO[0005] ServiceAccount "argocd-manager" created in namespace "kube-system"

Do these accounts need to be created in the kube-system namespace? I'm currently trying to configure a namespaced installation where I don't have permissions to add to the kube-system namespace.