argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

kube-system:argocd-manager on Target cluster is failing with not having enough permissions to list the resources #15051

Open Josephred999 opened 1 year ago

Josephred999 commented 1 year ago

The service account (kube-system:argocd-manager) that gets created (on the target cluster) when adding a K8s cluster in Argo doesn't have enough permissions on the target cluster when pulling the resources.

I can modify the service account to give it a cluster-admin role binding, but shouldn't ArgoCD have added the necessary permissions to pull the needed resources?

error synchronizing cache state : failed to sync cluster https://k8s.cluster:8443: failed to load initial state of resource RoleBinding.rbac.authorization.k8s.io: rolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:kube-system:argocd-manager" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope  

error synchronizing cache state : failed to sync cluster https://k8s.cluster:8443: failed to load initial state of resource RestoreJob.powerprotect.dell.com: restorejobs.powerprotect.dell.com is forbidden: User "system:serviceaccount:kube-system:argocd-manager" cannot list resource "restorejobs" in API group "powerprotect.dell.com" at the cluster scope 

So we had to manually add the needed cluster-level permissions to this service account for listing the resources to work.
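
Added example (not part of the issue thread and not Argo CD project code): a Python triage helper that parses the Kubernetes "forbidden" messages quoted in the report above into the exact identity, verb, resource, API group and scope that was denied, so the result can be compared against the ClusterRole bound to the service account rather than reaching for cluster-admin. The function names and the `<cluster>` scope label are assumptions of this example; the sample log is constructed from the two lines in the report.

```python
import re
from collections import defaultdict

# Constructed sample input: the two error lines quoted in the report.
SAMPLE_LOG = """\
error synchronizing cache state : failed to sync cluster https://k8s.cluster:8443: failed to load initial state of resource RoleBinding.rbac.authorization.k8s.io: rolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:kube-system:argocd-manager" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
error synchronizing cache state : failed to sync cluster https://k8s.cluster:8443: failed to load initial state of resource RestoreJob.powerprotect.dell.com: restorejobs.powerprotect.dell.com is forbidden: User "system:serviceaccount:kube-system:argocd-manager" cannot list resource "restorejobs" in API group "powerprotect.dell.com" at the cluster scope
"""

# Shape of the API server's authorization denial message. The API group is
# empty ("") for core resources; the scope is cluster-wide or one namespace.
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

def parse_denials(log_text):
    """Return one dict per distinct denial, in first-seen order."""
    seen, denials = set(), []
    for match in FORBIDDEN.finditer(log_text):
        denial = match.groupdict()  # namespace is None for cluster scope
        key = tuple(denial.values())
        if key not in seen:  # controllers retry, so the same line repeats
            seen.add(key)
            denials.append(denial)
    return denials

def missing_rules(denials):
    """Group denials into RBAC-rule-shaped dicts per identity and scope.

    Grouping is per (user, scope, API group, verb) so that no verb is
    attributed to a resource it was not actually denied on.
    """
    grouped = defaultdict(set)
    for d in denials:
        scope = d["namespace"] or "<cluster>"
        grouped[(d["user"], scope, d["group"], d["verb"])].add(d["resource"])
    return [
        {"user": u, "scope": s, "apiGroups": [g], "verbs": [v], "resources": sorted(r)}
        for (u, s, g, v), r in sorted(grouped.items())
    ]

if __name__ == "__main__":
    for rule in missing_rules(parse_denials(SAMPLE_LOG)):
        print(rule)
```
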

jgwest commented 8 months ago

@Josephred999 It's tough to get more permissive than * https://github.com/argoproj/argo-cd/blob/bb1c1ed44d3c802329c5437f3904852dc3ea98de/util/clusterauth/clusterauth.go#L30

fabianboerner commented 7 months ago

This is still an issue, right? I'm running into that after a fresh install.