zapier / kubechecks

Check your Kubernetes changes before they hit the cluster
https://kubechecks.readthedocs.io/en/latest/
Mozilla Public License 2.0

Diffing: RPC PermissionDenied #191

Open mar-ki opened 5 months ago

mar-ki commented 5 months ago

Using a Docker image >= v1.5.3 I get the following issue during the Argo diff operation:

10:28AM INF check result error="rpc error: code = PermissionDenied desc = permission denied" app=myapp app_name=myapp app_path=application/myapp/manifests check="generating diff for app" event_id=59 repo=kubechecks-test result=

The token used to connect to my Argo CD installation has admin permissions, and the debug log doesn't provide any more info on that topic.

PS: Images older than v1.5.3 can run the diff but always detect "created" instead of "modified", for example when changing replica counts in plain manifests.

djeebus commented 5 months ago

Interesting! The "permission denied" should be resolved with #187, and will be released shortly.

The second issue (modifications look like creations) is strange. Does the "myapp" app exist in Argo CD already, and is it functional? If it's in git but not yet in the cluster, that would explain why kubechecks thinks you're creating the resources. Otherwise there's something else we need to track down here. Anything interesting going on with that app?

mar-ki commented 5 months ago

I identified the root cause. We use the "Applications in any namespace" feature. A team could deploy an Argo Application in their namespace and then it gets synced to Argo. Documentation: app-any-namespace

This causes Kubechecks to always say that any modifications are "added" even when something is modified or deleted.

I started to move the applications into the argocd namespace and it's running fine now.

Example - Not working (App Manifest in team ns)

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app3-manifests
  namespace: app3
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    namespace: app3
    server: https://kubernetes.default.svc
  project: team-apps
  source:
    repoURL: https://xyz.net/argo-bootstrap.git
    path: application/app3-manifest/manifests
  syncPolicy:
    automated:
      selfHeal: true

Example - Working (Application manifest in argocd ns)

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app3-manifests
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    namespace: app3
    server: https://kubernetes.default.svc
  project: team-apps
  source:
    repoURL: https://xyz.net/argo-bootstrap.git
    path: application/app3-manifest/manifests
  syncPolicy:
    automated:
      selfHeal: true

djeebus commented 5 months ago

Ah! OK, that makes sense. Let me see if there's a quick fix to that.
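The root cause mar-ki describes above (Application objects living outside the argocd namespace via the "apps in any namespace" feature) is easy to audit before opening kubechecks at all. The script below is an added example and is not part of kubechecks or of the thread; it assumes the control-plane namespace is `argocd` (override with `ARGOCD_NS`) and takes the `NAMESPACE NAME` lines produced by the `kubectl ... -o custom-columns` command shown in the comment. The sample output embedded in `SAMPLE` is constructed for offline use.

```shell
#!/usr/bin/env sh
# Added example (not kubechecks code): list Argo CD Applications that are
# defined outside the control-plane namespace, i.e. apps that rely on the
# "Applications in any namespace" feature.

ARGOCD_NS="${ARGOCD_NS:-argocd}"   # assumption: control plane lives in "argocd"

# apps_outside_ns reads "NAMESPACE NAME" lines on stdin (the shape produced by
#   kubectl get applications.argoproj.io -A --no-headers \
#     -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name
# ) and prints "namespace/name" for every Application not in namespace $1.
apps_outside_ns() {
  ctrl_ns="$1"
  awk -v ctrl="$ctrl_ns" 'NF >= 2 && $1 != ctrl { print $1 "/" $2 }'
}

# count_apps_outside_ns returns the number of such Applications on stdout.
count_apps_outside_ns() {
  apps_outside_ns "$1" | wc -l | tr -d ' '
}

# live_check queries the cluster; only used when invoked with --live.
live_check() {
  kubectl get applications.argoproj.io -A --no-headers \
    -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name \
    | apps_outside_ns "$ARGOCD_NS"
}

# Constructed sample output, mirroring the manifests in the issue:
# one Application in the argocd namespace, two in team namespaces.
SAMPLE='argocd app1-manifests
app3 app3-manifests
team-b app7'

if [ "${1:-}" = "--live" ]; then
  live_check
else
  echo "Applications outside namespace '$ARGOCD_NS' (sample data):"
  printf '%s\n' "$SAMPLE" | apps_outside_ns "$ARGOCD_NS"
fi
```

Any line the script prints is an Application that kubechecks (at the version in the thread) would diff against nothing and report as "added". Moving such manifests to `metadata.namespace: argocd`, as mar-ki did, makes them visible to the diff; if you instead keep using apps in any namespace, remember that Argo CD only honours them when the namespace is listed in `application.namespaces` in `argocd-cmd-params-cm` and in the AppProject's `spec.sourceNamespaces`.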