Allow ClusterRole and ClusterRoleBinding in cluster-resources AppProject #21

@felipesdacosta

Summary

The cluster-resources Argo CD AppProject currently only allows StorageClass as a cluster-scoped resource.

This prevents clean Argo-managed deployment of cluster-scoped RBAC resources such as:

  • rbac.authorization.k8s.io/ClusterRole
  • rbac.authorization.k8s.io/ClusterRoleBinding

Background

We needed cluster-scoped RBAC for Alloy to support log collection related to Open WebUI pod logs.

A local workaround was attempted by overriding the cluster-resources AppProject and adding RBAC manifests in local overrides, but that approach was not reliable because the live AppProject/cluster-resources remained owned by the vendor application.

This resulted in Argo CD issues such as:

  • SharedResourceWarning on AppProject/cluster-resources
  • SyncError for RBAC resources not permitted in project cluster-resources

The local workaround has now been removed to restore a cleaner Argo CD state.

Current configuration

The live cluster-resources AppProject currently allows only:

clusterResourceWhitelist:
  - group: storage.k8s.io
    kind: StorageClass

Proposed change

Please extend vendor/applications/argo-cd-resources/templates/projects/cluster-resources.yaml so that spec.clusterResourceWhitelist includes:

- group: storage.k8s.io
  kind: StorageClass
- group: rbac.authorization.k8s.io
  kind: ClusterRole
- group: rbac.authorization.k8s.io
  kind: ClusterRoleBinding

Why this helps

This allows cluster-level shared resources to include the RBAC objects needed for components like Alloy, without requiring local AppProject overrides or causing Argo CD ownership conflicts.

Expected outcome

With this change, cluster-resources can cleanly manage:

  • StorageClass
  • ClusterRole
  • ClusterRoleBinding

This enables a cleaner Argo-managed implementation for shared cluster-scoped RBAC resources.
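
A pre-sync check for the whitelist change requested above, as an added example that is not part of the issue or the vendor repository: it tests manifests against the current and the proposed clusterResourceWhitelist and, because the wider list lets any application in cluster-resources create cluster-wide grants, also flags bindings to cluster-admin and wildcard ClusterRoles. The manifest names, the glob-style matching of group and kind, and the two RBAC checks are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Whitelists copied from the issue: the live one and the proposed one.
CURRENT = [{"group": "storage.k8s.io", "kind": "StorageClass"}]
PROPOSED = CURRENT + [
    {"group": "rbac.authorization.k8s.io", "kind": "ClusterRole"},
    {"group": "rbac.authorization.k8s.io", "kind": "ClusterRoleBinding"},
]

# Constructed sample manifests (hypothetical names), already parsed into dicts.
MANIFESTS = [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "alloy-logs"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                "verbs": ["get", "list", "watch"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "alloy-logs"},
     "roleRef": {"kind": "ClusterRole", "name": "alloy-logs"}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "too-broad"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
]

def group_of(manifest):
    """API group from apiVersion; core resources ("v1") have the empty group."""
    api = manifest["apiVersion"]
    return api.split("/")[0] if "/" in api else ""

def permitted(manifest, whitelist):
    """True if group and kind match a whitelist entry (glob matching is assumed)."""
    return any(fnmatchcase(group_of(manifest), e["group"]) and
               fnmatchcase(manifest["kind"], e["kind"]) for e in whitelist)

def findings(manifests, whitelist):
    """Return (name, problem) pairs: denied kinds and over-broad RBAC grants."""
    out = []
    for m in manifests:
        name = f'{m["kind"]}/{m["metadata"]["name"]}'
        if not permitted(m, whitelist):
            out.append((name, "not permitted in project"))
        elif m["kind"] == "ClusterRoleBinding" and m["roleRef"]["name"] == "cluster-admin":
            out.append((name, "binds cluster-admin"))
        elif m["kind"] == "ClusterRole" and any(
                "*" in r.get("verbs", []) or "*" in r.get("resources", [])
                for r in m.get("rules", [])):
            out.append((name, "wildcard verbs or resources"))
    return out

if __name__ == "__main__":
    for label, wl in (("current", CURRENT), ("proposed", PROPOSED)):
        print(label, findings(MANIFESTS, wl))
```

Under the current whitelist all three sample manifests are rejected; under the proposed one only the cluster-admin binding is reported, which is the case the AppProject itself no longer stops.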
