Allow ClusterRole and ClusterRoleBinding in cluster-resources AppProject#22
Conversation
|
@hypesystem I'm attaching our overrides/alloy/values.yaml and overrides/prometheus-stack/templates/openwebui-audit-dashboard.yaml. We call the |
Maybe I'm missing something obvious, but can you help me understand how these files relate to the PR? Adding the entries in the PR to the But you're not adding any resources to that application. So I'm confused about what exactly is driving this need. Do you need to create some concrete ClusterRole{,Binding}s to make Alloy work as you want? What exactly are those changes that you'd like to make? Generally it's good practice to have ArgoCD projects be as constrained in resource type as possible to avoid accidental creation, hence the current setting. But of course we can loosen the requirements if there's a concrete driver! I'm just not sure what it is here? |
That is a fair question. There is a concrete driver behind this request. In our setup, we needed Alloy to collect Open WebUI pod stdout logs. To support that, we created The issue we ran into was that Argo CD could not manage those resources cleanly under So the purpose of this PR is to enable clean Argo-managed handling of those cluster-scoped RBAC resources, rather than relying on local workarounds. That said, your point is valid: this PR only changes the AppProject permissions and does not include the actual RBAC manifests that motivated the request. I am happy to adjust course depending on what you would prefer:
My intention is not to loosen the project unnecessarily, only to support Alloy/Open WebUI log collection use case. |
|
@felipesdacosta Is there a particular reason you want I think they would more naturally belong next to the relevant user agent, in this case in the alloy project which uses them? We would be open to a PR that enables alloy to collect logs from all pods in the cluster, if that's something you want to look at. Otherwise we'll get around to it at some point, it's on our roadmap. |
@hypesystem That makes sense. The concrete need came from the Alloy override I added for collecting Open WebUI stdout audit logs. In particular, Alloy uses However, I agree that the current PR is incomplete as a standalone change. Right now it only allows I’ll close this PR for now rather than keep a broad allowlist change open without the concrete RBAC manifests included. If we still want this upstream, I can come back with a smaller and more complete PR that includes the actual Alloy/Open WebUI RBAC manifests together with the AppProject allowlist change, so the reason for allowing |
|
@felipesdacosta Let me know if you plan to make a PR that enables log aggregation from all pods. It would be very welcome, and if you have plans to contribute it, I don't want to step on your toes 😄 |
3 participants
Summary
This PR extends the
cluster-resourcesArgo CD AppProject to allow cluster-scoped RBAC resources.Closes #21
Changes
rbac.authorization.k8s.io/ClusterRoletospec.clusterResourceWhitelistrbac.authorization.k8s.io/ClusterRoleBindingtospec.clusterResourceWhitelistCHANGELOG.mdWhy
The current
cluster-resourcesAppProject only allowsStorageClassas a cluster-scoped resource.This prevents clean Argo-managed deployment of cluster-scoped RBAC resources needed for shared platform components such as Alloy log collection.
Without this change, local workarounds lead to:
SharedResourceWarningonAppProject/cluster-resourcesSyncErrorfor forbidden RBAC resources in thecluster-resourcesprojectExpected outcome
With this change,
cluster-resourcescan manage:StorageClassClusterRoleClusterRoleBindingThis enables a clean Argo-managed approach for shared cluster-scoped RBAC resources.