Your app deployment fails with forbidden error messages when using ArgoCD sync
Environment
- Red Hat OpenShift Service on AWS
- OpenShift Container Platform
- 4.10.x
- Red Hat OpenShift GitOps
- 1.6.0
Issue
- You want to use the ArgoCD sync to deploy your app to your namespaces separately.
- You see error messages similar to the following.
one or more objects failed to apply,
reason: services is forbidden: User "system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller" cannot create resource "services" in API group "" in the namespace "YOUR_NAMESPACE_NAME",deployments.apps is forbidden: User "system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller" cannot create resource "deployments" in API group "apps" in the namespace "YOUR_NAMESPACE_NAME"
Resolution
- Configure the target namespace with an argocd.argoproj.io/managed-by label to deploy your app in the namespace.
- Refer to Deploying resources to a different namespace for more details.
# You can check your ArgoCD instance name by running "oc get argocd" in the namespace where the ArgoCD workload runs.
$ oc label namespace <YOUR_NAMESPACE_NAME> \
argocd.argoproj.io/managed-by=<YOUR_ARGOCD_INSTANCE_NAME>
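To confirm the fix, the denials listed in the sync error can be turned into `oc auth can-i` checks to run after labelling. This is an added example, not part of the original solution: the function name `forbidden_to_checks` and the `SAMPLE_ERROR` variable are assumptions, and the sample text is the error shown above with its placeholder namespace.

```shell
#!/usr/bin/env bash
# Added example: convert Argo CD "forbidden" sync errors into permission checks.
# It only prints commands; nothing here contacts a cluster.

# Sample input: the error from the Issue section (placeholder namespace kept).
SAMPLE_ERROR='one or more objects failed to apply,
reason: services is forbidden: User "system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller" cannot create resource "services" in API group "" in the namespace "YOUR_NAMESPACE_NAME",deployments.apps is forbidden: User "system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller" cannot create resource "deployments" in API group "apps" in the namespace "YOUR_NAMESPACE_NAME"'

# Reads sync error text on stdin and prints one "oc auth can-i" command
# for each distinct denied (user, verb, resource, namespace) combination.
forbidden_to_checks() {
  # A single error line can hold several denials, so isolate each one first.
  grep -oE 'User "[^"]+" cannot [a-z]+ resource "[^"]+" in API group "[^"]*" in the namespace "[^"]+"' |
  sed -E 's/^User "([^"]+)" cannot ([a-z]+) resource "([^"]+)" in API group "([^"]*)" in the namespace "([^"]+)"$/\1|\2|\3|\4|\5/' |
  sort -u |
  while IFS='|' read -r user verb resource group ns; do
    # The core API group is reported as ""; any other group qualifies the
    # resource name, for example deployments.apps.
    if [ -n "$group" ]; then
      resource="$resource.$group"
    fi
    printf 'oc auth can-i %s %s --as=%s -n %s\n' "$verb" "$resource" "$user" "$ns"
  done
}

# Print the checks for the sample error.
printf '%s\n' "$SAMPLE_ERROR" | forbidden_to_checks
```

Run the printed commands as a user allowed to impersonate service accounts. Each should answer `yes` once the label has taken effect; a `no` means the application controller still lacks that permission in the namespace.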
Root Cause
- To allow Argo CD to manage resources in namespaces other than the one where it is installed, you should configure the target namespace with an argocd.argoproj.io/managed-by label in advance.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.