argo-workflows: Error while SSO Delegation" error="no service account rule matches"

Hi,

I’ve followed the docs for SSO RBAC namespace delegation (https://argoproj.github.io/argo-workflows/argo-server-sso/#sso-rbac-namespace-delegation) and am getting the error below: Error while SSO Delegation" error="no service account rule matches"

  • argo v3.3.5
  • emissary executor v3.3.5
  • Cluster-install
  • Cluster roles and cluster role bindings

Currently, we have 3 service accounts - read-only (default), argo-admin and external-team read-only (default)

apiVersion: v1
kind: ServiceAccount
metadata:
  name: argo-read-only
  namespace: argo
  annotations:
    workflows.argoproj.io/rbac-rule: "true"
    workflows.argoproj.io/rbac-rule-precedence: "0"

argo-admin

apiVersion: v1
kind: ServiceAccount
metadata:
  name: argo-admin
  namespace: argo
  annotations:
    workflows.argoproj.io/rbac-rule: "'admin' in groups"
    workflows.argoproj.io/rbac-rule-precedence: "1"

external-team namespace - external-team

apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-team
  namespace: external-team
  annotations:
    workflows.argoproj.io/rbac-rule: "'external-team' in groups"
    workflows.argoproj.io/rbac-rule-precedence: "1"

  • Updated the above with all the required cluster roles and cluster role bindings
  • I’m (Sandeep) part of the admin group and able to submit all workflows

Argo server logs on argocd

time="2022-07-11T19:15:36.044Z" level=info msg="Error while SSO Delegation" error="no service account rule matches"
time="2022-07-11T19:15:36.044Z" level=info msg="selected SSO RBAC service account for user" email=Sandeep@example.com loginServiceAccount=argo-admin serviceAccount=argo-admin ssoDelegated=false ssoDelegationAllowed=true subject=xxxxxxx.................................
time="2022-07-11T19:18:39.367Z" level=info msg="Alloc=12697 TotalAlloc=661075 Sys=69073 NumGC=145 Goroutines=102"
time="2022-07-11T19:23:39.367Z" level=info msg="Alloc=11727 TotalAlloc=662318 Sys=69073 NumGC=147 Goroutines=102"
time="2022-07-11T19:28:39.367Z" level=info msg="Alloc=11448 TotalAlloc=663600 Sys=69073 NumGC=150 Goroutines=102"

Cluster role bound to the default service account argo-admin

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: argo-server-cluster-role
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - create
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/exec
      - pods/log
    verbs:
      - get
      - list
      - watch
      - delete
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - watch
      - create
      - patch
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - argoproj.io
    resources:
      - eventsources
      - sensors
      - workflows
      - workfloweventbindings
      - workflowtemplates
      - cronworkflows
      - clusterworkflowtemplates
    verbs:
      - create
      - get
      - list
      - watch
      - update
      - patch
      - delete

In the above service accounts, the rbac-rule-precedence is having same value for two service accounts - is it causing the issue ? or something else ?


Message from the maintainers:

Impacted by this bug? Give it a 👍. We prioritise the issues with the most 👍.
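To reason about the "no service account rule matches" line and the precedence question, here is an added example (not Argo's own code) that models how the server picks an SSO RBAC service account: candidates are the ServiceAccounts in a namespace that carry the rbac-rule annotation, sorted by precedence (higher wins), and the first whose rule evaluates true is chosen; with namespace delegation a login SA is chosen in the install namespace first and then an SA in the target namespace, falling back to the login SA when nothing matches there. Assumptions: the SERVICE_ACCOUNTS inventory mirrors the three SAs on this page; the rule evaluator only handles the two forms used here ("true" and "'<group>' in groups", Argo itself uses the expr language); ties between equal precedence values are resolved by list order, which Argo does not document; the sample ID tokens are constructed and unsigned; all function names are hypothetical.

```python
import base64
import json
import re

RULE_ANN = "workflows.argoproj.io/rbac-rule"
PREC_ANN = "workflows.argoproj.io/rbac-rule-precedence"

# Constructed inventory mirroring the three ServiceAccounts on this page.
SERVICE_ACCOUNTS = [
    {"name": "argo-read-only", "namespace": "argo",
     "annotations": {RULE_ANN: "true", PREC_ANN: "0"}},
    {"name": "argo-admin", "namespace": "argo",
     "annotations": {RULE_ANN: "'admin' in groups", PREC_ANN: "1"}},
    {"name": "external-team", "namespace": "external-team",
     "annotations": {RULE_ANN: "'external-team' in groups", PREC_ANN: "1"}},
]

_IN_GROUPS = re.compile(r"^'([^']+)'\s+in\s+groups$")


def rule_matches(rule, claims):
    """Toy evaluator (assumption) for the two rule forms used on this page.

    Argo evaluates rbac-rule with the expr language and supports much more;
    only "true" and "'<group>' in groups" are modelled here. A missing or
    empty `groups` claim is treated as "no match", which is the effect that
    matters for this issue.
    """
    rule = rule.strip()
    if rule == "true":
        return True
    m = _IN_GROUPS.match(rule)
    if m:
        return m.group(1) in (claims.get("groups") or [])
    raise ValueError(f"rule form not modelled here: {rule!r}")


def select_service_account(namespace, claims, sas=SERVICE_ACCOUNTS):
    """Highest-precedence SA in `namespace` whose rule matches, else None.

    Only SAs carrying the rbac-rule annotation are candidates; precedence is
    the integer annotation (default 0) and higher wins. Two SAs sharing a
    precedence value is not an error: if both matched, the tie would be
    resolved by candidate order here (assumption; Argo does not document a
    tie-break, so do not rely on one).
    """
    candidates = [sa for sa in sas
                  if sa["namespace"] == namespace and RULE_ANN in sa["annotations"]]
    candidates.sort(key=lambda sa: int(sa["annotations"].get(PREC_ANN, "0")),
                    reverse=True)  # sort is stable, so ties keep list order
    for sa in candidates:
        if rule_matches(sa["annotations"][RULE_ANN], claims):
            return sa["name"]
    return None


def delegated_login(install_ns, target_ns, claims, sas=SERVICE_ACCOUNTS):
    """Model of namespace delegation: (login_sa, effective_sa, delegated).

    Login selects an SA in the install namespace; a request for another
    namespace then selects an SA there. If nothing matches in the target
    namespace the login SA is kept, which is the "no service account rule
    matches" / ssoDelegated=false pairing seen in the logs on this page.
    """
    login = select_service_account(install_ns, claims, sas)
    if login is None:
        return None, None, False  # no login SA at all: request is rejected
    if target_ns == install_ns:
        return login, login, False
    ns_sa = select_service_account(target_ns, claims, sas)
    if ns_sa is None:
        return login, login, False  # delegation failed, fall back to login SA
    return login, ns_sa, True


def groups_from_id_token(id_token):
    """Read the `groups` claim from an ID token payload WITHOUT verifying it.

    Diagnostic only (is the IdP emitting groups at all?); never make an
    authorization decision on claims you have not verified.
    """
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("groups")


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed, unsigned sample tokens (header.payload.<empty signature>); the
# second models an IdP that was not configured to emit a groups claim.
TOKEN_WITH_GROUPS = ".".join([_b64url({"alg": "none"}),
                              _b64url({"email": "sandeep@example.com",
                                       "groups": ["admin"]}), ""])
TOKEN_WITHOUT_GROUPS = ".".join([_b64url({"alg": "none"}),
                                 _b64url({"email": "sandeep@example.com"}), ""])

if __name__ == "__main__":
    for token in (TOKEN_WITH_GROUPS, TOKEN_WITHOUT_GROUPS):
        claims = {"groups": groups_from_id_token(token)}
        print(claims, "->", delegated_login("argo", "external-team", claims))
```

Run as a script it shows the two failure modes side by side: a user with only the admin group logs in as argo-admin but cannot delegate into external-team (no rule there matches), and a token with no groups claim at all can only ever match the "true" rule, so every group-based SA is skipped. Equal precedence values across different namespaces never compete with each other, because selection is per namespace.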

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Reactions: 2
  • Comments: 19 (13 by maintainers)

Most upvoted comments

Yeah you’re right 😁 I’ll need to reconfigure my setup and test it out. I’ll let you know how it goes. https://github.com/argoproj/argo-workflows/blob/master/docs/argo-server-sso.md#recommended-usage

@seif-raafat That’s good news - I’ve contacted my Azure AD team to see if the enterprise application should have groups registered with it. Hope I will have some good news.

Answering your question -

One thing that is confusing to me is the log entry has loginServiceAccount referencing the default account in the installation namespace while serviceAccount correctly points to the namespace service account. See below:

I have updated the service accounts to be deployed to each namespace and can confirm that it works. Rule matches are done correctly. One thing that is confusing to me is the log entry has loginServiceAccount referencing the default account in the installation namespace while serviceAccount correctly points to the namespace service account. See below:

time="2022-07-14T16:15:13.843Z" level=info msg="selected SSO RBAC service account for user" email=seif-raafat@example.com loginServiceAccount=user-default-login serviceAccount=my-namespace-admin ssoDelegated=true ssoDelegationAllowed=true subject=xxxxxxx.................................

I’m also not able to authenticate with other service accounts. It only works with one service account, which happens to match the first group in the list. See error:

time="2022-07-13T20:34:41.051Z" level=info msg="Error while SSO Delegation" error="no service account rule matches"