argo-workflows: Error while SSO Delegation" error="no service account rule matches"
Hi,
I’ve followed the docs for SSO RBAC namespace delegation https://argoproj.github.io/argo-workflows/argo-server-sso/#sso-rbac-namespace-delegation and am getting the error below -

```text
Error while SSO Delegation" error="no service account rule matches"
```
- argo v3.3.5
- emissary executor v3.3.5
- Cluster-install
- Cluster roles and cluster role bindings
Currently, we have 3 service accounts - read-only (default), argo-admin and external-team.

read-only (default)

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argo-read-only
  namespace: argo
  annotations:
    workflows.argoproj.io/rbac-rule: "true"
    workflows.argoproj.io/rbac-rule-precedence: "0"
```

argo-admin

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argo-admin
  namespace: argo
  annotations:
    workflows.argoproj.io/rbac-rule: "'admin' in groups"
    workflows.argoproj.io/rbac-rule-precedence: "1"
```

external-team (namespace: external-team)

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-team
  namespace: external-team
  annotations:
    workflows.argoproj.io/rbac-rule: "'external-team' in groups"
    workflows.argoproj.io/rbac-rule-precedence: "1"
```
- Updated the above changes; all the required cluster roles and cluster role bindings were added
- I’m (Sandeep) part of the admin group and able to submit all workflows
Argo server logs on argocd

```text
time="2022-07-11T19:15:36.044Z" level=info msg="Error while SSO Delegation" error="no service account rule matches"
time="2022-07-11T19:15:36.044Z" level=info msg="selected SSO RBAC service account for user" email=Sandeep@example.com loginServiceAccount=argo-admin serviceAccount=argo-admin ssoDelegated=false ssoDelegationAllowed=true subject=xxxxxxx.................................
time="2022-07-11T19:18:39.367Z" level=info msg="Alloc=12697 TotalAlloc=661075 Sys=69073 NumGC=145 Goroutines=102"
time="2022-07-11T19:23:39.367Z" level=info msg="Alloc=11727 TotalAlloc=662318 Sys=69073 NumGC=147 Goroutines=102"
time="2022-07-11T19:28:39.367Z" level=info msg="Alloc=11448 TotalAlloc=663600 Sys=69073 NumGC=150 Goroutines=102"
```
Cluster role bound to the default service account argo-admin

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: argo-server-cluster-role
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - create
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/exec
      - pods/log
    verbs:
      - get
      - list
      - watch
      - delete
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - watch
      - create
      - patch
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - argoproj.io
    resources:
      - eventsources
      - sensors
      - workflows
      - workfloweventbindings
      - workflowtemplates
      - cronworkflows
      - clusterworkflowtemplates
    verbs:
      - create
      - get
      - list
      - watch
      - update
      - patch
      - delete
```
In the above service accounts, `rbac-rule-precedence` has the same value for two service accounts - is that causing the issue, or is it something else?
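To make the matching behind the log line above concrete, here is a small model of how the rule annotations are evaluated, written as an added illustration for this thread; it is not Argo's code and only follows the behaviour described in the linked docs (candidates are the rule-bearing service accounts of one namespace, tried in descending precedence, first match wins, and a failed lookup in the requested namespace falls back to the login account). The `eval_rule` helper is a stand-in that understands only the rule forms on this page (`true`, `'x' in groups`, `claim == 'x'`, joined with `&&`/`||`), not Argo's full expression language, and the three accounts are the ones posted in the issue, entered as constructed test data:

```python
import re
from dataclasses import dataclass, field

# Annotation keys from the Argo SSO RBAC docs linked in the issue.
RULE = "workflows.argoproj.io/rbac-rule"
PRECEDENCE = "workflows.argoproj.io/rbac-rule-precedence"


@dataclass
class ServiceAccount:
    name: str
    namespace: str
    annotations: dict = field(default_factory=dict)


# The three service accounts posted in the issue (constructed test data).
ACCOUNTS = [
    ServiceAccount("argo-read-only", "argo", {RULE: "true", PRECEDENCE: "0"}),
    ServiceAccount("argo-admin", "argo", {RULE: "'admin' in groups", PRECEDENCE: "1"}),
    ServiceAccount("external-team", "external-team",
                   {RULE: "'external-team' in groups", PRECEDENCE: "1"}),
]


def eval_rule(rule: str, claims: dict) -> bool:
    """Stand-in evaluator for the rule subset used on this page:
    true | false | 'value' in <claim> | <claim> == 'value', combined with && and ||.
    Argo itself uses a full expression language; this is only a model."""
    def atom(text: str) -> bool:
        text = text.strip()
        if text in ("true", "false"):
            return text == "true"
        m = re.fullmatch(r"'([^']*)'\s+in\s+(\w+)", text)
        if m:
            return m.group(1) in claims.get(m.group(2), [])
        m = re.fullmatch(r"(\w+)\s*==\s*'([^']*)'", text)
        if m:
            return claims.get(m.group(1)) == m.group(2)
        raise ValueError(f"unsupported rule expression: {text!r}")

    # '||' binds looser than '&&', which is enough for the rules shown here.
    return any(all(atom(a) for a in clause.split("&&")) for clause in rule.split("||"))


def select_service_account(accounts, namespace: str, claims: dict):
    """Name of the first matching rule-bearing service account in `namespace`,
    higher precedence first, or None when no rule matches the claims."""
    candidates = [sa for sa in accounts
                  if sa.namespace == namespace and RULE in sa.annotations]
    candidates.sort(key=lambda sa: int(sa.annotations.get(PRECEDENCE, "0")), reverse=True)
    for sa in candidates:
        if eval_rule(sa.annotations[RULE], claims):
            return sa.name
    return None


def delegate(accounts, install_namespace: str, target_namespace: str, claims: dict):
    """Two-step lookup behind the log fields in the issue.
    Returns (loginServiceAccount, serviceAccount, ssoDelegated)."""
    login = select_service_account(accounts, install_namespace, claims)
    if login is None:
        raise PermissionError("no login service account rule matches")
    if target_namespace == install_namespace:
        return login, login, False
    delegated = select_service_account(accounts, target_namespace, claims)
    if delegated is None:
        # The "no service account rule matches" case from the log: the request
        # falls back to the login account from the installation namespace.
        return login, login, False
    return login, delegated, True


if __name__ == "__main__":
    for groups, ns in [(["admin"], "external-team"), (["external-team"], "external-team")]:
        login, sa, delegated = delegate(ACCOUNTS, "argo", ns, {"groups": groups})
        print(f"groups={groups} namespace={ns}: loginServiceAccount={login} "
              f"serviceAccount={sa} ssoDelegated={delegated}")
```

Running it with the `admin` group against the `external-team` namespace reproduces the log line in the issue (`loginServiceAccount=argo-admin serviceAccount=argo-admin ssoDelegated=false`): the only rule in `external-team` is `'external-team' in groups`, which an admin-only token does not satisfy, so delegation falls back. In this model precedence only orders candidates inside one namespace, so two accounts in different namespaces sharing `rbac-rule-precedence: "1"` never compete with each other; a token carrying the `external-team` group, by contrast, logs in as `argo-read-only` (the only rule in `argo` that it matches) and is delegated to `external-team`.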
About this issue
- State: closed
- Created 2 years ago
- Reactions: 2
- Comments: 19 (13 by maintainers)
Yeah you’re right 😁 I’ll need to reconfigure my setup and test it out. I’ll let you know how it goes. https://github.com/argoproj/argo-workflows/blob/master/docs/argo-server-sso.md#recommended-usage
@seif-raafat That’s good news - I’ve contacted my Azure AD team to see if the enterprise application should have groups registered with it. Hope I will have some good news.
Answering your question -

`loginServiceAccount` is the account you used to log into your argo server - `user-default-login` in your case.

`serviceAccount` is the delegated service account in the namespace where you requested (basically the namespace other than where argo is installed).

I have updated the service accounts to be deployed to each namespace and can confirm that it works. Rule matches are done correctly. One thing that is confusing to me is the log entry has `loginServiceAccount` referencing the default account in the installation namespace while `serviceAccount` correctly points to the namespace service account. See below:

I’m also not able to authenticate with other service accounts. It only works with one service account, which happens to match the first group in the list. See error: