-
Bug
-
Resolution: Done
-
Undefined
-
ACM 2.14.0
-
None
-
2
-
False
-
-
False
-
-
-
None
Description of problem:
Version-Release number of selected component (if applicable):
ACM - 2.14 GAed
ODF - 4.19.1-6, 4.20
OCP - 4.19.0-0.nightly-2025-08-10-045658
How reproducible: Yes, 100%
Steps to Reproduce:
- App set-based workload deployment is failing from the UI.
apiVersion: v1
items:
- apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
creationTimestamp: "2025-08-12T05:41:24Z"
generation: 1
name: app-busybox-rbd-1
namespace: openshift-gitops
resourceVersion: "1444171"
uid: fd333bdf-3fe0-4e6c-8aa5-523e3d3a8869
spec:
generators:
- clusterDecisionResource:
configMapRef: acm-placement
labelSelector:
matchLabels:
cluster.open-cluster-management.io/placement: app-busybox-rbd-1-placement
requeueAfterSeconds: 180
template:
metadata:
annotations:
apps.open-cluster-management.io/ocm-managed-cluster: '{{name}}'
apps.open-cluster-management.io/ocm-managed-cluster-app-namespace: openshift-gitops
argocd.argoproj.io/skip-reconcile: "true"
labels:
apps.open-cluster-management.io/pull-to-ocm-managed-cluster: "true"
velero.io/exclude-from-backup: "true"
name: app-busybox-rbd-1-{{name}}
spec:
destination:
namespace: app-busybox-rbd-1
server: '{{server}}'
project: default
sources:
- path: rdr/busybox/rbd/workloads/app-busybox-1
repoURL: https://github.com/red-hat-storage/ocs-workloads.git
targetRevision: less_workload_rbd
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- PruneLast=true
status:
conditions:
- lastTransitionTime: "2025-08-12T05:41:24Z"
message: 'failed to get dynamic resources: placementdecisions.cluster.open-cluster-management.io
is forbidden: User "system:serviceaccount:openshift-gitops:openshift-gitops-applicationset-controller"
cannot list resource "placementdecisions" in API group "cluster.open-cluster-management.io"
in the namespace "openshift-gitops"'
reason: ApplicationGenerationFromParamsError
status: "True"
type: ErrorOccurred
- lastTransitionTime: "2025-08-12T05:41:24Z"
message: 'failed to get dynamic resources: placementdecisions.cluster.open-cluster-management.io
is forbidden: User "system:serviceaccount:openshift-gitops:openshift-gitops-applicationset-controller"
cannot list resource "placementdecisions" in API group "cluster.open-cluster-management.io"
in the namespace "openshift-gitops"'
reason: ErrorOccurred
status: "False"
type: ParametersGenerated
- lastTransitionTime: "2025-08-12T05:41:24Z"
message: 'failed to get dynamic resources: placementdecisions.cluster.open-cluster-management.io
is forbidden: User "system:serviceaccount:openshift-gitops:openshift-gitops-applicationset-controller"
cannot list resource "placementdecisions" in API group "cluster.open-cluster-management.io"
in the namespace "openshift-gitops"'
reason: ApplicationGenerationFromParamsError
status: "False"
type: ResourcesUpToDate
kind: List
metadata:
resourceVersion: ""
oc get placementdecisions app-busybox-rbd-1-placement-decision-1 -n openshift-gitops -o yaml apiVersion: cluster.open-cluster-management.io/v1beta1 kind: PlacementDecision metadata: creationTimestamp: "2025-08-12T05:41:24Z" generation: 1 labels: cluster.open-cluster-management.io/decision-group-index: "0" cluster.open-cluster-management.io/decision-group-name: "" cluster.open-cluster-management.io/placement: app-busybox-rbd-1-placement name: app-busybox-rbd-1-placement-decision-1 namespace: openshift-gitops ownerReferences: - apiVersion: cluster.open-cluster-management.io/v1beta1 blockOwnerDeletion: true controller: true kind: Placement name: app-busybox-rbd-1-placement uid: f4b9de2f-b7b9-45d2-8d89-10b4ca411e90 resourceVersion: "1444184" uid: c162cab0-0f38-4dab-85cd-fb14b8272c63 status: decisions: - clusterName: kmanohar-c2ibm reason: ""
gitops appset control manager pod logs
level=error msg="unable to generate applications: failed to get dynamic resources: placementdecisions.cluster.open-cluster-management.io is forbidden: User \"system:serviceaccount:openshift-gitops:openshift-gitops-applicationset-controller\" cannot list resource \"placementdecisions\" in API group \"cluster.open-cluster-management.io\" in the namespace \"openshift-gitops\"" applicationset=openshift-gitops/app-busybox-rbd-1 time="2025-08-12T06:33:46Z" level=info msg="Loading TLS configuration from secret openshift-gitops/argocd-server-tls" time="2025-08-12T06:33:46Z" level=info msg="Loading TLS configuration from secret openshift-gitops/argocd-server-tls" time="2025-08-12T06:33:46Z" level=info msg="Loading TLS configuration from secret openshift-gitops/argocd-server-tls" time="2025-08-12T06:34:16Z" level=info msg="Loading TLS configuration from secret openshift-gitops/argocd-server-tls" time="2025-08-12T06:34:34Z" level=info msg="Loading TLS configuration from secret openshift-gitops/argocd-server-tls" time="2025-08-12T06:34:35Z" level=info msg="Loading TLS configuration from secret openshift-gitops/argocd-server-tls" time="2025-08-12T06:34:39Z" level=info msg="Loading TLS configuration from secret openshift-gitops/argocd-server-tls" time="2025-08-12T06:34:39Z" level=info msg="Loading TLS configuration from secret openshift-gitops/argocd-server-tls" time="2025-08-12T06:34:39Z" level=info msg="Loading TLS configuration from secret openshift-gitops/argocd-server-tls" time="2025-08-12T06:34:39Z" level=info msg="Loading TLS configuration from secret openshift-gitops/argocd-server-tls" time="2025-08-12T06:34:43Z" level=info msg="Loading TLS configuration from secret openshift-gitops/argocd-server-tls" time="2025-08-12T06:34:55Z" level=info msg="Alloc=14759 TotalAlloc=211342 Sys=36693 NumGC=631 Goroutines=136" time="2025-08-12T06:35:24Z" level=info msg="Kind.Group/Version Reference" kind.apiVersion=placementdecisions.cluster.open-cluster-management.io/v1beta1 time="2025-08-12T06:35:24Z" level=info msg="selection type" listOptions.LabelSelector="cluster.open-cluster-management.io/placement=app-busybox-rbd-1-placement" time="2025-08-12T06:35:24Z" level=warning msg="resources were not found" GVK="cluster.open-cluster-management.io/v1b
Actual results:
Deployment is failing
Expected results:
Deployment should work fine
Workaround
oc apply this YAML to set the correct ServiceAccount name
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: openshift-gitops-applicationset-controller-placement
namespace: openshift-gitops
subjects:
- kind: ServiceAccount
name: openshift-gitops-applicationset-controller
namespace: openshift-gitops
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: openshift-gitops-applicationset-controller-placement
Additional info:
Have all the necessary operators installed.
Must gather will be pasted in the comment section.
- clones
-
-
- Closed
-
