ArgoCD can't sync application: User "system:serviceaccount:calico-apiserver:calico-apiserver" cannot list resource "bgpfilters"

Question

KinD Cluster with Calico, Tigera operator v3.26.0 ArgoCD - creating new application to sync prometheus-node-exporter

Application won't sync, can't delete applications. App conditions show 3x errors, all read:

error synchronizing cache state : failed to sync cluster https://10.96.0.1:443: failed to load initial state of resource BGPFilter.projectcalico.org: connection is unauthorized: bgpfilters.crd.projectcalico.org is forbidden: User "system:serviceaccount:calico-apiserver:calico-apiserver" cannot list resource "bgpfilters" in API group "crd.projectcalico.org" at the cluster scope

Assistance on how to resolve this please! Thanks

Resolved by moving to latest release of Calico: 3.26.0 -> 3.26.1 — 800711, Jul 02 '23 at 09:04

score 0 · Answer 1 · answered Jul 06 '23 at 11:25

I've added the grant to bgpfilters in ClusterRole[calico-crds]

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: calico-crds
rules:
- apiGroups:
  - crd.projectcalico.org
  resources:
  - globalnetworkpolicies
  - networkpolicies
  - caliconodestatuses
  - clusterinformations
  - hostendpoints
  - globalnetworksets
  - networksets
  - bgpconfigurations
  - bgppeers
  - bgpfilters
  - felixconfigurations
  - kubecontrollersconfigurations
  - ippools
  - ipreservations
  - ipamblocks
  - blockaffinities
  - ipamconfigs
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
  - patch

ArgoCD can't sync application: User "system:serviceaccount:calico-apiserver:calico-apiserver" cannot list resource "bgpfilters"

1 Answers1