kubectl apply -k and kubectl kustomize have different behavior, or how I spent an evening patching a ClusterRole

I wanted to enable the web terminal in argocd. Sounds easy, right?
You just need to add exec.enabled: "true" in the config map and add

apiGroups: [ "" ]
resources: [ "pods/exec" ]
verbs: [ "create" ]

in rules: []

I thought the same. And actually it’s easy. So how did I spend an evening on it?

Initially argocd was deployed using argocd-autopilot. Autopilot didn’t align well with what was needed and was decommissioned; the only remnant of it is how argocd is installed: with kustomize. I still don’t know what stopped me from using helm. The patch looks simple:

patches:
  - target:
      group: rbac.authorization.k8s.io
      version: v1
      kind: ClusterRole
      name: argocd-server
    patch: |
      - op: add
        path: /rules/-
        value:
          apiGroups: [ "" ]
          resources: [ "pods/exec" ]
          verbs: [ "create" ]
resources:
  - https://raw.githubusercontent.com/argoproj/argo-cd/v2.14.11/manifests/install.yaml

But whatever I tried, the new element of the ClusterRole rules was evading me.
It took several hours to realize that the kubectl apply -k /path/to/argocd --dry-run I was using to test the change produces different results compared to kubectl kustomize /path/to/argocd.
And it took another hour until I gave up and decided to test the patch with argocd.

I don’t know what the cause is or why it is like that; probably it’s by design, but my naive expectation is that kubectl apply -k should produce the same results.
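
An added example, not part of the original post or of Argo CD's code: it applies the patch's JSON6902 "add" at /rules/- to a ClusterRole and checks whether the result grants create on pods/exec, so the object in the cluster can be verified directly instead of trusting either renderer. SAMPLE_ROLE is constructed for the demo, and the function names are hypothetical.

```python
import copy
import json
import sys

# The JSON6902 operation from the kustomization above, as Python data.
PATCH = [{"op": "add", "path": "/rules/-", "value": {
    "apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}}]

# Constructed sample for the demo, not the real argocd-server ClusterRole.
SAMPLE_ROLE = {"kind": "ClusterRole", "metadata": {"name": "argocd-server"},
               "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                          "verbs": ["get"]}]}


def apply_add(doc, path, value):
    """RFC 6902 'add' on a copy of doc; a final '-' token appends to a list."""
    doc = copy.deepcopy(doc)
    tokens = [t.replace("~1", "/").replace("~0", "~") for t in path.split("/")[1:]]
    node = doc
    for tok in tokens[:-1]:  # walk to the parent of the target
        node = node[int(tok)] if isinstance(node, list) else node[tok]
    last = tokens[-1]
    if isinstance(node, list):
        node.insert(len(node) if last == "-" else int(last), value)
    else:
        node[last] = value
    return doc


def grants(role, group, resource, verb):
    """True if a rule allows verb on resource (simplified: ignores resourceNames)."""
    sub = resource.partition("/")[2]

    def res_ok(r):  # "*", an exact match, or "*/<subresource>"
        return r in ("*", resource) or (sub and r == "*/" + sub)

    for rule in role.get("rules") or []:
        if (any(g in ("*", group) for g in rule.get("apiGroups", []))
                and any(res_ok(r) for r in rule.get("resources", []))
                and any(v in ("*", verb) for v in rule.get("verbs", []))):
            return True
    return False


if __name__ == "__main__":
    # Pass "-" to read `kubectl get clusterrole argocd-server -o json` from stdin.
    role = json.load(sys.stdin) if sys.argv[1:] == ["-"] else apply_add(
        SAMPLE_ROLE, PATCH[0]["path"], PATCH[0]["value"])
    ok = grants(role, "", "pods/exec", "create")
    print("pods/exec create granted:", ok)
    sys.exit(0 if ok else 1)
```

A non-zero exit means the live role does not grant the permission the web terminal needs; a zero exit on the unpatched role means the permission was already present through a wildcard rule.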
