Some resources' live manifests can't be viewed in the UI since server cluster role lacks list permission

[andrii-korotkov-verkada]

Checklist:

• I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
• I've included steps to reproduce the bug.
• I've pasted the output of argocd version.

Describe the bug

Some resources' live manifests would show that resource not found, despite it's there in the cluster. For example

apiVersion: karpenter.sh/v1beta1
kind: NodePool

I've validated that adding list permission to the server via

- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - delete
  - get
  - list
  - patch

works, whereas existing one looks like

- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - delete
  - get
  - patch

So apparently get is not enough.

To Reproduce

Create resources

apiVersion: karpenter.sh/v1beta1
kind: NodePool

and try to view their live manifest in the UI

Expected behavior

Live manifest is viewable in the UI

Screenshots

After the update

Version

A custom build from master + #18694 around the time of v2.12.0-rc1 release.

Logs

[agaudreault]

Does this happen to all resources or only Nodepool? Are you able to find the reason why it is requiring List? I cannot find a reference in the code using list. Maybe it is something caused by the new Kubernetes version?

argo-cd/server/application/application.go

Line 1360 in 33d8eb0

obj, err := s.kubectl.GetResource(ctx, config, res.GroupKindVersion(), res.Name, res.Namespace)

[andrii-korotkov-verkada]

I can't tell for sure, since the error message is shown like resource not found, which also can happen due to stale UI. I don't yet know why it requires list for NodePool.