From c9b7b4f06a056c6ac7510c804a25f1756595cd98 Mon Sep 17 00:00:00 2001
From: Alexandre Gaudreault
Date: Mon, 7 Apr 2025 11:36:06 +0100
Subject: [PATCH] fix: do not exclude APIService resources
Signed-off-by: Alexandre Gaudreault
---
 docs/operator-manual/upgrading/2.14-3.0.md | 48 ++++++++++---------
 manifests/base/config/argocd-cm.yaml | 4 --
 manifests/core-install-with-hydrator.yaml | 4 --
 manifests/core-install.yaml | 4 --
 manifests/ha/install-with-hydrator.yaml | 4 --
 manifests/ha/install.yaml | 4 --
 .../ha/namespace-install-with-hydrator.yaml | 4 --
 manifests/ha/namespace-install.yaml | 4 --
 manifests/install-with-hydrator.yaml | 4 --
 manifests/install.yaml | 4 --
 .../namespace-install-with-hydrator.yaml | 4 --
 manifests/namespace-install.yaml | 4 --
 12 files changed, 26 insertions(+), 66 deletions(-)
diff --git a/docs/operator-manual/upgrading/2.14-3.0.md b/docs/operator-manual/upgrading/2.14-3.0.md
index 7d007857e228c..d583a16363117 100644
--- a/docs/operator-manual/upgrading/2.14-3.0.md
+++ b/docs/operator-manual/upgrading/2.14-3.0.md
@@ -35,25 +35,27 @@ Starting from 3.0, this flag is removed and the logs RBAC is enforced by default #### Detection -Users who have `server.rbac.log.enforce.enable: "true"` in their `argocd-cm` ConfigMap, are unaffected by this change. +Users who have `server.rbac.log.enforce.enable: "true"` in their `argocd-cm` ConfigMap, are unaffected by this change. -Users who have `policy.default: role:readonly` or `policy.default: role:admin` in their `argocd-rbac-cm` ConfigMap, are unaffected. +Users who have `policy.default: role:readonly` or `policy.default: role:admin` in their `argocd-rbac-cm` ConfigMap, are unaffected. -Users who don't have a `policy.default` in their `argocd-rbac-cm` ConfigMap, and either have `server.rbac.log.enforce.enable` set to `false` or don't have this setting at all in their `argocd-cm` ConfigMap are affected and should perform the below remediation steps. +Users who don't have a `policy.default` in their `argocd-rbac-cm` ConfigMap, and either have `server.rbac.log.enforce.enable` set to `false` or don't have this setting at all in their `argocd-cm` ConfigMap are affected and should perform the below remediation steps. -After the upgrade, it is recommended to remove the setting `server.rbac.log.enforce.enable` from `argocd-cm` ConfigMap, if it was there before the upgrade. +After the upgrade, it is recommended to remove the setting `server.rbac.log.enforce.enable` from `argocd-cm` ConfigMap, if it was there before the upgrade. #### Remediation -##### Quick remediation (global change) -For users with an existing default policy with a custom role, add this policy to `policy.csv` for your custom role: `p, role:, logs, get, */*, allow`. 
-For users without a default policy, add this policy to `policy.csv`: `p, role:global-log-viewer, logs, get, */*, allow` and add the default policy for this role: `policy.default: role:global-log-viewer` +##### Quick remediation (global change) + +For users with an existing default policy with a custom role, add this policy to `policy.csv` for your custom role: `p, role:, logs, get, */*, allow`. +For users without a default policy, add this policy to `policy.csv`: `p, role:global-log-viewer, logs, get, */*, allow` and add the default policy for this role: `policy.default: role:global-log-viewer` ##### Recommended remediation (per-policy change) -Explicitly add a `logs, get` policy to every role that has a policy for `applications, get` or for `applications, *`. -This is the recommended way to maintain the principle of least privilege. -Similar to the way access to Applications are currently managed, access to logs can be either granted on a Project scope level (Project resource) or on the `argocd-rbac-cm` ConfigMap level. -See this [example](../upgrading/2.3-2.4.md#example-1) for more details. + +Explicitly add a `logs, get` policy to every role that has a policy for `applications, get` or for `applications, *`. +This is the recommended way to maintain the principle of least privilege. +Similar to the way access to Applications are currently managed, access to logs can be either granted on a Project scope level (Project resource) or on the `argocd-rbac-cm` ConfigMap level. +See this [example](../upgrading/2.3-2.4.md#example-1) for more details. ### Default `resource.exclusions` configurations 
@@ -63,7 +65,7 @@ which we exclude for performance reasons, reducing connections and load to the K The excluded Kinds are: -- **Kubernetes Resources**: `Endpoints`, `EndpointSlice`, `APIService`, `Lease`, `SelfSubjectReview`, `TokenReview`, `LocalSubjectAccessReview`, `SelfSubjectAccessReview`, `SelfSubjectRulesReview`, `SubjectAccessReview`, `CertificateSigningRequest`, `PolicyReport` and `ClusterPolicyReport`. +- **Kubernetes Resources**: `Endpoints`, `EndpointSlice`, `Lease`, `SelfSubjectReview`, `TokenReview`, `LocalSubjectAccessReview`, `SelfSubjectAccessReview`, `SelfSubjectRulesReview`, `SubjectAccessReview`, `CertificateSigningRequest`, `PolicyReport` and `ClusterPolicyReport`. - **Cert Manager**: `CertificateRequest`. - **Kyverno**: `EphemeralReport`, `ClusterEphemeralReport`, `AdmissionReport`, `ClusterAdmissionReport`, `BackgroundScanReport`, `ClusterBackgroundScanReport` and `UpdateRequest`. - **Cilium**: `CiliumIdentity`, `CiliumEndpoint` and `CiliumEndpointSlice`. 
@@ -216,26 +218,28 @@ spec: namespace: guestbook ``` -### Upgraded Helm version with breaking changes -Helm was upgraded to 3.17.1. -This may require changing your `values.yaml` files for subcharts, if the `values.yaml` contain a section with a `null` object. -See related issue in [Helm GitHub repository](https://github.com/helm/helm/issues/12469) -See Helm 3.17.1 [release notes](https://github.com/helm/helm/releases/tag/v3.17.1) -Example of such a [problem and resolution](https://github.com/argoproj/argo-cd/pull/22035/files) +### Upgraded Helm version with breaking changes + +Helm was upgraded to 3.17.1. +This may require changing your `values.yaml` files for subcharts, if the `values.yaml` contain a section with a `null` object. +See related issue in [Helm GitHub repository](https://github.com/helm/helm/issues/12469) +See Helm 3.17.1 [release notes](https://github.com/helm/helm/releases/tag/v3.17.1) +Example of such a [problem and resolution](https://github.com/argoproj/argo-cd/pull/22035/files) Explanation: + - Prior to Helm 3.17.1, `null` object in `values.yaml` resulted in a warning: `cannot overwrite table with non table` upon performing `helm template`, and the resulting K8s object was not overridden with the invalid `null` value. - In Helm 3.17.1, this behavior changed and `null` object in `values.yaml` still results in this warning upon performing `helm template`, but the resulting K8s object will be overridden with the invalid `null` value. -- To resolve the issue, identify `values.yaml` with `null` object values, and remove those `null` values. +- To resolve the issue, identify `values.yaml` with `null` object values, and remove those `null` values. ### Use Annotation-Based Tracking by Default -The default behavior for [tracking resources](../../user-guide/resource_tracking.md) has changed to use annotation-based -tracking instead of label-based tracking. 
Annotation-based tracking is more reliable and less prone to errors caused by +The default behavior for [tracking resources](../../user-guide/resource_tracking.md) has changed to use annotation-based +tracking instead of label-based tracking. Annotation-based tracking is more reliable and less prone to errors caused by external code copying tracking labels from one resource to another. #### Detection -To detect if you are impacted, check the `argocd-cm` ConfigMap for the `application.resourceTrackingMethod` field. If it +To detect if you are impacted, check the `argocd-cm` ConfigMap for the `application.resourceTrackingMethod` field. If it unset or is set to `label`, you are using label-based tracking. If it is set to `annotation`, you are already using annotation-based tracking and are not impacted by this change.
diff --git a/manifests/base/config/argocd-cm.yaml b/manifests/base/config/argocd-cm.yaml
index f935337f03b13..393d3fe657b26 100644
--- a/manifests/base/config/argocd-cm.yaml
+++ b/manifests/base/config/argocd-cm.yaml
@@ -70,10 +70,6 @@ data:
 - Endpoints
 - EndpointSlice
 ### Internal Kubernetes resources excluded reduce the number of watched events
- - apiGroups:
- - apiregistration.k8s.io
- kinds:
- - APIService
 - apiGroups:
 - coordination.k8s.io
 kinds:
diff --git a/manifests/core-install-with-hydrator.yaml b/manifests/core-install-with-hydrator.yaml
index 51e7e2ad618e9..229639911f971 100644
--- a/manifests/core-install-with-hydrator.yaml
+++ b/manifests/core-install-with-hydrator.yaml
@@ -24269,10 +24269,6 @@ data:
 - Endpoints
 - EndpointSlice
 ### Internal Kubernetes resources excluded reduce the number of watched events
- - apiGroups:
- - apiregistration.k8s.io
- kinds:
- - APIService
 - apiGroups:
 - coordination.k8s.io
 kinds:
diff --git a/manifests/core-install.yaml b/manifests/core-install.yaml
index c346caef86005..c2de6b6bcfcff 100644
--- a/manifests/core-install.yaml
+++ b/manifests/core-install.yaml
@@ -24260,10 +24260,6 @@ data:
 - Endpoints
 - EndpointSlice
 ### Internal Kubernetes resources excluded reduce the number of watched events
- - apiGroups:
- - apiregistration.k8s.io
- kinds:
- - APIService
 - apiGroups:
 - coordination.k8s.io
 kinds:
diff --git a/manifests/ha/install-with-hydrator.yaml b/manifests/ha/install-with-hydrator.yaml
index bc4b055ccb5ba..68f88ad59bb0d 100644
--- a/manifests/ha/install-with-hydrator.yaml
+++ b/manifests/ha/install-with-hydrator.yaml
@@ -24678,10 +24678,6 @@ data:
 - Endpoints
 - EndpointSlice
 ### Internal Kubernetes resources excluded reduce the number of watched events
- - apiGroups:
- - apiregistration.k8s.io
- kinds:
- - APIService
 - apiGroups:
 - coordination.k8s.io
 kinds:
diff --git a/manifests/ha/install.yaml b/manifests/ha/install.yaml
index 14ab63ba5e8d5..d5020aa53f0a1 100644
--- a/manifests/ha/install.yaml
+++ b/manifests/ha/install.yaml
@@ -24669,10 +24669,6 @@ data:
 - Endpoints
 - EndpointSlice
 ### Internal Kubernetes resources excluded reduce the number of watched events
- - apiGroups:
- - apiregistration.k8s.io
- kinds:
- - APIService
 - apiGroups:
 - coordination.k8s.io
 kinds:
diff --git a/manifests/ha/namespace-install-with-hydrator.yaml b/manifests/ha/namespace-install-with-hydrator.yaml
index 034b8f90aef2a..a4eb47bca8dc0 100644
--- a/manifests/ha/namespace-install-with-hydrator.yaml
+++ b/manifests/ha/namespace-install-with-hydrator.yaml
@@ -513,10 +513,6 @@ data:
 - Endpoints
 - EndpointSlice
 ### Internal Kubernetes resources excluded reduce the number of watched events
- - apiGroups:
- - apiregistration.k8s.io
- kinds:
- - APIService
 - apiGroups:
 - coordination.k8s.io
 kinds:
diff --git a/manifests/ha/namespace-install.yaml b/manifests/ha/namespace-install.yaml
index 41426c32135b7..63ed607b28730 100644
--- a/manifests/ha/namespace-install.yaml
+++ b/manifests/ha/namespace-install.yaml
@@ -504,10 +504,6 @@ data:
 - Endpoints
 - EndpointSlice
 ### Internal Kubernetes resources excluded reduce the number of watched events
- - apiGroups:
- - apiregistration.k8s.io
- kinds:
- - APIService
 - apiGroups:
 - coordination.k8s.io
 kinds:
diff --git a/manifests/install-with-hydrator.yaml b/manifests/install-with-hydrator.yaml
index 627a91485d768..1d33c93698361 100644
--- a/manifests/install-with-hydrator.yaml
+++ b/manifests/install-with-hydrator.yaml
@@ -24629,10 +24629,6 @@ data:
 - Endpoints
 - EndpointSlice
 ### Internal Kubernetes resources excluded reduce the number of watched events
- - apiGroups:
- - apiregistration.k8s.io
- kinds:
- - APIService
 - apiGroups:
 - coordination.k8s.io
 kinds:
diff --git a/manifests/install.yaml b/manifests/install.yaml
index 2f1e5160f6f9d..6c569e62f5741 100644
--- a/manifests/install.yaml
+++ b/manifests/install.yaml
@@ -24620,10 +24620,6 @@ data:
 - Endpoints
 - EndpointSlice
 ### Internal Kubernetes resources excluded reduce the number of watched events
- - apiGroups:
- - apiregistration.k8s.io
- kinds:
- - APIService
 - apiGroups:
 - coordination.k8s.io
 kinds:
diff --git a/manifests/namespace-install-with-hydrator.yaml b/manifests/namespace-install-with-hydrator.yaml
index 187c80cf91bdb..cfbbbdb406f92 100644
--- a/manifests/namespace-install-with-hydrator.yaml
+++ b/manifests/namespace-install-with-hydrator.yaml
@@ -464,10 +464,6 @@ data:
 - Endpoints
 - EndpointSlice
 ### Internal Kubernetes resources excluded reduce the number of watched events
- - apiGroups:
- - apiregistration.k8s.io
- kinds:
- - APIService
 - apiGroups:
 - coordination.k8s.io
 kinds:
diff --git a/manifests/namespace-install.yaml b/manifests/namespace-install.yaml
index db028431acce5..85aee13abdc58 100644
--- a/manifests/namespace-install.yaml
+++ b/manifests/namespace-install.yaml
@@ -455,10 +455,6 @@ data:
 - Endpoints
 - EndpointSlice
 ### Internal Kubernetes resources excluded reduce the number of watched events
- - apiGroups:
- - apiregistration.k8s.io
- kinds:
- - APIService
 - apiGroups:
 - coordination.k8s.io
 kinds: