
ArgoCD CompareAppState fails when creating namespace and namespaced resources in a single application with strict RBAC #26076

@pgmgb


Summary

When using ArgoCD with resource.respectRBAC set to strict and a namespace-scoped installation, creating a namespace and its resources in a single Application fails. This happens because ArgoCD tries to check the state of namespaced resources before the namespace (and its RBAC RoleBinding) exists, resulting in a 403 Forbidden error and aborting the sync.

Motivation

Our setup is as follows:

  • ArgoCD ServiceAccount has global permissions only to list and get all namespaces and to create new namespaces. It does not have any other cluster-wide rights.
  • Kyverno is configured with a generate policy: whenever a new namespace is created, Kyverno automatically creates a RoleBinding in that namespace, granting the namespace creator the ClusterRole admin.
  • All other permissions for managing resources inside the namespace come from this Kyverno-generated RoleBinding.

Our intended workflow:

  • ArgoCD creates a new namespace.
  • Kyverno detects the new namespace and grants the creator (via RoleBinding) the admin ClusterRole in that namespace.
  • ArgoCD then creates resources (like ServiceAccounts) inside the new namespace.

Currently, ArgoCD’s comparison phase blocks this flow, making it impossible to use a single Application for this common and secure use-case.

Proposal

Change ArgoCD’s CompareAppState behavior so that:

  • If a namespace does not exist yet, ArgoCD should assume that namespaced resources inside it are also absent, instead of trying to fetch them and failing with Forbidden.
  • This would allow the sync to proceed: first creating the namespace, then letting Kyverno generate the RoleBinding, and finally creating the namespaced resources.

Labels: enhancement, triage/pending
