Is your feature request related to a problem? Please describe.
Right now, the resource proxy can request any resource on the agent systems that the agent has RBAC permissions for. Authorization is done solely by the Argo CD API running on the principal, and the subsequent requests trust this request. As of now, there is no sensible way to carry this authorization to the agent.
Describe the solution you'd like
When the agent receives a request for resource retrieval, it should check whether that resource belongs to an Application managed by Argo CD. Since some resources are not directly managed (for example, pods are indirectly managed through a ReplicaSet, which in turn is usually indirectly managed by something like a Deployment or StatefulSet), the agent should be able to resolve such a relationship (i.e. by following ownerReferences).
If the requested resource is not managed by Argo CD, a 403 should be returned.
In a next step, a sanity check against AppProject permissions can be performed.
Describe alternatives you've considered
n/a
Additional context
n/a
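An added example of the proposed agent-side check, not the project's own code: it walks ownerReferences from the requested resource and answers 403 unless the resource or one of its owners is tracked by Argo CD. The `Object` type, the UID-indexed map, and the use of the `argocd.argoproj.io/tracking-id` annotation as the "managed" signal are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
)

// Assumption: the tracking annotation marks resources Argo CD manages directly.
const trackingAnnotation = "argocd.argoproj.io/tracking-id"
// Object is a hypothetical stand-in for the metadata the agent would read.
type Object struct {
	Namespace   string // "" for cluster-scoped objects
	Annotations map[string]string
	OwnerUIDs   []string // UIDs from metadata.ownerReferences
}
// managed reports whether uid, or an owner reachable from it, is tracked.
func managed(s map[string]Object, uid string, seen map[string]bool) bool {
	obj, ok := s[uid]
	if !ok || seen[uid] {
		return false // unknown object or ownership cycle: fail closed
	}
	seen[uid] = true
	if obj.Annotations[trackingAnnotation] != "" {
		return true
	}
	for _, o := range obj.OwnerUIDs {
		p, ok := s[o] // owner must be cluster-scoped or in the dependent's namespace
		if ok && (p.Namespace == "" || p.Namespace == obj.Namespace) && managed(s, o, seen) {
			return true
		}
	}
	return false
}

// Authorize returns the status the agent would answer a resource request with.
func Authorize(s map[string]Object, uid string) int {
	if managed(s, uid, map[string]bool{}) {
		return http.StatusOK
	}
	return http.StatusForbidden
}

var sample = map[string]Object{ // constructed: Deployment -> ReplicaSet -> Pod, plus a bare Pod
	"deploy": {Namespace: "web", Annotations: map[string]string{trackingAnnotation: "demo"}},
	"rs":     {Namespace: "web", OwnerUIDs: []string{"deploy"}},
	"pod":    {Namespace: "web", OwnerUIDs: []string{"rs"}},
	"bare":   {Namespace: "web"},
}

func main() { fmt.Println(Authorize(sample, "pod"), Authorize(sample, "bare")) }
```

An owner reference that points into a different namespace is ignored, so an object cannot become "managed" by naming another namespace's tracked Deployment as its owner.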