Enabling the web based terminal in ArgoCD following this documentation:
https://argo-cd.readthedocs.io/en/latest/operator-manual/web_based_terminal/
We have realised that we cannot define a deny policy for access to it. We tried to enable access for some users and deny access by default, but it didn't work. All users have access to the terminal and can exec commands on it even though we haven't explicitly granted the privilege.
Setting a deny-all RBAC rule in the ArgoCD configmap does nothing; I still have access to the ArgoCD terminal.
From my policy.csv in the argocd-rbac-cm configmap (deployed with the helm chart):
p, role:basic-role, exec , create, */*, deny #deny all by default
p, role:myteam, exec, create, */*/test-549d8cb99d-ssgwt, allow #allow access to a specific pod name
This is what we have for the default base policy:
policy.default: role:basic-role
Is it possible to have fine-grained access control for a specific role?
How is this supposed to be done?
What are we doing wrong?