Clarification on Ownership w/ ApplicationSet Controller in Any Namespace Mode

[noamichael]

Hey everyone. I was debating opening an issue about this and making a PR to "fix it," but I'm not sure about the intended behavior.

Currently, ArgoCD's ApplicationSet controller has a feature where it can watch for ApplicationSet objects in any namespace. The controller parameter --applicationset-namespaces controls the list of Namespaces that should be monitored. However, the ApplicationSetReconciler will actually still receive Update/Delete/Generic events for ApplicationSet objects created in any namespace, so (from my testing) it will attempt to update ApplicationSet objects outside it's namespace list:

argo-cd/applicationset/controllers/applicationset_controller.go

Lines 513 to 519 in aff5e61

	func ignoreNotAllowedNamespaces(namespaces []string) predicate.Predicate {
	return predicate.Funcs{
	CreateFunc: func(e event.CreateEvent) bool {
	return utils.IsNamespaceAllowed(namespaces, e.Object.GetNamespace())
	},
	}
	}

Is this a security design choice? As in, if a user creates an AppSet somehow and the "Cluster-Wide" ArgoCD doesn't monitor the namespace of the AppSet, it's suppose to delete it?

I ran into this issue because I had a Cluster-Wide ArgoCD deployed and I attempted to deploy a namespaced ArgoCD as well in the same Kubernetes cluster. When ApplicationSet Any Namespace was enabled, the Cluster-wide Argo started deleting the namespaced ArgoCD's App sets.

Please let me know the expected behavior.