-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prevent unintended usage of "replace" #14161
Comments
Implementing RBAC for Sync Options would be good addition and will enforce stricter access controls and define precise permissions with regards synchronisation actions within an Argo CD Application. Is there any update on this being implemented ? |
I'll +1 this - I want to give users the ability to sync their apps, but doing so currently also means they can totally wipe it out. It'd be nice to implement fine-grained controls for the |
Is there a way around it? Can I give sync permissions but don't allow |
@jeremyrajan not today |
I'm planning to work on this an implement an option in the config which allows to hide the button. UI would query that data from the backend and not render a button at all if configured so. |
Extra UI friction may not be as helpful, since people may ignore it anyways as they can ignore the warning icon near the checkbox. |
@todaywasawesome, which configmap is best for putting the option in? Is it |
Tell more about possible practical implications of sync with replace such as pods scaling down to min replicas. Signed-off-by: Andrii Korotkov <[email protected]>
Helps with argoproj#14161 Tell more about possible practical implications of sync with replace such as pods scaling down to min replicas. Signed-off-by: Andrii Korotkov <[email protected]>
Helps with argoproj#14161 Tell more about possible practical implications of sync with replace such as pods scaling down to min replicas. Signed-off-by: Andrii Korotkov <[email protected]>
Seems like RBAC already has a support for rules about resource deletion https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#fine-grained-permissions-for-updatedelete-action. Somebody brought this up during the contributors meeting, that checking for resource deletion permission can be done. Given possibility to customize like above, I think it will solve the problem. |
@todaywasawesome, @crenshaw-dev, @nitishfy, @agaudreault, do you know where's the code which checks for sync permissions, i.e. if the rbac allows to sync an application? I've tried to check in SyncAppState, but only found checks for group/kind and destination. |
Btw, does sync with prune checks for deletion permissions? If not, should it be added as well? |
Helps with #14161 Tell more about possible practical implications of sync with replace such as pods scaling down to min replicas. Signed-off-by: Andrii Korotkov <[email protected]>
…proj#14161) Closes argoproj#14161 Sync with replace can be quite dangerous, but we currently allow it if the sync is allowed. Since sync with replace deletes resources and recreates them, it's reasonable to check deletion permissions for application and/or specific resources. Signed-off-by: Andrii Korotkov <[email protected]>
…proj#14161) Closes argoproj#14161 Sync with replace can be quite dangerous, but we currently allow it if the sync is allowed. Since sync with replace deletes resources and recreates them, it's reasonable to check deletion permissions for application and/or specific resources. Let's cherry-pick this to 2.13. Signed-off-by: Andrii Korotkov <[email protected]>
…proj#14161) Closes argoproj#14161 Sync with replace can be quite dangerous, but we currently allow it if the sync is allowed. Since sync with replace deletes resources and recreates them, it's reasonable to check deletion permissions for application and/or specific resources. Let's cherry-pick this to 2.13. Signed-off-by: Andrii Korotkov <[email protected]>
I think the proposal needs to be more clearly/specifically defined. For example, I think an RBAC-based system checking for |
…proj#14161) Closes argoproj#14161 Sync with replace can be quite dangerous, but we currently allow it if the sync is allowed. Since sync with replace deletes resources and recreates them, it's reasonable to check deletion permissions for application and/or specific resources. Let's cherry-pick this to 2.13. Signed-off-by: Andrii Korotkov <[email protected]>
…proj#14161) Closes argoproj#14161 Sync with replace can be quite dangerous, but we currently allow it if the sync is allowed. Since sync with replace deletes resources and recreates them, it's reasonable to check deletion permissions for application and/or specific resources. Let's cherry-pick this to 2.13. Signed-off-by: Andrii Korotkov <[email protected]>
…proj#14161) Closes argoproj#14161 Sync with replace can be quite dangerous, but we currently allow it if the sync is allowed. Since sync with replace deletes resources and recreates them, it's reasonable to check deletion permissions for application and/or specific resources. Let's cherry-pick this to 2.13. Signed-off-by: Andrii Korotkov <[email protected]>
…proj#14161) Closes argoproj#14161 Sync with replace can be quite dangerous, but we currently allow it if the sync is allowed. Since sync with replace deletes resources and recreates them, it's reasonable to check deletion permissions for application and/or specific resources. Let's cherry-pick this to 2.13. Signed-off-by: Andrii Korotkov <[email protected]>
…proj#14161) Closes argoproj#14161 Sync with replace can be quite dangerous, but we currently allow it if the sync is allowed. Since sync with replace deletes resources and recreates them, it's reasonable to check deletion permissions for application and/or specific resources. Let's cherry-pick this to 2.13. Signed-off-by: Andrii Korotkov <[email protected]>
…proj#14161) Closes argoproj#14161 Sync with replace can be quite dangerous, but we currently allow it if the sync is allowed. Since sync with replace deletes resources and recreates them, it's reasonable to check deletion permissions for application and/or specific resources. Let's cherry-pick this to 2.13. Signed-off-by: Andrii Korotkov <[email protected]>
…proj#14161) Closes argoproj#14161 Sync with replace can be quite dangerous, but we currently allow it if the sync is allowed. Since sync with replace deletes resources and recreates them, it's reasonable to check deletion permissions for application and/or specific resources. Let's cherry-pick this to 2.13. Signed-off-by: Andrii Korotkov <[email protected]>
…proj#14161) Closes argoproj#14161 Sync with replace can be quite dangerous, but we currently allow it if the sync is allowed. Since sync with replace deletes resources and recreates them, it's reasonable to check deletion permissions for application and/or specific resources. Let's cherry-pick this to 2.13. Signed-off-by: Andrii Korotkov <[email protected]>
@crenshaw-dev, @agaudreault, continuing the conversation here instead of the PR. To summarize: The current proposal:
Some caveats:
Feel free to summarize the things I've missed. |
Based on some other things discussed, maybe indeed coming up with a new permission action like |
I think the solution with the least caveats would be to add To support partial-sync, these actions could either be expressed with So you would have
This way there's only 1 rbac check done in the server based on the request options. If app or individual resources are configured with annotations, then it is not a user action and does not need to go through rbac. |
Yep I think I agree with all the above. But given the cognitive and maintenance costs of new RBAC verbs, and given that the use case seems primarily for accident avoidance rather than security constraints, I think we should seriously consider non-RBAC mitigations. |
I like the idea of separate RBAC permission, though it'd add a bit of configuration and maintenance overhead. Though people would still probably have to give broad sync with replace permissions, if they wanna be able to click a checkbox in UI for the whole app. Application controller can also check RBAC when it knows the diff and actual resources to be replaced. But it'd be inconsistent with how server RBAC checks work (give immediate feedback). If we configure on app or app project level, we need some granularity on resource types, since sometimes people would want replace to update immutable fields. Where RBAC is making it easier is when you can configure some kind of power user permission allowing to do sync with replace, but make it not granted by default and be requestable through Opal for example (or whatever system is used). |
There's a tricky part with the annotations approach. Allowing disabling auto sync via UI requires applications update permission turned on. But this is wider than desired, allowing people to add annotations they want. So it'd add friction, but won't prevent people from doing sync with replace. |
@crenshaw-dev, I think the new verbs for RBAC may not be that bad from a technical perspective. But cognitive one may be more impactful. |
Can you guys share more of your experience for a summary of valid use cases of sync with replace, please? E.g. how often would it make sense to do it for a whole application? How are people supposed to do sync for most of resources, but sync with replace for a small subset? |
Here are some thoughts on how the sync with replace can and supposed to work. Here are some properties (I think):
Thus, a need for sync with replace shouldn't be a property of the resource or application, since it'd be an overkill. It's a property of a specific update that needs to be done. I think we should have a sync with a conditional replace instead, i.e. only replace if apply returned errors about immutable fields. This kind of operation would not really have the same level of danger as the current sync with replace, and perhaps we don't need any RBAC or non-RBAC changes as we need with the current sync with replace. What do you think? |
Summary
Make it possible to prevent the unintended usage of "replace" in UI sync options.
Motivation
To update resources by "kubectl replace" is dangerous under certain conditions. It already has a warning sign, but some might want to disable the usage completely. See #9767 also. It is very present in UI sync options and unfortunately it is likely impossible to block "replace" through kubernetes RBAC or other measures like OPA.
Proposal
The text was updated successfully, but these errors were encountered: