Allow rollbacks when auto-sync is enabled and user does not have "applications update" permission #20600
Labels
component:application-controller
component:rbac
Issues related to Openshift and Racher
enhancement
New feature or request
Comments
todaywasawesome
added
component:application-controller
component:rbac
|
Another approach to this currently would be to use a sync window to stop autosync, at which point your team would be able to rollback without it being overwritten. When you're ready to resume normal operation, delete the sync window. https://argo-cd.readthedocs.io/en/stable/user-guide/sync_windows/ |
|
Planned for 3.0 #19988 I think it is reasonable to make this configurable behind a feature flag, and we remove that feature flag in 3.0. |
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Nov 4, 2024
Change applications resource RBAC to use fine-grained update/delete enforcement by default. This allows us to enforce RBAC on the application itself, separately from the sub-resources related to it. See also GitHub argoproj#18124, argoproj#20600
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Nov 5, 2024
A breaking change was introduced in a previous commit that is planned to be a part of the next major version of Argo CD (v3) where it's okay to introduce breaking changes. We want this feature before we hit v3, so we add a config setting that allows us to explicitly turn this new v3 behavior on in v2. The current v2 behavior is the default, so this change will not affect folks who do not explicitly opt in. GitHub argoproj#19988, argoproj#20600
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Nov 5, 2024
Change applications resource RBAC to use fine-grained update/delete enforcement by default. This allows us to enforce RBAC on the application itself, separately from the sub-resources related to it. See also GitHub argoproj#18124, argoproj#20600
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Nov 5, 2024
A breaking change was introduced in a previous commit that is planned to be a part of the next major version of Argo CD (v3) where it's okay to introduce breaking changes. We want this feature before we hit v3, so we add a config setting that allows us to explicitly turn this new v3 behavior on in v2. The current v2 behavior is the default, so this change will not affect folks who do not explicitly opt in. GitHub argoproj#19988, argoproj#20600
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Nov 5, 2024
…oj#19988) Change applications resource RBAC to use fine-grained update/delete enforcement by default. This allows us to enforce RBAC on the application itself, separately from the sub-resources related to it. (see also argoproj#18124, argoproj#20600)
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Nov 5, 2024
A breaking change was introduced in a previous commit that is planned to be a part of the next major version of Argo CD (v3) where it's okay to introduce breaking changes. We want this feature before we hit v3, so we add a config setting that allows us to explicitly turn this new v3 behavior on in v2. The current v2 behavior is the default, so this change will not affect folks who do not explicitly opt in. This commit to add the gating code is added separately so it will be easy to either cherry pick that pervious commit or revert this one. (see also argoproj#18124, argoproj#20600)
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Nov 5, 2024
…oj#19988) Change applications resource RBAC to use fine-grained update/delete enforcement by default. This allows us to enforce RBAC on the application itself, separately from the sub-resources related to it. (see also argoproj#18124, argoproj#20600) Signed-off-by: Matt Finkel <[email protected]>
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Nov 5, 2024
A breaking change was introduced in a previous commit that is planned to be a part of the next major version of Argo CD (v3) where it's okay to introduce breaking changes. We want this feature before we hit v3, so we add a config setting that allows us to explicitly turn this new v3 behavior on in v2. The current v2 behavior is the default, so this change will not affect folks who do not explicitly opt in. This commit to add the gating code is added separately so it will be easy to either cherry pick that pervious commit or revert this one. (see also argoproj#18124, argoproj#20600) Signed-off-by: Matt Finkel <[email protected]>
14 tasks
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Nov 5, 2024
…oj#19988) Change applications resource RBAC to use fine-grained update/delete enforcement by default. This allows us to enforce RBAC on the application itself, separately from the sub-resources related to it. (see also argoproj#18124, argoproj#20600) Signed-off-by: Matt Finkel <[email protected]>
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Nov 5, 2024
A breaking change was introduced in a previous commit that is planned to be a part of the next major version of Argo CD (v3) where it's okay to introduce breaking changes. We want this feature before we hit v3, so we add a config setting that allows us to explicitly turn this new v3 behavior on in v2. The current v2 behavior is the default, so this change will not affect folks who do not explicitly opt in. This commit to add the gating code is added separately so it will be easy to either cherry pick that pervious commit or revert this one. (see also argoproj#18124, argoproj#19988) Signed-off-by: Matt Finkel <[email protected]>
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Nov 5, 2024
A breaking change was introduced in a previous commit that is planned to be a part of the next major version of Argo CD (v3) where it's okay to introduce breaking changes. We want this feature before we hit v3, so we add a config setting that allows us to explicitly turn this new v3 behavior on in v2. The current v2 behavior is the default, so this change will not affect folks who do not explicitly opt in. This commit to add the gating code is added separately so it will be easy to either cherry pick that pervious commit or revert this one. (see also argoproj#18124, argoproj#19988) Signed-off-by: Matt Finkel <[email protected]>
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Nov 5, 2024
…oj#19988) Change applications resource RBAC to use fine-grained update/delete enforcement by default. This allows us to enforce RBAC on the application itself, separately from the sub-resources related to it. (see also argoproj#18124, argoproj#20600) Signed-off-by: Matt Finkel <[email protected]>
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Nov 5, 2024
A breaking change was introduced in a previous commit that is planned to be a part of the next major version of Argo CD (v3) where it's okay to introduce breaking changes. We want this feature before we hit v3, so we add a config setting that allows us to explicitly turn this new v3 behavior on in v2. The current v2 behavior is the default, so this change will not affect folks who do not explicitly opt in. This commit to add the gating code is added separately so it will be easy to either cherry pick that pervious commit or revert this one. (see also argoproj#18124, argoproj#19988) Signed-off-by: Matt Finkel <[email protected]>
14 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Summary
We would like to allow users to use the rollback feature with apps that have auto-sync enabled, when those users do not have permission to update applications.
Motivation
We currently deploy apps from manifests in a git repository that engineers do not have write access to. For compliance purposes, only the build pipeline can write to this repo, and we do not allow engineers to edit manifests in Argo CD. Furthermore, we enable auto-sync so those apps stay up to date with the latest builds of those apps.
We would like engineers to be able to use the rollback feature, however we cannot do so without granting engineers "update" permissions to their apps. Granting update is required for allowing the engineer to disable auto-sync, but also means that the engineer can edit any of their app's manifests in Argo CD, which does not fit within our compliance requirements.
A possible solution to this problem would be to allow update on applications themselves, while denying edit on any sub-resources. There was a change to allow for fine-grained update/delete RBAC enforcement, however this change does not work for us for two reasons:
The first reason is that it's not actually possible to refer to the Application kind as a sub-resource. The only way to grant update permissions to an Application kind is to also grant update to all of it's sub-resources, meaning we cannot explicitly allow updates for just the Application kind.
p, test-user, applications, update, */*, allowThe second reason is that "allow" on an "update" overrides a deny on sub-resources. As noted in the RBAC documentation, this means we cannot do something like:
Proposal
We propose two possible solutions to this problem:
Etc
Slack thread: https://cloud-native.slack.com/archives/C01TSERG0KZ/p1729785863995189
Related issue: #18124
Related fix: 4905911
The text was updated successfully, but these errors were encountered: