
Prevent users from referencing Applications in any namespace #1381

@notniknot

We are running ArgoCD in a multi-tenant setup with the App-of-Apps pattern allowing users to create their own ArgoCD Application resources in their own namespaces so they can take full ownership. We limit users' access by setting up ArgoCD AppProjects so they can only create Applications which deploy in the user's namespaces.

The problem with our setup and argocd-image-updater is that users can reference any application in any namespace via the .spec.namespace field as far as I am concerned. This means that a user could set up an ImageUpdater resource pointing to an Application which is not in their allowed namespaces and trigger an image update of one of the resources managed by said ArgoCD Application resource. Of course, this probably requires harmful intentions and a little bit of insider knowledge about the resources in other namespaces, but nevertheless this could be a risk.

Describe the solution you'd like
Enable admins to set a flag in the argocd-image-updater-controller to only allow ImageUpdater resources which point to Applications which live in the same namespace as the ImageUpdater resource itself.

If I am correct, this should be enough to close this issue.

I already tried to set up an Application in a user's namespace which is not allowed to reconcile based on the ArgoCD RBAC. When I set up an ImageUpdater resource in the same namespace, then the Image Updater should not consider that application as it has no managed resources, resulting in "Image 'nginx/nginx-unprivileged' seems not to be live in this application, skipping". So this means to me that a simple check if .metadata.namespace and .spec.namespace are in sync should be sufficient.

Describe alternatives you've considered

  • The platform team could manage the ImageUpdater resources. But we don't like that solution as we don't want to be the bottleneck for all the devs on our platform. This defeats the purpose of enabling users.
  • Having a dedicated image-updater running in every user's namespace with limited access (I did not test that). I would like to prevent that.
  • Running a policy engine which only allows referencing Applications in the same namespace as the ImageUpdater resource (again, I did not test that). Introducing a policy engine for that use case seems to be a little far-fetched.

Version
1.0.1

  • CRD-based configuration (versions starting with 1, e.g., 1.0.0)
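
The same-namespace check proposed in this issue, written as an audit over existing resources. This is an added example, not code from argocd-image-updater or from the issue author. It assumes the input is a Kubernetes List in JSON, that the resource kind is `ImageUpdater` as named in the issue, and that an unset `.spec.namespace` should be reported; `CrossNamespaceRefs` and the sample data are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// imageUpdater decodes only the two fields the issue names; the rest of the
// CRD schema is not assumed here.
type imageUpdater struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Spec struct {
		Namespace string `json:"namespace"`
	} `json:"spec"`
}

// Constructed sample in the shape of a Kubernetes List object.
const sampleList = `{"items":[
 {"kind":"ImageUpdater","metadata":{"name":"same-ns","namespace":"team-a"},"spec":{"namespace":"team-a"}},
 {"kind":"ImageUpdater","metadata":{"name":"cross-ns","namespace":"team-a"},"spec":{"namespace":"team-b"}},
 {"kind":"ImageUpdater","metadata":{"name":"unset","namespace":"team-b"},"spec":{}}]}`

// CrossNamespaceRefs returns one finding per ImageUpdater whose
// .spec.namespace is not equal to its own .metadata.namespace.
func CrossNamespaceRefs(listJSON []byte) ([]string, error) {
	var list struct {
		Items []imageUpdater `json:"items"`
	}
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, fmt.Errorf("decode list: %w", err)
	}
	var findings []string
	for _, u := range list.Items {
		if u.Kind != "ImageUpdater" || u.Spec.Namespace == u.Metadata.Namespace {
			continue
		}
		target := u.Spec.Namespace
		if target == "" {
			target = "<unset>" // assumption: fail closed, the default is not stated on the page
		}
		findings = append(findings, fmt.Sprintf("%s/%s -> %s", u.Metadata.Namespace, u.Metadata.Name, target))
	}
	return findings, nil
}

func main() { fmt.Println(CrossNamespaceRefs([]byte(sampleList))) }
```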


Labels: enhancement (New feature or request)
