Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Fine grained update delete RBAC w/ v3 gate #20671

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

feat: Fine grained update delete RBAC w/ v3 gate #20671

wants to merge 3 commits into from

Conversation

fffinkel
Copy link

@fffinkel fffinkel commented Nov 5, 2024
edited
Loading

We would like to allow our engineers to use the rollback functionality while having auto-sync enabled, without granting them the ability to edit an application's sub-resource manifests. For compliance purposes, we can only deploy using a known set of manifests from a protected source, which is the git repo holding our manifests that engineers do not have access to.

Using the rollback functionality when auto-sync is enabled requires the user to disable auto-sync, which in turn requires update permissions on the application itself. We can allow this by doing the following:

p, my-user, applications, update, */*, allow

However, this will also allow engineers to edit application manifests. It follows that we would like to add a deny for the application's sub-resources, but as the RBAC documentation states, this deny is ignored.

This PR changes application resource RBAC to allow users to set separate update/delete permissions for the application itself, but still deny sub-resources. We can then do something like this:

p, my-user, applications, update, */*, allow
p, my-user, applications, update/*/Deployment/*, */*, deny

It introduces a breaking change to RBAC (see #19988), so it will have to wait until V3. To allow this functionality in V2, a config value (server.rbac.enablev3 in argocd-cm) was added that allows the user to opt in to this new behavior. I did my best to implement #19988 in the first commit, and then to add the config value gating in a following commit, so that the first commit can be cherry-picked or the second commit reverted when the V3 release is cut.

RBAC docs: https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#fine-grained-permissions-for-updatedelete-action

Closes #20600

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

@fffinkel
Enable fine-grained update/delete RBAC enforcement by default (argopr…
a5f8e15 
…oj#19988)

Change applications resource RBAC to use fine-grained update/delete
enforcement by default. This allows us to enforce RBAC on the
application itself, separately from the sub-resources related to it.

(see also argoproj#18124, argoproj#20600)

Signed-off-by: Matt Finkel <[email protected]>
@fffinkel
Add config setting to preserve V2 update/delete RBAC (argoproj#20600)
bfb52e4 
A breaking change was introduced in a previous commit that is planned to
be a part of the next major version of Argo CD (v3) where it's okay to
introduce breaking changes. We want this feature before we hit v3, so
we add a config setting that allows us to explicitly turn this new v3
behavior on in v2. The current v2 behavior is the default, so this
change will not affect folks who do not explicitly opt in.

This commit to add the gating code is added separately so it will be
easy to either cherry pick that pervious commit or revert this one.

(see also argoproj#18124, argoproj#19988)

Signed-off-by: Matt Finkel <[email protected]>
@fffinkel
Add ZipRecruiter to USERS.md
f258ae5 
Signed-off-by: Matt Finkel <[email protected]>
@fffinkel fffinkel requested review from a team as code owners November 5, 2024 18:48
@bunnyshell Bunnyshell
Copy link

bunnyshell bot commented Nov 5, 2024
edited
Loading

✅ Preview Environment deployed on Bunnyshell

Component Endpoints
argocd https://argocd-nu5kcf.bunnyenv.com/
argocd-ttyd https://argocd-web-cli-nu5kcf.bunnyenv.com/

See: Environment Details | Pipeline Logs

Available commands (reply to this comment):

  • 🔴 /bns:stop to stop the environment
  • 🚀 /bns:deploy to redeploy the environment
  • /bns:delete to remove the environment

@codecov Codecov
Copy link

codecov bot commented Nov 5, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 29.41176% with 12 lines in your changes missing coverage. Please review.

Project coverage is 55.07%. Comparing base (b9d5387) to head (f258ae5).
Report is 1 commits behind head on master.

Files with missing lines Patch % Lines
util/settings/settings.go 0.00% 9 Missing ⚠️
server/application/application.go 62.50% 2 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #20671      +/-   ##
==========================================
- Coverage   55.10%   55.07%   -0.04%     
==========================================
  Files         324      324              
  Lines       55262    55277      +15     
==========================================
- Hits        30452    30443       -9     
- Misses      22183    22215      +32     
+ Partials     2627     2619       -8

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Allow rollbacks when auto-sync is enabled and user does not have "applications update" permission
1 participant
@fffinkel