Enable fine-grained update/delete RBAC enforcement by default #19988
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Nov 5, 2024
A breaking change was introduced in a previous commit that is planned to be a part of the next major version of Argo CD (v3) where it's okay to introduce breaking changes. We want this feature before we hit v3, so we add a config setting that allows us to explicitly turn this new v3 behavior on in v2. The current v2 behavior is the default, so this change will not affect folks who do not explicitly opt in. GitHub argoproj#19988, argoproj#20600
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Nov 5, 2024
…oj#19988) Change applications resource RBAC to use fine-grained update/delete enforcement by default. This allows us to enforce RBAC on the application itself, separately from the sub-resources related to it. (see also argoproj#18124, argoproj#20600)
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Nov 5, 2024
A breaking change was introduced in a previous commit that is planned to be a part of the next major version of Argo CD (v3) where it's okay to introduce breaking changes. We want this feature before we hit v3, so we add a config setting that allows us to explicitly turn this new v3 behavior on in v2. The current v2 behavior is the default, so this change will not affect folks who do not explicitly opt in. This commit to add the gating code is added separately so it will be easy to either cherry pick that previous commit or revert this one. (see also argoproj#18124, argoproj#20600)
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Nov 5, 2024
…oj#19988) Change applications resource RBAC to use fine-grained update/delete enforcement by default. This allows us to enforce RBAC on the application itself, separately from the sub-resources related to it. (see also argoproj#18124, argoproj#20600) Signed-off-by: Matt Finkel <[email protected]>
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Nov 5, 2024
A breaking change was introduced in a previous commit that is planned to be a part of the next major version of Argo CD (v3) where it's okay to introduce breaking changes. We want this feature before we hit v3, so we add a config setting that allows us to explicitly turn this new v3 behavior on in v2. The current v2 behavior is the default, so this change will not affect folks who do not explicitly opt in. This commit to add the gating code is added separately so it will be easy to either cherry pick that previous commit or revert this one. (see also argoproj#18124, argoproj#20600) Signed-off-by: Matt Finkel <[email protected]>
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Nov 5, 2024
A breaking change was introduced in a previous commit that is planned to be a part of the next major version of Argo CD (v3) where it's okay to introduce breaking changes. We want this feature before we hit v3, so we add a config setting that allows us to explicitly turn this new v3 behavior on in v2. The current v2 behavior is the default, so this change will not affect folks who do not explicitly opt in. This commit to add the gating code is added separately so it will be easy to either cherry pick that previous commit or revert this one. (see also argoproj#18124, argoproj#19988) Signed-off-by: Matt Finkel <[email protected]>
I think instead of introducing a breaking change we should create a new mechanism for setting permissions for applications themselves only. Maybe we introduce the new permission terms like
We're very happy to do that instead. I'll bring it up at the meeting today.
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Jan 7, 2025
…j#20600) We don't know if this will go out with v3, and furthermore, the name is not very descriptive. (see also argoproj#18124, argoproj#19988) Signed-off-by: Matt Finkel <[email protected]>
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Jan 8, 2025
…oj#19988) Change applications resource RBAC to use fine-grained update/delete enforcement by default. This allows us to enforce RBAC on the application itself, separately from the sub-resources related to it. (see also argoproj#18124, argoproj#20600) Signed-off-by: Matt Finkel <[email protected]>
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Jan 8, 2025
A breaking change was introduced in a previous commit that is planned to be a part of the next major version of Argo CD (v3) where it's okay to introduce breaking changes. We want this feature before we hit v3, so we add a config setting that allows us to explicitly turn this new v3 behavior on in v2. The current v2 behavior is the default, so this change will not affect folks who do not explicitly opt in. This commit to add the gating code is added separately so it will be easy to either cherry pick that previous commit or revert this one. (see also argoproj#18124, argoproj#19988) Signed-off-by: Matt Finkel <[email protected]>
fffinkel
added a commit
to fffinkel/argo-cd
that referenced
this issue
Jan 8, 2025
…j#20600) We don't know if this will go out with v3, and furthermore, the name is not very descriptive. (see also argoproj#18124, argoproj#19988) Signed-off-by: Matt Finkel <[email protected]>
Summary
In 2.12 we introduced new RBAC for fine-grained update/delete in #18124. To keep backward compatibility, the `applications, update` and `applications, delete` rbac implicitly grant permissions to update/delete application's resources.
Motivation
Streamline behavior that was not possible without breaking changes.
Proposal
With the new fine-grained RBAC, `applications, update` and `applications, delete` give permission to manually edit/delete the Application, while `applications, update/*` and `applications, delete/*` are used for applications sub-resources.
The built-in policy should be updated to add `applications, update/*` and `applications, delete/*` for `role:admin` to preserve current privilege.
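
An added example (not part of the issue or of Argo CD's code): a Python sketch that scans `policy.csv`-style text for `applications, update` / `applications, delete` allow rules with no matching `update/*` / `delete/*` rule for the same subject, i.e. rules that depend on the implicit grant described in the Summary and would stop covering sub-resources under the Proposal. The sample policy, role names and projects are constructed, and the matching is a simplification that ignores `g` role bindings and deny rules.

```python
import csv
import io
from fnmatch import fnmatchcase

# Constructed sample policy; roles and projects are hypothetical.
SAMPLE_POLICY = """\
p, role:app-editor, applications, update, team-a/*, allow
p, role:app-owner, applications, update, team-b/*, allow
p, role:app-owner, applications, update/*, team-b/*, allow
p, role:release, applications, delete, team-c/web, allow
p, role:release, applications, delete/*, team-c/*, allow
p, role:cleanup, applications, delete, */*, allow
p, role:viewer, applications, get, */*, allow
"""


def parse_policy(text):
    """Return (subject, resource, action, object, effect) tuples for 'p' rules."""
    rules = []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        fields = [f.strip() for f in row]
        if len(fields) == 6 and fields[0] == "p":
            rules.append(tuple(fields[1:]))
    return rules


def relies_on_implicit_grant(text):
    """List (subject, action, object) for update/delete rules that have no
    explicit sub-resource rule (update/* or delete/*) covering the same object."""
    rules = parse_policy(text)
    findings = []
    for subj, res, act, obj, eff in rules:
        if res != "applications" or act not in ("update", "delete") or eff != "allow":
            continue
        wanted = f"{act}/*"  # the sub-resource action named in the Proposal
        covered = any(
            s == subj and r == "applications" and e == "allow"
            and fnmatchcase(wanted, a)  # action pattern grants update/* or delete/*
            and fnmatchcase(obj, o)     # object pattern is at least as broad
            for s, r, a, o, e in rules
        )
        if not covered:
            findings.append((subj, act, obj))
    return findings


if __name__ == "__main__":
    for subj, act, obj in relies_on_implicit_grant(SAMPLE_POLICY):
        print(f"{subj}: 'applications, {act}' on {obj} has no explicit '{act}/*' rule")
```
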