Uploaded image for project: 'OpenShift GitOps'
  1. OpenShift GitOps
  2. GITOPS-1290

Non-admin Argo CD operands through namespace annotations

XMLWordPrintable

    • Non-admin Argo CD operands through namespace annotations
    • False
    • False
    • Done
    • 0% To Do, 0% In Progress, 100% Done
    • Hide
      * As an administrative user, when you give Argo CD access to a namespace by using the `argocd.argoproj.io/managed-by` label, it assumes namespace-admin privileges. These privileges are an issue for administrators who provide namespaces to non-administrators, such as development teams, because the privileges enable non-administrators to modify objects such as network policies.
      +
      With the current release, administrators can configure a common cluster role for all the managed namespaces. In role bindings for the Argo CD application controller, the Operator refers to the `CONTROLLER_CLUSTER_ROLE` environment variable. In role bindings for the Argo CD server, the Operator refers to the `SERVER_CLUSTER_ROLE` environment variable. If these environment variables contain custom roles, the Operator does not create the default admin role. Instead, it uses the existing custom role for all managed namespaces.
      link:https://issues.redhat.com/browse/GITOPS-1290[GITOPS-1290]
      Show
      * As an administrative user, when you give Argo CD access to a namespace by using the `argocd.argoproj.io/managed-by` label, it assumes namespace-admin privileges. These privileges are an issue for administrators who provide namespaces to non-administrators, such as development teams, because the privileges enable non-administrators to modify objects such as network policies. + With the current release, administrators can configure a common cluster role for all the managed namespaces. In role bindings for the Argo CD application controller, the Operator refers to the `CONTROLLER_CLUSTER_ROLE` environment variable. In role bindings for the Argo CD server, the Operator refers to the `SERVER_CLUSTER_ROLE` environment variable. If these environment variables contain custom roles, the Operator does not create the default admin role. Instead, it uses the existing custom role for all managed namespaces. link: https://issues.redhat.com/browse/GITOPS-1290 [ GITOPS-1290 ]

      Goal

      When Argo CD is given access to a namespace through annotations, it assumes namespace-admin privileges and can modify objects that are not intended for dev teams to have access to e.g. NetworkPolicies. This is specially a problem for customers who provision namespaces for their dev teams and the dev team is not admin to the namespace. Installing an Argo CD instance in these namespace would give the dev team admin privileges to the namespace and indirectly elevates their assigned privileges. The operator should allow customers to provision Argo CD operands without interfering with assign privileges to the dev teams.

      The limitation is preventing customers from using OpenShift GitOps and they opt for the community Argo CD operator.

      Acceptance Criteria

      • Cluster admin can provision Argo CD for tenants in a multi-tenant environment and give it access to manage namespace content through annotations without the Argo CD assuming namespace-admin privileges.
      • Cluster admin can choose to maintain the existing behaviour and request Argo CD to be namespace-admin

      Why does the customer need this?

      If you label a namespace with argocd.argoproj.io/managed-by: argocd-instance RoleBindings are automatically created in the managed namespace: argocd- instance-argocd-application-controller, argocd-instance-argocd-dex-server, argocd-instance-argocd-redis-ha, argocd-instance-argocd-server. These Roles are high privileged and can delete all resources. In our context we don't want that NetworkPolicies could be deleted. So it would be nice if these Roles could be hardened.

              cbanavik Chetan Banavikalmutt
              rhn-support-npaez Nelson Paez
              Votes:
              2 Vote for this issue
              Watchers:
              13 Start watching this issue

                Created:
                Updated:
                Resolved: