Details
Story
Resolution: Unresolved
Description
Upstream Argo CD specifies a different set of permissions for the application-controller in its role and clusterrole manifests. The permissions in the role are more restrictive compared to the clusterrole permissions.
In the Argo CD operator we currently have the same set of privileges defined for both the application-controller role and clusterrole (https://github.com/argoproj-labs/argocd-operator/blob/master/controllers/argocd/policyrule.go#L14).
We should look into bringing our provided permissions in alignment with upstream, so that we don't grant the application-controller privileges beyond what upstream requires/recommends within a given namespace.
Acceptance criteria:
- Application controller role/clusterrole privileges are aligned with upstream Argo CD
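
A check for the mismatch described above, as an added example that is not part of the original ticket or of the operator's code: it lists every group/resource:verb tuple that a namespaced Role grants beyond a baseline rule set, treating `*` in the granted rules as excess unless the baseline also has `*`. The `Rule` type, the `Excess` function and the sample rules are assumptions constructed for illustration; they are not copied from the upstream manifests or from `policyrule.go`.

```go
package main

import "fmt"

// Rule mirrors the apiGroups/resources/verbs fields of an RBAC PolicyRule.
type Rule struct{ APIGroups, Resources, Verbs []string }

// Constructed sample rules (assumptions for illustration, not the upstream
// or operator manifests): a narrow baseline and an all-wildcard grant.
var sampleBaseline = []Rule{{[]string{""}, []string{"secrets", "configmaps"}, []string{"get", "list", "watch"}}}
var sampleGranted = []Rule{{[]string{"*"}, []string{"*"}, []string{"*"}}}

// has reports whether set contains want or "*"; a wanted "*" needs a "*".
func has(set []string, want string) bool {
	for _, s := range set {
		if s == "*" || s == want {
			return true
		}
	}
	return false
}

// Excess returns each granted "group/resource:verb" the baseline does not permit.
func Excess(granted, baseline []Rule) []string {
	var out []string
	seen := map[string]bool{}
	for _, rule := range granted {
		for _, g := range rule.APIGroups {
			for _, r := range rule.Resources {
				for _, v := range rule.Verbs {
					key := g + "/" + r + ":" + v
					// Skip tuples already reported or permitted by a baseline rule.
					skip := seen[key]
					for _, b := range baseline {
						skip = skip || (has(b.APIGroups, g) && has(b.Resources, r) && has(b.Verbs, v))
					}
					if !skip {
						seen[key] = true
						out = append(out, key)
					}
				}
			}
		}
	}
	return out
}

func main() { fmt.Println("beyond baseline:", Excess(sampleGranted, sampleBaseline)) }
```

The core API group is the empty string, so an excess verb on core secrets is reported as `/secrets:delete`.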