Uploaded image for project: 'OpenShift GitOps'
  1. OpenShift GitOps
  2. GITOPS-3032

Default Argo CD instance role narrowing

XMLWordPrintable

    • Default Argo CD instance role narrowing
    • 3
    • False
    • None
    • False
    • To Do
    • Hide
      With this update, the default Argo CD instance in the `openshift-gitops` namespace will have restricted permissions for non-admin users by default. This change will improve security since non-admin users will no longer be able to view the applications and other resources managed by the default Argo CD instance which can sometimes contain sensitive information. Please note that this change only applies to the default gitops instance and other customer managed ArgoCD instances will continue working as before with just the read-only role. Non-admin users who wish to have access to the resources managed by the default `openshift-gitops` Argo CD instance should configure their Argo CD RBAC to give the user the correct permissions. (maybe include a link with this to https://docs.openshift.com/container-platform/4.12/cicd/gitops/configuring-argo-cd-rbac.html)
      Show
      With this update, the default Argo CD instance in the `openshift-gitops` namespace will have restricted permissions for non-admin users by default. This change will improve security since non-admin users will no longer be able to view the applications and other resources managed by the default Argo CD instance which can sometimes contain sensitive information. Please note that this change only applies to the default gitops instance and other customer managed ArgoCD instances will continue working as before with just the read-only role. Non-admin users who wish to have access to the resources managed by the default `openshift-gitops` Argo CD instance should configure their Argo CD RBAC to give the user the correct permissions. (maybe include a link with this to https://docs.openshift.com/container-platform/4.12/cicd/gitops/configuring-argo-cd-rbac.html)
    • GITOPS Sprint 3244

      Epic Goal

      The `openshift-gitops` namespace no longer ships with readonly permissions 

      Why is this important?

      Customers in highly regulated industries have strict requirements around who can see what data. The way that we create our default namespace today means that there is an information leak in the OpenShift console.

      The upstream Argo CD already doesn't include a readonly permission for its default installation. 

      Scenarios

      1. Any logged in OCP users are able to see what resources are managed by that default instance

      Acceptance Criteria (Mandatory)

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • The `openshift-gitops` namespace's default role is set to "" instead of `role:readonly`

      Dependencies (internal and external)

      1. ...

      Previous Work (Optional):

      1. ...

      Open questions:

      1. ...

      Done Checklist

      • Acceptance criteria are met
      • Non-functional properties of the Feature have been validated (such as performance, resource, UX, security or privacy aspects)
      • User Journey automation is delivered
      • Support and SRE teams are provided with enough skills to support the feature in production environment

              anjoseph Anand Francis Joseph
              halawren@redhat.com Harriet Lawrence
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: