Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 1.13.2, 1.14.1
Affects Version/s: 1.13.0, 1.14.0, 1.15.0
Component/s: Operator, Rollouts
Labels:

Story Points:
8
Blocked:
False
Blocked Reason:
None
Ready:
False
Intelligence Requested:
Market:

Sprint:
GitOps Scarlet - Sprint 3263, GitOps Scarlet - Sprint 3264, GitOps Scarlet - Sprint 6/3265

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

In order to avoid the potential for privilege escalation, cluster administrators (responsible for installing the operator) should specifically identify the namespaces that cluster-scoped Argo Rollouts can be installed to.

The set of valid namespaces for cluster-scoped Argo Rollouts installs is specified (as a comma-separated list) via the CLUSTER_SCOPED_ARGO_ROLLOUTS_NAMESPACES environment variable of the operator.

This allows administrators to ensure that only authorized users have access to those namespaces.

A cluster-scoped Argo Rollouts install – by virtue of having the requirement of writing to objects across all the cluster-namespaces – requires a powerful ClusterRole/Binding. It is thus beneficial to set guard rails on who can access the namespace associated with that install.

See https://docs.google.com/document/d/1ad-4aH7B1fJi7WEEKSzXNpHiz8sebfLCnpaZRhWqIoQ/edit and https://redhat-internal.slack.com/archives/C01RQH8KQ87/p1726093952356569 for implementation details.

Acceptance Criteria (Mandatory)

New env var 'CLUSTER_SCOPED_ARGO_ROLLOUTS_NAMESPACES': Argo Rollouts will only allow installs of cluster-scoped rollouts into these namespaces (will only reconcile RolloutManagers in these namespace, otherwise an error will be set on .status.conditions).
Cluster-scoped Rollouts can be installed into 'openshift-gitops' by default, but only if 'CLUSTER_SCOPED_ARGO_ROLLOUTS_NAMESPACES' is empty.
- Note: we can't hard code a reference to openshift-gitops into the 'argo-rollout-manager' repo, so we will instead need to provide a mechanism for gitops-operator to specify which namespaces are allowed to have cluster-scoped Rollouts installs by default.
- For an example of how specify this in gitops-operator, see https://github.com/redhat-developer/gitops-operator/blob/6953e5a9936f597eed23f0a81fb28d49393b9ad0/cmd/main.go#L234 .
See linked google doc for details.
We will need to backport this to 1.13 and 1.14
Doc updates required:
- We will need to ensure this is documented as a breaking change in 1.13/1.14 docs.
- The example RolloutManager CR on this page should be installed into openshift-gitops namespace. That is, .metadata.namespace should be 'openshift-gitops'
- We should find a spot in the Rollout docs to document the 'CLUSTER_SCOPED_ARGO_ROLLOUTS_NAMESPACES' env var, and how it can be used to install cluster-scoped Argo Rollouts to different namespaces.
Unit/E2E tests

is documented by

RHDEVDOCS-6197 Update the documentation to restrict the cluster-scoped Rollouts installation to user-defined namespace

Pull Request Sent

links to

openshift/openshift-docs#83610: RHDEVDOCS-6201: Content creation for GitOps 1.14.1 RN

openshift/openshift-docs#83678: RHDEVDOCS-6202: Content creation for GitOps 1.13.2 RN

RHBA-2024:139668 Errata Advisory for Red Hat OpenShift GitOps v1.14.1

RHSA-2024:136863 Errata Advisory for Red Hat OpenShift GitOps v1.13.2 security update

Assignee:: Jayendra Parsai

Reporter:: Jonathan West

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2024/09/27 10:43 AM

Updated:: 2024/11/01 7:20 AM

Resolved:: 2024/10/16 6:57 AM

Details

Description

Acceptance Criteria (Mandatory)

Attachments

Issue Links

Activity

People

Dates