
Support User Impersonation #3376

Closed
zoetrope opened this issue Apr 7, 2020 · 5 comments
Labels
component:sso Issues related to Argo CD configurations enhancement New feature or request type:usability Enhancement of an existing feature

Comments


zoetrope commented Apr 7, 2020

Summary

Application-controller impersonates a user when synchronizing applications.

By impersonating a user, we can restrict resource operations using Kubernetes RBAC.
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation

Motivation

ArgoCD already has a feature to restrict resource operations such as ClusterResourceWhitelist, NamespacedResourceBlacklist.
However, most Kubernetes users already have Kubernetes RBAC configurations.
Therefore, we need to manage similar information twice.

With support for user impersonation, a restriction will be based on a single source of truth.

Proposal

Add the following fields, impersonateUser and impersonateGroups, to the AppProject resource.

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: impersonation-sample
spec:
  impersonateUser: "system:serviceaccount:myns:mysa"
  impersonateGroups:
  - "system:authenticated"

Application-controller impersonates the user and groups from the above settings to deploy applications.

See PR in detail.

@zoetrope zoetrope added the enhancement New feature or request label Apr 7, 2020
@jannfis jannfis added component:sso Issues related to Argo CD configurations type:usability Enhancement of an existing feature labels May 14, 2020
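At the wire level, Kubernetes user impersonation is nothing more than the caller's own credentials plus `Impersonate-User` / `Impersonate-Group` headers; the API server authenticates the caller, then authorizes the request as the impersonated identity, so the proposed AppProject fields boil down to those headers. The following is an added illustration, not Argo CD's code or the PR referenced in the issue: a minimal `http.RoundTripper` that applies the two proposed fields (the `ImpersonationSpec` type and `NewImpersonatingClient` are hypothetical names) and rejects groups given without a user, which the API server would refuse anyway.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// ImpersonationSpec mirrors the two AppProject fields proposed in the issue
// (impersonateUser and impersonateGroups). Hypothetical type, not Argo CD's.
type ImpersonationSpec struct {
	User   string
	Groups []string
}

// impersonatingTransport adds the Kubernetes impersonation headers to every
// request. The API server still authenticates the controller's own token and
// then applies RBAC as the impersonated user/groups, so the controller's own
// identity needs the "impersonate" verb on "users" and "groups" in its RBAC.
type impersonatingTransport struct {
	spec ImpersonationSpec
	next http.RoundTripper
}

func (t *impersonatingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context()) // never mutate the caller's request
	r.Header.Set("Impersonate-User", t.spec.User)
	for _, g := range t.spec.Groups {
		// One header per group; the API server adds system:authenticated
		// itself for any impersonated user other than system:anonymous.
		r.Header.Add("Impersonate-Group", g)
	}
	return t.next.RoundTrip(r)
}

// NewImpersonatingClient validates the spec and wraps base (nil means
// http.DefaultTransport) so every request carries the impersonation headers.
func NewImpersonatingClient(spec ImpersonationSpec, base http.RoundTripper) (*http.Client, error) {
	if spec.User == "" {
		// The API server rejects Impersonate-Group without Impersonate-User.
		return nil, errors.New("impersonateUser must be set")
	}
	for _, g := range spec.Groups {
		if g == "" {
			return nil, fmt.Errorf("impersonateGroups contains an empty group name")
		}
	}
	if base == nil {
		base = http.DefaultTransport
	}
	return &http.Client{Transport: &impersonatingTransport{spec: spec, next: base}}, nil
}
```

A quick way to confirm the effective restriction before wiring this into a controller is `kubectl auth can-i <verb> <resource> --as <user> --as-group <group> -n <namespace>`, which sends the same headers.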
@sathieu
Contributor

sathieu commented Mar 12, 2021

What about using Kubernetes authentication? The way kubeapps does (watchers can still be cluster-wide, but read-only).

@zoetrope
Author

ApplicationSet will solve these problems.

@mlbiam
Contributor

mlbiam commented Apr 27, 2021

@zoetrope taking a look at ApplicationSets, is the thinking that the ApplicationSets controller would run as a specific ServiceAccount and would provision with that ServiceAccount?

@zoetrope
Author

@mlbiam
Sorry for the late reply.

No, it does not mean that ApplicationSet runs as a specific ServiceAccount.
However, the problem I was facing was solved by ApplicationSet, which removed my motivation for User Impersonation.

If anyone else wants this feature, I can reopen this issue.

@schollii

@zoetrope can you explain how it solved it?
