Introduce RBAC based approach to pod logs #7211
Assignees
Labels
Comments
|
a must ! |
|
ASAP ! :) |
|
i am struggling to see logs, and my clients are too.. |
|
ASAP!!!!!!!!! |
|
So we are going for the RBAC approach, treating the "logs" as a sub-resource. |
|
By default, we deny all (sub-) resources and they would have to be explicitly allowed. When we change the behavior to default allow only to this particular resource, imho this would be utterly confusing. In yesterday's community meeting, we discussed having a global flag to disable the RBAC enforcement on logs resource, so that people can set it when upgrading and don't have to care about RBAC rules yet. If they have put the appropriate RBAC rules in place, they can remove the global flag again and RBAC would be enforced on the logs resource. This flag would probably only available for one intermediate release, before making logs RBAC mandatory. The problem that we had identified is, that you can't come up with the RBAC rules for a new (sub-) resource before the upgrade, because there is some validation of the rules. So when this feature gets released in version N, you can't put the appropriate rules in place in release N-1. And since people possibly have a lot of RBAC rules especially attached to AppProjects, this may have severe consequences on some orgs. I guess we didn't go into details how this flag would look like (e.g. an environment variable, a command line switch, or similar), so this is something we'd still have to figure out. /cc @alexmt @jessesuen |
|
I also think that the title of this issue and the details should be adapted to reflect that this is not a UI-only change and that we're gonna introduce a new RBAC resource and enforcement in the API. |
reggie-k
changed the title
|
For the intermediate release then, shall I set a param named server.rbac.project.log.enforce with a "false" value in argocd-cmd-params-cm.yaml? The motivation for such naming convention is to clearly denote resource nesting, in favor of possible new future (sub)-resources. Should the param be also supported as an env on the server deployment for the sake of those who use the old configuration method? Another thought, most of the existing resources support CRUD actions, while only "get" action is relevant for log resource. Shall I treat that in some dedicated way? |
I think
The way parameters in
I think we don't need to handle that specially. The enforcement methods in the API will query whether a given action (i.e. |
|
As for the intermediate release - what would be the path we follow? A:
B:
Any other alternatives? |
|
Regarding the parameter for the intermediate release:
Or this is not something to worry about and covering it in the docs should be enough? |
crenshaw-dev
pushed a commit
that referenced
this issue
Mar 18, 2022
* initial changes in settings, app, account, admin, rbac, doc and tests Signed-off-by: reggie-k <reginakagan@gmail.com> * rbac.md docs and better comments in account and app Signed-off-by: reggie-k <reginakagan@gmail.com> * initial changes in settings, app, account, admin, rbac, doc and tests Signed-off-by: reggie-k <reginakagan@gmail.com> * rbac.md docs and better comments in account and app Signed-off-by: reggie-k <reginakagan@gmail.com> * initial changes in settings, app, account, admin, rbac, doc and tests Signed-off-by: reggie-k <reginakagan@gmail.com> * rbac.md docs and better comments in account and app Signed-off-by: reggie-k <reginakagan@gmail.com> * rebase fix Signed-off-by: reggie-k <reginakagan@gmail.com> * updated docs for argocd-cm.yaml Signed-off-by: reggie-k <reginakagan@gmail.com>
wojtekidd
pushed a commit
to wojtekidd/argo-cd
that referenced
this issue
Apr 25, 2022
…oj#8353) * initial changes in settings, app, account, admin, rbac, doc and tests Signed-off-by: reggie-k <reginakagan@gmail.com> * rbac.md docs and better comments in account and app Signed-off-by: reggie-k <reginakagan@gmail.com> * initial changes in settings, app, account, admin, rbac, doc and tests Signed-off-by: reggie-k <reginakagan@gmail.com> * rbac.md docs and better comments in account and app Signed-off-by: reggie-k <reginakagan@gmail.com> * initial changes in settings, app, account, admin, rbac, doc and tests Signed-off-by: reggie-k <reginakagan@gmail.com> * rbac.md docs and better comments in account and app Signed-off-by: reggie-k <reginakagan@gmail.com> * rebase fix Signed-off-by: reggie-k <reginakagan@gmail.com> * updated docs for argocd-cm.yaml Signed-off-by: reggie-k <reginakagan@gmail.com> Signed-off-by: wojtekidd <wojtek.cichon@protonmail.com>
|
Discussed in contributor experience meeting, the consensus was to just add a notice in the docs and release notes that the UI will throw this error when enabled. The feature is essentially complete from the backend standpoint so we feel it's worth moving forward. @reggie-k Can you add a note to docs and release notes? |
|
https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/upgrading/2.3-2.4.md is the specific file I was thinking of probably needing a note. :-) |
Thanks, in order to change the release notes to also contain that note, do I edit the CHANGELOG.md directly? |
|
I've wondered the same. @alexmt how can we make sure something makes it into the release notes? |
|
Here is the relevant PR: |
sujeilyfonseca
added a commit
to sujeilyfonseca/argo-cd
that referenced
this issue
Sep 19, 2022
* Merge pull request from GHSA-pmjg-52h9-72qv Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> formatting Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> fixes from comments Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> fix test Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * Merge pull request from GHSA-7943-82jg-wmw5 * add tests to demonstrate issue Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> more Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> docs Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> settings tests Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> tests for OIDC handlers, consolidating test helpers Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> consolidate Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> consolidate Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> docs Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * fix log message Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * Bump version to 2.4.5 * Bump version to 2.4.5 * test: check for error messages from CI env (argoproj#9953) test: check for error messages from CI env (argoproj#9953) Signed-off-by: CI <michael@crenshaw.dev> * docs: getting started notes on self-signed cert (argoproj#9429) (argoproj#9784) * Fix argoproj#9429: A couple of notes in the docs to explain that the default certificate is insecure. Signed-off-by: Jim Talbut <jim.talbut@groupgti.com> * Fixes argoproj#9429: More verbose, but complete, text for Getting Started. Signed-off-by: Jim Talbut <jim.talbut@groupgti.com> * docs: Document the possibility of rendering Helm charts with Kustomize (argoproj#9841) * Update kustomize.md Resolves argoproj#7835. Signed-off-by: Didrik Finnøy <djfinnoy@protonmail.com> * Removed unnecessary command flag from example. Minor text edits. Signed-off-by: Didrik Finnøy <djfinnoy@protonmail.com> * spelling Signed-off-by: Didrik Finnøy <djfinnoy@protonmail.com> * docs: small fix for plugin stream filtering (argoproj#9871) Signed-off-by: notfromstatefarm <86763948+notfromstatefarm@users.noreply.github.com> * argoproj#9429: Adding blank line so list is formatted correctly. (argoproj#9880) Signed-off-by: CI <michael@crenshaw.dev> * fix: argo-cd git submodule is using SSH auth instead of HTTPs (argoproj#3118) (argoproj#9821) * fix: argo-cd git submodule is using SSH auth instead of HTTPs (argoproj#3118) Signed-off-by: shunki-fujita <shunki-fujita@cybozu.co.jp> * Add submodule functions and unit tests Signed-off-by: shunki-fujita <shunki-fujita@cybozu.co.jp> * fix: Make change of tracking method work at runtime (argoproj#9820) * fix: Make change of tracking method work at runtime Signed-off-by: jannfis <jann@mistrust.net> * GetAppName() will figure tracking label or annotation on its own Signed-off-by: jannfis <jann@mistrust.net> * Correct test comments and add another test Signed-off-by: jannfis <jann@mistrust.net> * Add a read lock before getting cache settings Signed-off-by: jannfis <jann@mistrust.net> * fix: Check tracking annotation for being self-referencing (argoproj#9791) * fix: Check tracking annotation for being self-referencing Signed-off-by: jannfis <jann@mistrust.net> * Tweak isManagedLiveObj() logic Signed-off-by: jannfis <jann@mistrust.net> * Rename isManagedLiveResource to isSelfReferencedObj Signed-off-by: jannfis <jann@mistrust.net> * Add e2e test Signed-off-by: jannfis <jann@mistrust.net> * fix: add missing download CLI tool link for ppc64le, s390x (argoproj#9649) Signed-off-by: Hyeonmin Park <hyeonmin.park@kennysoft.kr> * fix: NotAfter is not set when ValidFor is set (argoproj#9911) Signed-off-by: yongguangl <1363186473@qq.com> * fix: CMP manifest generation fails with ENHANCE_YOUR_CALM if over 40s (argoproj#9922) * fix: CMP manifest generation fails with ENHANCE_YOUR_CALM if over 40s Signed-off-by: notfromstatefarm <86763948+notfromstatefarm@users.noreply.github.com> * fix timeouts across all gRPC servers Signed-off-by: notfromstatefarm <86763948+notfromstatefarm@users.noreply.github.com> * use common consts Signed-off-by: notfromstatefarm <86763948+notfromstatefarm@users.noreply.github.com> * fix: argocd login just hangs on 2.4.0 argoproj#9679 (argoproj#9935) Signed-off-by: Xiao Yang <muma.378@163.com> Co-authored-by: Michael Crenshaw <michael@crenshaw.dev> Signed-off-by: CI <michael@crenshaw.dev> * test: Use dedicated multi-arch workloads in e2e tests (argoproj#9921) * test: Use dedicated multi-arch workloads in e2e tests Signed-off-by: jannfis <jann@mistrust.net> * Use correct tag Signed-off-by: jannfis <jann@mistrust.net> * feat: Treat connection reset as a retryable error (argoproj#9739) Signed-off-by: Yuan Tang <terrytangyuan@gmail.com> * fix: 'unexpected reserved bits' breaking web terminal (argoproj#9605) (argoproj#9895) * fix: 'unexpected reserved bits' breaking web terminal (argoproj#9605) Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * make things more like they were originally, since the mutex fixes the problem Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * fix typo, don't pass around a pointer when it isn't necessary Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * apply suggestions Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * docs: add terminal documentation (argoproj#9948) Signed-off-by: notfromstatefarm <86763948+notfromstatefarm@users.noreply.github.com> * docs: fix typo in Generators-Git.md (argoproj#9949) `ApplictionSet` --> `ApplicationSet` Signed-off-by: CI <michael@crenshaw.dev> * chore: fix build error Signed-off-by: CI <michael@crenshaw.dev> * Bump version to 2.4.6 * Bump version to 2.4.6 * docs: supported versions (argoproj#9876) * docs: supported versions Signed-off-by: Kostis Kapelonis <kostis@codefresh.io> * docs: supported versions feedback Signed-off-by: Kostis Kapelonis <kostis@codefresh.io> * fix: add missing download CLI tool URL response for ppc64le, s390x (argoproj#9983) Signed-off-by: Hyeonmin Park <hyeonmin.park@kennysoft.kr> * fix: e2e test to use func from clusterauth instead creating one with old logic (argoproj#9989) Signed-off-by: rishabh625 <rishabhmishra625@gmail.com> * fix: updated all a tags to Link tags in app summary (argoproj#9777) * fix: updated all a tags to Link tags Signed-off-by: Soumya Ghosh Dastidar <gdsoumya@gmail.com> * fix: revert external links to a tags Signed-off-by: Soumya Ghosh Dastidar <gdsoumya@gmail.com> * fix: linting Signed-off-by: Soumya Ghosh Dastidar <gdsoumya@gmail.com> * docs: simplify Docker toolchain docs (argoproj#9966) (argoproj#10006) * docs: simplify Docker toolchain docs (argoproj#9966) Signed-off-by: CI <michael@crenshaw.dev> * to be or not to be Signed-off-by: CI <michael@crenshaw.dev> * pin dependencies to avoid absurdity Signed-off-by: CI <michael@crenshaw.dev> * docs: document directory app include/exclude fields (argoproj#9997) Signed-off-by: CI <michael@crenshaw.dev> * fix: terminal websocket write lock to avoid races (argoproj#10011) * fix: protect terminal WriteMessage with a lock Signed-off-by: CI <michael@crenshaw.dev> * give write its own lock Signed-off-by: CI <michael@crenshaw.dev> * docs: use quotes to emphasize that ConfigMap value is a string (argoproj#9995) Signed-off-by: CI <michael@crenshaw.dev> * Support files in argocd.argoproj.io/manifest-generate-paths annotation (argoproj#9908) Signed-off-by: Jim Wright <jmwri93@gmail.com> * chore: upgrade parse-url to avoid SNYK-JS-PARSEURL-2936249 (argoproj#9826) Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * Bump version to 2.4.7 * Bump version to 2.4.7 * chore: update haproxy to 2.0.29 for redis-ha (argoproj#10045) Signed-off-by: Justin Marquis <34fathombelow@protonmail.com> * chore: update redis to avoid CVE-2022-2097 (argoproj#10031) * chore: update redis to avoid CVE-2022-2097 Signed-off-by: CI <michael@crenshaw.dev> * codegen Signed-off-by: CI <michael@crenshaw.dev> * chore: upgrade Dex to 2.32.0 (argoproj#10036) (argoproj#10042) Signed-off-by: CI <michael@crenshaw.dev> * docs: add argocd-server grpc metric usage (argoproj#10007) Signed-off-by: Ashutosh <mail.ashutosh8@gmail.com> Co-authored-by: Ashutosh <mail.ashutosh8@gmail.com> Signed-off-by: CI <michael@crenshaw.dev> * chore: update redis to 7.0.4 avoid CVE-2022-30065 (argoproj#10059) Signed-off-by: Justin Marquis <34fathombelow@protonmail.com> * fix: Set HOST_ARCH for yarn build from platform (argoproj#10018) Signed-off-by: Hyeonmin Park <hyeonmin.park@kennysoft.kr> * docs: add api field example in the appset security doc (argoproj#10087) It seems like most of the work for the mentioned issue below is done under the PR argoproj#9466 but from the issue description, it's probably worth to mention the example as added here. Related argoproj#9352 Signed-off-by: Sahdev Zala <spzala@us.ibm.com> * chore: update parse-url (argoproj#10101) * chore: upgrade parse-url Signed-off-by: CI <michael@crenshaw.dev> * edit a generated file, because that's smart Signed-off-by: CI <michael@crenshaw.dev> * fix: avoid CVE-2022-28948 (argoproj#10093) Signed-off-by: CI <michael@crenshaw.dev> * docs: add OpenSSH breaking change notes (argoproj#10104) Signed-off-by: CI <michael@crenshaw.dev> * fix: skip redirect url validation when it's the base href (argoproj#10058) (argoproj#10116) * fix: skip redirect url validation when it's the base href (argoproj#10058) Signed-off-by: CI <michael@crenshaw.dev> nicer way of doing it Signed-off-by: CI <michael@crenshaw.dev> * fix missin arg Signed-off-by: CI <michael@crenshaw.dev> * fix: upgrade moment from 2.29.2 to 2.29.3 (argoproj#9330) Snyk has created this PR to upgrade moment from 2.29.2 to 2.29.3. See this package in npm: See this project in Snyk: https://app.snyk.io/org/argoproj/project/d2931792-eef9-4d7c-b9d6-c0cbd2bd4dbe?utm_source=github&utm_medium=referral&page=upgrade-pr Signed-off-by: CI <michael@crenshaw.dev> * chore(deps): bump moment from 2.29.3 to 2.29.4 in /ui (argoproj#9897) Bumps [moment](https://github.com/moment/moment) from 2.29.3 to 2.29.4. - [Release notes](https://github.com/moment/moment/releases) - [Changelog](https://github.com/moment/moment/blob/develop/CHANGELOG.md) - [Commits](moment/moment@2.29.3...2.29.4) Signed-off-by: CI <michael@crenshaw.dev> --- updated-dependencies: - dependency-name: moment dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat: support multiple extensions per resource group/kind (argoproj#9834) * feat: support multiple extensions per resource group/kind Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> * apply reviewers suggestions Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> * apply reviewer notes: stream extension files one by one Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> * wrap errors Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> * skip symlinks Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> * feat: support application level extensions (argoproj#9923) Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> * fix: extensions is not loading for ConfigMap/Pods (argoproj#10010) Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> * Bump version to 2.4.8 * Bump version to 2.4.8 * docs: Fixed indentation Error (argoproj#10123) * Fixed indentation Error Signed-off-by: iflan7744 <iflan_mohamed@yahoo.com> * Fixed indentation Error for top-level data key Signed-off-by: iflan7744 <iflan_mohamed@yahoo.com> Co-authored-by: iflan7744 <iflan_mohamed@yahoo.com> Signed-off-by: CI <michael@crenshaw.dev> * docs: fix kustomize namePrefix misconception in application.yaml (argoproj#10162) * Update docs/operator-manual/application.yaml - Removed comment about what namePrefix does. (i.e. it does not add a prefix to the image) - Added examples of other supported transformers. (based on looking at the source code) - Added link to the kustomize docs where the transormers are described in more detail. * Update kustomize casing to be consistent Signed-off-by: whyvez <yves@premise.com> * docs: improve Installation.md (argoproj#10173) Signed-off-by: xin.li <xin.li@daocloud.io> * docs: Use ConfigMap to disable TLS (argoproj#10106) * docs: Use ConfigMap to disable TLS Signed-off-by: Renaud Guerin <renaud@renaudguerin.net> * Fix typo Signed-off-by: Renaud Guerin <renaud@renaudguerin.net> * docs: correct the api field description for the GitLab example (argoproj#10081) The api field description for the GitLab example seems mistakenly copied from the GitHub example. Signed-off-by: Sahdev Zala <spzala@us.ibm.com> * fix: Ignore non-self-referencing resources while pruning (argoproj#10198) * fix: Ignore non-self-referencing resources while pruning Signed-off-by: jannfis <jann@mistrust.net> * fix: UI part for logs RBAC - do not display the logs tab when no RBAC in place (argoproj#7211) (argoproj#9828) * show logs tab only upon explicit rbac allow policy Signed-off-by: reggie-k <reginakagan@gmail.com> * 2.4.7 docs edit Signed-off-by: reggie-k <reginakagan@gmail.com> * fix: Drop all references to exec unless the feature is enabled (argoproj#9920) (argoproj#10187) * fix: Drop all references to exec unless the feature is enabled argoproj#9920 Signed-off-by: Patrick Kerwood <patrick@kerwood.dk> * fixed tslint issues Signed-off-by: Patrick Kerwood <patrick@kerwood.dk> * docs(applicationset): fix layout matrix/merge generator restrictions (argoproj#10246) Co-authored-by: Michael Crenshaw <michael@crenshaw.dev> Signed-off-by: Sverre Boschman <1142569+sboschman@users.noreply.github.com> * docs: fix microsoft user management mapping role (argoproj#10251) Signed-off-by: CI <michael@crenshaw.dev> * docs: Document ignoreAggregatedRoles setting (argoproj#10206) Signed-off-by: Brandon High <highb@users.noreply.github.com> * docs: fix version reference for logs UI fix (argoproj#10245) Signed-off-by: CI <michael@crenshaw.dev> * Bump version to 2.4.9 * Bump version to 2.4.9 * docs: clusterResources in declarative cluster config (argoproj#10219) * docs: clusterResources in declarative cluster config Signed-off-by: CI <michael@crenshaw.dev> * add article Signed-off-by: CI <michael@crenshaw.dev> Signed-off-by: CI <michael@crenshaw.dev> * fix: respect ARGOCD_GIT_MODULES_ENABLED in the appset controller (argoproj#10285) (argoproj#10287) * fix: respect ARGOCD_GIT_MODULES_ENABLED in the appset controller (argoproj#10285) Signed-off-by: CI <michael@crenshaw.dev> * remove duplicate line Signed-off-by: CI <michael@crenshaw.dev> Signed-off-by: CI <michael@crenshaw.dev> * fix: Suppressed ssh scheme url warn log (argoproj#9836) * Fixed ssh scheme warn log degrade by argoproj#8508 Signed-off-by: kenchan0130 <tt.tanishi100@gmail.com> * Expanded repository type getCAPath testing Signed-off-by: kenchan0130 <tt.tanishi100@gmail.com> * docs: Document safe concurrent processing of sidecar CMP (argoproj#10336) Signed-off-by: jsmcnair <john.mcnair@yellowdog.co> Signed-off-by: jsmcnair <john.mcnair@yellowdog.co> * docs: Add "Create Namespace" to sync options doc (argoproj#3490) (argoproj#10326) * Add create namespace to the sync options doc Signed-off-by: JesseBot <jessebot@linux.com> * Update docs/user-guide/sync-options.md Co-authored-by: Michael Crenshaw <michael@crenshaw.dev> Signed-off-by: JesseBot <jessebot@linux.com> Co-authored-by: Michael Crenshaw <michael@crenshaw.dev> * fix: missing actions (argoproj#10327) (argoproj#10359) Signed-off-by: CI <michael@crenshaw.dev> Signed-off-by: CI <michael@crenshaw.dev> * Bump version to 2.4.10 * Bump version to 2.4.10 * docs: fix typo in upgrade notes (argoproj#10377) Signed-off-by: Xijun Dai <daixijun1990@gmail.com> Signed-off-by: Xijun Dai <daixijun1990@gmail.com> * fix: Correctly assume cluster-scoped resources to be self-referenced (argoproj#10390) Signed-off-by: jannfis <jann@mistrust.net> Signed-off-by: jannfis <jann@mistrust.net> * Pin gitops-engine to v0.7.3 Signed-off-by: jannfis <jann@mistrust.net> * Bump version to 2.4.11 * Bump version to 2.4.11 * docs: Changes for v2.4.11 Updated the CHANGES.md to represent what changes the pull request will introduce. Contributes to: automation-saas/native-AWS#2523 Signed-off-by: Sujeily Fonseca <sujeily.fonseca@ibm.com> Co-authored-by: Michael Crenshaw <michael@crenshaw.dev> Co-authored-by: argo-bot <argoproj@gmail.com> Co-authored-by: YaytayAtWork <jim.talbut@groupgti.com> Co-authored-by: Didrik Finnøy <djfinnoy@protonmail.com> Co-authored-by: Jake <86763948+notfromstatefarm@users.noreply.github.com> Co-authored-by: Shunki <75064402+shunki-fujita@users.noreply.github.com> Co-authored-by: jannfis <jann@mistrust.net> Co-authored-by: Hyeonmin Park <hyeonmin.park@kennysoft.kr> Co-authored-by: yongguangl <1363186473@qq.com> Co-authored-by: Xiao Yang <muma.378@163.com> Co-authored-by: Yuan Tang <terrytangyuan@gmail.com> Co-authored-by: taksenov <TAksenov@users.noreply.github.com> Co-authored-by: Kostis (Codefresh) <39800303+kostis-codefresh@users.noreply.github.com> Co-authored-by: rishabh625 <43094970+rishabh625@users.noreply.github.com> Co-authored-by: Soumya Ghosh Dastidar <44349253+gdsoumya@users.noreply.github.com> Co-authored-by: Jim Wright <jmwri@users.noreply.github.com> Co-authored-by: 34FathomBelow <34fathombelow@protonmail.com> Co-authored-by: Ashutosh <11219262+ashutosh16@users.noreply.github.com> Co-authored-by: Ashutosh <mail.ashutosh8@gmail.com> Co-authored-by: Sahdev Zala <spzala@us.ibm.com> Co-authored-by: Snyk bot <snyk-bot@snyk.io> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> Co-authored-by: Mohamed Iflan <55939511+iflan7744@users.noreply.github.com> Co-authored-by: iflan7744 <iflan_mohamed@yahoo.com> Co-authored-by: Yves Richard <yves@klaodlabs.com> Co-authored-by: my-git9 <xin.li@daocloud.io> Co-authored-by: Renaud Guérin <renaud@renaudguerin.net> Co-authored-by: reggie-k <reginakagan@gmail.com> Co-authored-by: Kerwood <patrick@kerwood.dk> Co-authored-by: Sverre Boschman <1142569+sboschman@users.noreply.github.com> Co-authored-by: César M. Cristóbal <cesar@callepuzzle.com> Co-authored-by: Brandon High <highb@users.noreply.github.com> Co-authored-by: Tadayuki Onishi <tt.tanishi100@gmail.com> Co-authored-by: jsmcnair <john@jsmcnair.com> Co-authored-by: JesseBot <jessebot@linux.com> Co-authored-by: Xijun Dai <daixijun1990@gmail.com>
sujeilyfonseca
added a commit
to sujeilyfonseca/argo-cd
that referenced
this issue
Dec 15, 2022
* Merge pull request from GHSA-pmjg-52h9-72qv Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> formatting Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> fixes from comments Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> fix test Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * Merge pull request from GHSA-7943-82jg-wmw5 * add tests to demonstrate issue Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> more Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> docs Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> settings tests Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> tests for OIDC handlers, consolidating test helpers Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> consolidate Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> consolidate Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> docs Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * fix log message Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * Bump version to 2.4.5 * Bump version to 2.4.5 * test: check for error messages from CI env (argoproj#9953) test: check for error messages from CI env (argoproj#9953) Signed-off-by: CI <michael@crenshaw.dev> * docs: getting started notes on self-signed cert (argoproj#9429) (argoproj#9784) * Fix argoproj#9429: A couple of notes in the docs to explain that the default certificate is insecure. Signed-off-by: Jim Talbut <jim.talbut@groupgti.com> * Fixes argoproj#9429: More verbose, but complete, text for Getting Started. Signed-off-by: Jim Talbut <jim.talbut@groupgti.com> * docs: Document the possibility of rendering Helm charts with Kustomize (argoproj#9841) * Update kustomize.md Resolves argoproj#7835. Signed-off-by: Didrik Finnøy <djfinnoy@protonmail.com> * Removed unnecessary command flag from example. Minor text edits. Signed-off-by: Didrik Finnøy <djfinnoy@protonmail.com> * spelling Signed-off-by: Didrik Finnøy <djfinnoy@protonmail.com> * docs: small fix for plugin stream filtering (argoproj#9871) Signed-off-by: notfromstatefarm <86763948+notfromstatefarm@users.noreply.github.com> * argoproj#9429: Adding blank line so list is formatted correctly. (argoproj#9880) Signed-off-by: CI <michael@crenshaw.dev> * fix: argo-cd git submodule is using SSH auth instead of HTTPs (argoproj#3118) (argoproj#9821) * fix: argo-cd git submodule is using SSH auth instead of HTTPs (argoproj#3118) Signed-off-by: shunki-fujita <shunki-fujita@cybozu.co.jp> * Add submodule functions and unit tests Signed-off-by: shunki-fujita <shunki-fujita@cybozu.co.jp> * fix: Make change of tracking method work at runtime (argoproj#9820) * fix: Make change of tracking method work at runtime Signed-off-by: jannfis <jann@mistrust.net> * GetAppName() will figure tracking label or annotation on its own Signed-off-by: jannfis <jann@mistrust.net> * Correct test comments and add another test Signed-off-by: jannfis <jann@mistrust.net> * Add a read lock before getting cache settings Signed-off-by: jannfis <jann@mistrust.net> * fix: Check tracking annotation for being self-referencing (argoproj#9791) * fix: Check tracking annotation for being self-referencing Signed-off-by: jannfis <jann@mistrust.net> * Tweak isManagedLiveObj() logic Signed-off-by: jannfis <jann@mistrust.net> * Rename isManagedLiveResource to isSelfReferencedObj Signed-off-by: jannfis <jann@mistrust.net> * Add e2e test Signed-off-by: jannfis <jann@mistrust.net> * fix: add missing download CLI tool link for ppc64le, s390x (argoproj#9649) Signed-off-by: Hyeonmin Park <hyeonmin.park@kennysoft.kr> * fix: NotAfter is not set when ValidFor is set (argoproj#9911) Signed-off-by: yongguangl <1363186473@qq.com> * fix: CMP manifest generation fails with ENHANCE_YOUR_CALM if over 40s (argoproj#9922) * fix: CMP manifest generation fails with ENHANCE_YOUR_CALM if over 40s Signed-off-by: notfromstatefarm <86763948+notfromstatefarm@users.noreply.github.com> * fix timeouts across all gRPC servers Signed-off-by: notfromstatefarm <86763948+notfromstatefarm@users.noreply.github.com> * use common consts Signed-off-by: notfromstatefarm <86763948+notfromstatefarm@users.noreply.github.com> * fix: argocd login just hangs on 2.4.0 argoproj#9679 (argoproj#9935) Signed-off-by: Xiao Yang <muma.378@163.com> Co-authored-by: Michael Crenshaw <michael@crenshaw.dev> Signed-off-by: CI <michael@crenshaw.dev> * test: Use dedicated multi-arch workloads in e2e tests (argoproj#9921) * test: Use dedicated multi-arch workloads in e2e tests Signed-off-by: jannfis <jann@mistrust.net> * Use correct tag Signed-off-by: jannfis <jann@mistrust.net> * feat: Treat connection reset as a retryable error (argoproj#9739) Signed-off-by: Yuan Tang <terrytangyuan@gmail.com> * fix: 'unexpected reserved bits' breaking web terminal (argoproj#9605) (argoproj#9895) * fix: 'unexpected reserved bits' breaking web terminal (argoproj#9605) Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * make things more like they were originally, since the mutex fixes the problem Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * fix typo, don't pass around a pointer when it isn't necessary Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * apply suggestions Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * docs: add terminal documentation (argoproj#9948) Signed-off-by: notfromstatefarm <86763948+notfromstatefarm@users.noreply.github.com> * docs: fix typo in Generators-Git.md (argoproj#9949) `ApplictionSet` --> `ApplicationSet` Signed-off-by: CI <michael@crenshaw.dev> * chore: fix build error Signed-off-by: CI <michael@crenshaw.dev> * Bump version to 2.4.6 * Bump version to 2.4.6 * docs: supported versions (argoproj#9876) * docs: supported versions Signed-off-by: Kostis Kapelonis <kostis@codefresh.io> * docs: supported versions feedback Signed-off-by: Kostis Kapelonis <kostis@codefresh.io> * fix: add missing download CLI tool URL response for ppc64le, s390x (argoproj#9983) Signed-off-by: Hyeonmin Park <hyeonmin.park@kennysoft.kr> * fix: e2e test to use func from clusterauth instead creating one with old logic (argoproj#9989) Signed-off-by: rishabh625 <rishabhmishra625@gmail.com> * fix: updated all a tags to Link tags in app summary (argoproj#9777) * fix: updated all a tags to Link tags Signed-off-by: Soumya Ghosh Dastidar <gdsoumya@gmail.com> * fix: revert external links to a tags Signed-off-by: Soumya Ghosh Dastidar <gdsoumya@gmail.com> * fix: linting Signed-off-by: Soumya Ghosh Dastidar <gdsoumya@gmail.com> * docs: simplify Docker toolchain docs (argoproj#9966) (argoproj#10006) * docs: simplify Docker toolchain docs (argoproj#9966) Signed-off-by: CI <michael@crenshaw.dev> * to be or not to be Signed-off-by: CI <michael@crenshaw.dev> * pin dependencies to avoid absurdity Signed-off-by: CI <michael@crenshaw.dev> * docs: document directory app include/exclude fields (argoproj#9997) Signed-off-by: CI <michael@crenshaw.dev> * fix: terminal websocket write lock to avoid races (argoproj#10011) * fix: protect terminal WriteMessage with a lock Signed-off-by: CI <michael@crenshaw.dev> * give write its own lock Signed-off-by: CI <michael@crenshaw.dev> * docs: use quotes to emphasize that ConfigMap value is a string (argoproj#9995) Signed-off-by: CI <michael@crenshaw.dev> * Support files in argocd.argoproj.io/manifest-generate-paths annotation (argoproj#9908) Signed-off-by: Jim Wright <jmwri93@gmail.com> * chore: upgrade parse-url to avoid SNYK-JS-PARSEURL-2936249 (argoproj#9826) Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * Bump version to 2.4.7 * Bump version to 2.4.7 * chore: update haproxy to 2.0.29 for redis-ha (argoproj#10045) Signed-off-by: Justin Marquis <34fathombelow@protonmail.com> * chore: update redis to avoid CVE-2022-2097 (argoproj#10031) * chore: update redis to avoid CVE-2022-2097 Signed-off-by: CI <michael@crenshaw.dev> * codegen Signed-off-by: CI <michael@crenshaw.dev> * chore: upgrade Dex to 2.32.0 (argoproj#10036) (argoproj#10042) Signed-off-by: CI <michael@crenshaw.dev> * docs: add argocd-server grpc metric usage (argoproj#10007) Signed-off-by: Ashutosh <mail.ashutosh8@gmail.com> Co-authored-by: Ashutosh <mail.ashutosh8@gmail.com> Signed-off-by: CI <michael@crenshaw.dev> * chore: update redis to 7.0.4 avoid CVE-2022-30065 (argoproj#10059) Signed-off-by: Justin Marquis <34fathombelow@protonmail.com> * fix: Set HOST_ARCH for yarn build from platform (argoproj#10018) Signed-off-by: Hyeonmin Park <hyeonmin.park@kennysoft.kr> * docs: add api field example in the appset security doc (argoproj#10087) It seems like most of the work for the mentioned issue below is done under the PR argoproj#9466 but from the issue description, it's probably worth to mention the example as added here. Related argoproj#9352 Signed-off-by: Sahdev Zala <spzala@us.ibm.com> * chore: update parse-url (argoproj#10101) * chore: upgrade parse-url Signed-off-by: CI <michael@crenshaw.dev> * edit a generated file, because that's smart Signed-off-by: CI <michael@crenshaw.dev> * fix: avoid CVE-2022-28948 (argoproj#10093) Signed-off-by: CI <michael@crenshaw.dev> * docs: add OpenSSH breaking change notes (argoproj#10104) Signed-off-by: CI <michael@crenshaw.dev> * fix: skip redirect url validation when it's the base href (argoproj#10058) (argoproj#10116) * fix: skip redirect url validation when it's the base href (argoproj#10058) Signed-off-by: CI <michael@crenshaw.dev> nicer way of doing it Signed-off-by: CI <michael@crenshaw.dev> * fix missin arg Signed-off-by: CI <michael@crenshaw.dev> * fix: upgrade moment from 2.29.2 to 2.29.3 (argoproj#9330) Snyk has created this PR to upgrade moment from 2.29.2 to 2.29.3. See this package in npm: See this project in Snyk: https://app.snyk.io/org/argoproj/project/d2931792-eef9-4d7c-b9d6-c0cbd2bd4dbe?utm_source=github&utm_medium=referral&page=upgrade-pr Signed-off-by: CI <michael@crenshaw.dev> * chore(deps): bump moment from 2.29.3 to 2.29.4 in /ui (argoproj#9897) Bumps [moment](https://github.com/moment/moment) from 2.29.3 to 2.29.4. - [Release notes](https://github.com/moment/moment/releases) - [Changelog](https://github.com/moment/moment/blob/develop/CHANGELOG.md) - [Commits](moment/moment@2.29.3...2.29.4) Signed-off-by: CI <michael@crenshaw.dev> --- updated-dependencies: - dependency-name: moment dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat: support multiple extensions per resource group/kind (argoproj#9834) * feat: support multiple extensions per resource group/kind Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> * apply reviewers suggestions Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> * apply reviewer notes: stream extension files one by one Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> * wrap errors Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> * skip symlinks Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> * feat: support application level extensions (argoproj#9923) Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> * fix: extensions is not loading for ConfigMap/Pods (argoproj#10010) Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> * Bump version to 2.4.8 * Bump version to 2.4.8 * docs: Fixed indentation Error (argoproj#10123) * Fixed indentation Error Signed-off-by: iflan7744 <iflan_mohamed@yahoo.com> * Fixed indentation Error for top-level data key Signed-off-by: iflan7744 <iflan_mohamed@yahoo.com> Co-authored-by: iflan7744 <iflan_mohamed@yahoo.com> Signed-off-by: CI <michael@crenshaw.dev> * docs: fix kustomize namePrefix misconception in application.yaml (argoproj#10162) * Update docs/operator-manual/application.yaml - Removed comment about what namePrefix does. (i.e. it does not add a prefix to the image) - Added examples of other supported transformers. (based on looking at the source code) - Added link to the kustomize docs where the transormers are described in more detail. * Update kustomize casing to be consistent Signed-off-by: whyvez <yves@premise.com> * docs: improve Installation.md (argoproj#10173) Signed-off-by: xin.li <xin.li@daocloud.io> * docs: Use ConfigMap to disable TLS (argoproj#10106) * docs: Use ConfigMap to disable TLS Signed-off-by: Renaud Guerin <renaud@renaudguerin.net> * Fix typo Signed-off-by: Renaud Guerin <renaud@renaudguerin.net> * docs: correct the api field description for the GitLab example (argoproj#10081) The api field description for the GitLab example seems mistakenly copied from the GitHub example. Signed-off-by: Sahdev Zala <spzala@us.ibm.com> * fix: Ignore non-self-referencing resources while pruning (argoproj#10198) * fix: Ignore non-self-referencing resources while pruning Signed-off-by: jannfis <jann@mistrust.net> * fix: UI part for logs RBAC - do not display the logs tab when no RBAC in place (argoproj#7211) (argoproj#9828) * show logs tab only upon explicit rbac allow policy Signed-off-by: reggie-k <reginakagan@gmail.com> * 2.4.7 docs edit Signed-off-by: reggie-k <reginakagan@gmail.com> * fix: Drop all references to exec unless the feature is enabled (argoproj#9920) (argoproj#10187) * fix: Drop all references to exec unless the feature is enabled argoproj#9920 Signed-off-by: Patrick Kerwood <patrick@kerwood.dk> * fixed tslint issues Signed-off-by: Patrick Kerwood <patrick@kerwood.dk> * docs(applicationset): fix layout matrix/merge generator restrictions (argoproj#10246) Co-authored-by: Michael Crenshaw <michael@crenshaw.dev> Signed-off-by: Sverre Boschman <1142569+sboschman@users.noreply.github.com> * docs: fix microsoft user management mapping role (argoproj#10251) Signed-off-by: CI <michael@crenshaw.dev> * docs: Document ignoreAggregatedRoles setting (argoproj#10206) Signed-off-by: Brandon High <highb@users.noreply.github.com> * docs: fix version reference for logs UI fix (argoproj#10245) Signed-off-by: CI <michael@crenshaw.dev> * Bump version to 2.4.9 * Bump version to 2.4.9 * docs: clusterResources in declarative cluster config (argoproj#10219) * docs: clusterResources in declarative cluster config Signed-off-by: CI <michael@crenshaw.dev> * add article Signed-off-by: CI <michael@crenshaw.dev> Signed-off-by: CI <michael@crenshaw.dev> * fix: respect ARGOCD_GIT_MODULES_ENABLED in the appset controller (argoproj#10285) (argoproj#10287) * fix: respect ARGOCD_GIT_MODULES_ENABLED in the appset controller (argoproj#10285) Signed-off-by: CI <michael@crenshaw.dev> * remove duplicate line Signed-off-by: CI <michael@crenshaw.dev> Signed-off-by: CI <michael@crenshaw.dev> * fix: Suppressed ssh scheme url warn log (argoproj#9836) * Fixed ssh scheme warn log degrade by argoproj#8508 Signed-off-by: kenchan0130 <tt.tanishi100@gmail.com> * Expanded repository type getCAPath testing Signed-off-by: kenchan0130 <tt.tanishi100@gmail.com> * docs: Document safe concurrent processing of sidecar CMP (argoproj#10336) Signed-off-by: jsmcnair <john.mcnair@yellowdog.co> Signed-off-by: jsmcnair <john.mcnair@yellowdog.co> * docs: Add "Create Namespace" to sync options doc (argoproj#3490) (argoproj#10326) * Add create namespace to the sync options doc Signed-off-by: JesseBot <jessebot@linux.com> * Update docs/user-guide/sync-options.md Co-authored-by: Michael Crenshaw <michael@crenshaw.dev> Signed-off-by: JesseBot <jessebot@linux.com> Co-authored-by: Michael Crenshaw <michael@crenshaw.dev> * fix: missing actions (argoproj#10327) (argoproj#10359) Signed-off-by: CI <michael@crenshaw.dev> Signed-off-by: CI <michael@crenshaw.dev> * Bump version to 2.4.10 * Bump version to 2.4.10 * docs: fix typo in upgrade notes (argoproj#10377) Signed-off-by: Xijun Dai <daixijun1990@gmail.com> Signed-off-by: Xijun Dai <daixijun1990@gmail.com> * fix: Correctly assume cluster-scoped resources to be self-referenced (argoproj#10390) Signed-off-by: jannfis <jann@mistrust.net> Signed-off-by: jannfis <jann@mistrust.net> * Pin gitops-engine to v0.7.3 Signed-off-by: jannfis <jann@mistrust.net> * Bump version to 2.4.11 * Bump version to 2.4.11 * fix: invalid error handling (argoproj#10384) (argoproj#10385) os.IsNotExist only supports errors returned by the os package Signed-off-by: mikutas <23391543+mikutas@users.noreply.github.com> Signed-off-by: mikutas <23391543+mikutas@users.noreply.github.com> * fix: appset controller should preserve argocd refresh annotation (argoproj#10510) Signed-off-by: Jesse Suen <jesse@akuity.io> Signed-off-by: Jesse Suen <jesse@akuity.io> * fix: Added mock for gitea response in appset PR,SCM generator (argoproj#9400) * fix: Added mock for gitea response Signed-off-by: rishabh625 <rishabhmishra625@gmail.com> * applied reviewers comment Signed-off-by: rishabh625 <rishabhmishra625@gmail.com> * test: fix flaky gitea tests (argoproj#10354) * test: fix flaky gitea tests Signed-off-by: CI <michael@crenshaw.dev> * embed test data Signed-off-by: CI <michael@crenshaw.dev> Signed-off-by: CI <michael@crenshaw.dev> * fix: added github and gitlab response mock and replaced external calls (argoproj#9305) * Added mock for gitlab and github for Unit test Signed-off-by: rishabh625 <rishabhmishra625@gmail.com> * Added missing mock endpoint Signed-off-by: rishabh625 <rishabhmishra625@gmail.com> * removed println and aserted for 1 master branch Signed-off-by: rishabh625 <rishabhmishra625@gmail.com> * removed auth header assertion Signed-off-by: rishabh625 <rishabhmishra625@gmail.com> * procfile to run binaries instead go run Signed-off-by: rishabh625 <rishabhmishra625@gmail.com> * procfile to run binaries instead go run Signed-off-by: rishabh625 <rishabhmishra625@gmail.com> * reverted unintentional testdata change Signed-off-by: rishabh625 <rishabhmishra625@gmail.com> * Added test for branch do not exists Signed-off-by: rishabh625 <rishabhmishra625@gmail.com> * fix: hide terminal on the non-pod resource kind (argoproj#9980) (argoproj#10556) Signed-off-by: ashutosh16 <11219262+ashutosh16@users.noreply.github.com> Signed-off-by: ashutosh16 <11219262+ashutosh16@users.noreply.github.com> * docs: remove duplicate word in user-management doc (argoproj#10546) Signed-off-by: Mickaël Canévet <mickael.canevet@jellysmack.com> Signed-off-by: Mickaël Canévet <mickael.canevet@jellysmack.com> * fix: update deploymentConfig's healthcheck to wait for replicationController to be Available (argoproj#10462) * update deploymentConfig's healthcheck to wait for replicationController to be available Signed-off-by: Roncajolo Gerald <groncajolo@softwaymedical.fr> * Add Softway Medical to users Signed-off-by: Roncajolo Gerald <groncajolo@softwaymedical.fr> Signed-off-by: Roncajolo Gerald <groncajolo@softwaymedical.fr> * docs: Fix Broken Link in Getting Started Docs (argoproj#10585) * Fix Broken Link Signed-off-by: Greg Knoblauch <knoblauch.greg@gmail.com> * Update docs/getting_started.md Co-authored-by: asingh <11219262+ashutosh16@users.noreply.github.com> Signed-off-by: Greg Knoblauch <knoblauch.greg@gmail.com> Signed-off-by: Greg Knoblauch <knoblauch.greg@gmail.com> Co-authored-by: asingh <11219262+ashutosh16@users.noreply.github.com> * docs: update description of policy.csv example in rbac.md (argoproj#10565) Signed-off-by: Minchao <minchao.220@gmail.com> Signed-off-by: Minchao <minchao.220@gmail.com> * fix: add skip-test-tls flag to optionally skip testing for tls (argoproj#9679) (argoproj#10484) * feat: add skip-test-tls flag to optionally skip testing for tls, fixes argoproj#9679 Signed-off-by: msvechla <m.svechla@gmail.com> * docs: update cli documentation Signed-off-by: msvechla <m.svechla@gmail.com> Signed-off-by: msvechla <m.svechla@gmail.com> * docs: decision about logs RBAC enforcement in release notes for 2.4 (argoproj#10564) Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * Bump version to 2.4.12 * Bump version to 2.4.12 * docs: Changes for v2.4.12 Updated the CHANGES.md to represent what changes the pull request will introduce. Contributes to: automation-saas/native-AWS#2523 Signed-off-by: Sujeily Fonseca <sujeily.fonseca@ibm.com> Co-authored-by: Michael Crenshaw <michael@crenshaw.dev> Co-authored-by: argo-bot <argoproj@gmail.com> Co-authored-by: YaytayAtWork <jim.talbut@groupgti.com> Co-authored-by: Didrik Finnøy <djfinnoy@protonmail.com> Co-authored-by: Jake <86763948+notfromstatefarm@users.noreply.github.com> Co-authored-by: Shunki <75064402+shunki-fujita@users.noreply.github.com> Co-authored-by: jannfis <jann@mistrust.net> Co-authored-by: Hyeonmin Park <hyeonmin.park@kennysoft.kr> Co-authored-by: yongguangl <1363186473@qq.com> Co-authored-by: Xiao Yang <muma.378@163.com> Co-authored-by: Yuan Tang <terrytangyuan@gmail.com> Co-authored-by: taksenov <TAksenov@users.noreply.github.com> Co-authored-by: Kostis (Codefresh) <39800303+kostis-codefresh@users.noreply.github.com> Co-authored-by: rishabh625 <43094970+rishabh625@users.noreply.github.com> Co-authored-by: Soumya Ghosh Dastidar <44349253+gdsoumya@users.noreply.github.com> Co-authored-by: Jim Wright <jmwri@users.noreply.github.com> Co-authored-by: 34FathomBelow <34fathombelow@protonmail.com> Co-authored-by: Ashutosh <11219262+ashutosh16@users.noreply.github.com> Co-authored-by: Ashutosh <mail.ashutosh8@gmail.com> Co-authored-by: Sahdev Zala <spzala@us.ibm.com> Co-authored-by: Snyk bot <snyk-bot@snyk.io> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> Co-authored-by: Mohamed Iflan <55939511+iflan7744@users.noreply.github.com> Co-authored-by: iflan7744 <iflan_mohamed@yahoo.com> Co-authored-by: Yves Richard <yves@klaodlabs.com> Co-authored-by: my-git9 <xin.li@daocloud.io> Co-authored-by: Renaud Guérin <renaud@renaudguerin.net> Co-authored-by: reggie-k <reginakagan@gmail.com> Co-authored-by: Kerwood <patrick@kerwood.dk> Co-authored-by: Sverre Boschman <1142569+sboschman@users.noreply.github.com> Co-authored-by: César M. Cristóbal <cesar@callepuzzle.com> Co-authored-by: Brandon High <highb@users.noreply.github.com> Co-authored-by: Tadayuki Onishi <tt.tanishi100@gmail.com> Co-authored-by: jsmcnair <john@jsmcnair.com> Co-authored-by: JesseBot <jessebot@linux.com> Co-authored-by: Xijun Dai <daixijun1990@gmail.com> Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com> Co-authored-by: Jesse Suen <jessesuen@users.noreply.github.com> Co-authored-by: Mickaël Canévet <mickael.canevet@jellysmack.com> Co-authored-by: Gerald Roncajolo <grc@necol.org> Co-authored-by: Greg Knoblauch <knoblauch.greg@gmail.com> Co-authored-by: Minchao <minchao.220@gmail.com> Co-authored-by: msvechla <m.svechla@gmail.com>
|
I believe this was implemented |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Summary
Need to disable the access to pod logs in the UI / cli for some users
Motivation
Security considerations. Operators of the deployments are sometimes not allowed to see the pod logs, which possibly contain sensitive business data.
Proposal
RBAC based approach to pod logs, API enforced.
Something like the following project policy may be appropriate:
"- p, proj:my-project:log-viewer, log, get, my-project/*, allow"
From 18.11 Meeting notes:
Migration requires work for those who use project RBAC extensively
Transitionary release that doesn’t break logs by default?
Also discussed here:
#7686
The text was updated successfully, but these errors were encountered: