New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"Deny destinations" for Projects #9464
Comments
Just to push this, this is tremendously important for us, since we want our users to be able to deploy what they want, but to not mess around with the namespace where our landscape apps are running. Is there any way around this with the current versions? Thanks |
Hello, |
I also really need this feature |
This is a feature that I would also need very much. Thank you! |
@thomassandslyst what do you think of the |
IMO I think that having the |
I also really need this feature |
This adds the ability to selectively deny destinations, by prefixing either its `namespace` or `server` with a `!`. Closes argoproj#9464. Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
Hello. |
Hello, |
Need some final approvals on #9652 for that to happen 😄 |
This will be in 2.5 (~mid-August). Thank you @blakepettersson! |
Summary
Currently projects can have a list of destinations to the namespaces and clusters they can deploy to, but there is nothing to say "You can deploy anywhere except...".
Motivation
We have a few general use projects that all our deployments go into currently. We've now got a demand to make a protected area but ArgoCD's projects model doesn't allow you to specify where you can't deploy, and given that ArgoCD has cluster admin anyone can make a deployment in the normal project which deploys to a protected namespace.
Proposal
Support glob-style strings for the destinations
namespace
andserver
elements with the ability to deny it by prefixing with "!". This is used quite well in Serverless's patterns.If there are only "allow" destinations then it would default to deny-everything-else.
If there are only "deny" destinations then it would default to allow-everything-else.
The text was updated successfully, but these errors were encountered: