
"Deny destinations" for Projects #9464

Closed
thomassandslyst opened this issue May 20, 2022 · 11 comments · Fixed by #9652
Labels
enhancement New feature or request security Security related

Comments

thomassandslyst commented May 20, 2022

Summary

Currently, projects can have a list of destinations (the namespaces and clusters they can deploy to), but there is nothing to say "You can deploy anywhere except...".

Motivation

We have a few general-use projects that all our deployments currently go into. We've now got a demand to make a protected area, but ArgoCD's projects model doesn't allow you to specify where you can't deploy, and given that ArgoCD has cluster admin, anyone can make a deployment in the normal project which deploys to a protected namespace.

Proposal

Support glob-style strings for the destinations' namespace and server elements, with the ability to deny a destination by prefixing it with "!". This is used quite well in Serverless's patterns.
If there are only "allow" destinations then it would default to deny-everything-else.
If there are only "deny" destinations then it would default to allow-everything-else.
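As an added example (not code from the issue, from PR #9652, or from Argo CD itself), the Go snippet below implements the three rules the proposal states: a `!` prefix on `namespace` or `server` marks a deny entry, an allow-only list denies everything else, and a deny-only list allows everything else, with a matching deny entry always winning. The `Destination` and `Target` types, the `globMatch` helper, the `IsDestinationPermitted` name and the sample rule sets are all constructed for this illustration. How the merged implementation actually resolves precedence between allow and deny entries is not described on this page; check the Argo CD 2.5 project documentation before relying on either behaviour.

```go
package main

import (
	"fmt"
	"strings"
)

// Destination is one entry of a project's destination list. Either field may
// carry a leading "!" to turn the entry into a deny rule, as the issue proposes.
// (Constructed type for this example, not Argo CD's own.)
type Destination struct {
	Server    string
	Namespace string
}

// Target is the concrete cluster/namespace an Application wants to sync to.
type Target struct {
	Server    string
	Namespace string
}

// globMatch supports '*' (any run of characters, including '/') and '?' (one
// character). Hypothetical helper; a real implementation would use a glob library.
func globMatch(pattern, s string) bool {
	for len(pattern) > 0 {
		switch pattern[0] {
		case '*':
			// Collapse consecutive stars, then try every split point of s.
			for len(pattern) > 0 && pattern[0] == '*' {
				pattern = pattern[1:]
			}
			if pattern == "" {
				return true
			}
			for i := 0; i <= len(s); i++ {
				if globMatch(pattern, s[i:]) {
					return true
				}
			}
			return false
		case '?':
			if s == "" {
				return false
			}
		default:
			if s == "" || s[0] != pattern[0] {
				return false
			}
		}
		pattern, s = pattern[1:], s[1:]
	}
	return s == ""
}

// isDeny reports whether the entry is a deny rule (any field prefixed with "!").
func (d Destination) isDeny() bool {
	return strings.HasPrefix(d.Server, "!") || strings.HasPrefix(d.Namespace, "!")
}

// matches evaluates the entry against the target with any "!" prefix stripped,
// so "!kube-system" on server "*" matches kube-system on every cluster.
func (d Destination) matches(t Target) bool {
	return globMatch(strings.TrimPrefix(d.Server, "!"), t.Server) &&
		globMatch(strings.TrimPrefix(d.Namespace, "!"), t.Namespace)
}

// IsDestinationPermitted applies the precedence the issue asks for:
//  1. any matching deny entry wins;
//  2. if allow entries exist, the target must match one of them;
//  3. a deny-only list allows everything else.
func IsDestinationPermitted(rules []Destination, t Target) bool {
	hasAllow, allowed := false, false
	for _, r := range rules {
		if r.isDeny() {
			if r.matches(t) {
				return false
			}
			continue
		}
		hasAllow = true
		if r.matches(t) {
			allowed = true
		}
	}
	return !hasAllow || allowed
}

// Constructed sample rule sets: a deny-only "protected area" list and a mixed list.
var protectedRules = []Destination{
	{Server: "*", Namespace: "!kube-system"},
	{Server: "*", Namespace: "!argocd"},
	{Server: "!https://prod.example.com", Namespace: "*"},
}

var mixedRules = []Destination{
	{Server: "https://kubernetes.default.svc", Namespace: "team-*"},
	{Server: "*", Namespace: "!team-admin"},
}

func main() {
	inCluster := "https://kubernetes.default.svc"
	for _, tc := range []Target{
		{Server: inCluster, Namespace: "team-a"},
		{Server: inCluster, Namespace: "kube-system"},
		{Server: "https://prod.example.com", Namespace: "team-a"},
	} {
		fmt.Printf("protected: %s/%s -> %v\n", tc.Server, tc.Namespace, IsDestinationPermitted(protectedRules, tc))
	}
	for _, tc := range []Target{
		{Server: inCluster, Namespace: "team-a"},
		{Server: inCluster, Namespace: "team-admin"},
		{Server: inCluster, Namespace: "default"},
	} {
		fmt.Printf("mixed: %s/%s -> %v\n", tc.Server, tc.Namespace, IsDestinationPermitted(mixedRules, tc))
	}
}
```

The deny-first ordering is the security-relevant choice: an allow entry such as `team-*` cannot be widened to reach a namespace that a deny entry names, even if the deny entry appears later in the list, which is what the "protected namespace" use case in the issue needs.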

@thomassandslyst thomassandslyst added the enhancement New feature or request label May 20, 2022
@crenshaw-dev crenshaw-dev added the security Security related label May 23, 2022
@flaviomoringa

Just to push this: it is tremendously important for us, since we want our users to be able to deploy what they want, but not to mess around with the namespaces where our landscape apps are running.

Is there any way around this with the current versions?

Thanks

@ricardojdsilva87

Hello,
Just to add some information. The deny for a namespace, for example, would need to be done on the Argo side, meaning that we could not use the Role, RoleBinding and ClusterRoleBinding settings of Kubernetes as is being done right now, because the Kubernetes API can only be used to allow access to resources and does not support regex patterns or deny rules.
This limits the actions on the Argo CD side, since if we allow deployment to just one namespace it will prevent the user from creating new namespaces, and if we deny access to create certain API resources (pods, deployments, ingresses) it will be denied in all namespaces.
This would be a great feature for Argo!
Thanks

ricmano commented Jun 9, 2022

I also really need this feature

tzeappa commented Jun 9, 2022

This is a feature that I would also need very much. Thank you!

@crenshaw-dev (Collaborator)

@thomassandslyst what do you think of the !exclude pattern in the destinations field vs. a namespace field in the resource deny-list? #9047

blakepettersson (Member) commented Jun 14, 2022

IMO I think that having the !exclude pattern is more extendable; we could extend this pattern elsewhere to e.g. exclude sources.

@TiaguPinto

I also really need this feature

blakepettersson added a commit to blakepettersson/argo-cd that referenced this issue Jul 6, 2022
This adds the ability to selectively deny destinations, by prefixing
either its `namespace` or `server` with a `!`. Closes argoproj#9464.

Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
@mvlbarcelos

Hello.
This feature would be amazing.

@alfredo-gil

Hello,
It would be great to have this feature!

@blakepettersson (Member)

Need some final approvals on #9652 for that to happen 😄

jannfis pushed a commit that referenced this issue Jul 29, 2022
This adds the ability to selectively deny destinations, by prefixing
either its `namespace` or `server` with a `!`. Closes #9464.

Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
@crenshaw-dev (Collaborator)

This will be in 2.5 (~mid-August). Thank you @blakepettersson!

10 participants