Is your feature request related to a problem?
When deploying Argo CD using the helm chart, enabling cluster roles for the Argo CD server results in the server obtaining extensive permissions due to the broadly defined ClusterRole. This broad permission set can be a concern in environments where security policies require minimum necessary permissions. Moreover, if there's a need to reduce the cluster role permissions for the application controller, it becomes challenging to reconcile and adjust the permissions for the server's ClusterRole accordingly.
The concern is primarily around the default ClusterRole permissions which are as follows:
Related helm chart
argo-cd
Describe the solution you'd like
An option to override or customize the ClusterRole permissions for the Argo CD server would provide flexibility to adjust permissions in line with organizational security policies. A values.yaml entry to specify custom resource permissions or completely override the default cluster role would be desirable.
For example, introducing .Values.server.clusterRole.rules could allow users to specify their own sets of permissions directly in the values.yaml file.
Describe alternatives you've considered
As a workaround, manually editing the ClusterRole after deployment is possible but not ideal as it interferes with GitOps principles and requires additional operational steps that could potentially be automatable.
Additional context
This feature request aims to increase the security adaptability of the Argo CD helm chart for use in various environments with different security postures. Being able to fine-tune permissions would enhance its usability and safety.
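Added example (not part of the issue or of the argo-cd chart): one way to check a rendered or live ClusterRole against a least-privilege allowlist, whether its rules come from the chart, a manual edit, or a values override like the one proposed above. The role name, the sample rules and the ALLOWED policy are constructed assumptions.

```python
import json

# Constructed sample in the shape `kubectl get clusterrole <name> -o json`
# returns. Name and rules are illustrative, not the chart's defaults.
SAMPLE_ROLE = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "example-server"},
 "rules": [
  {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "delete"]},
  {"apiGroups": [""], "resources": ["events"], "verbs": ["list", "create"]},
  {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "patch"]}
 ]}
""")

# Hypothetical organizational policy: the only (apiGroup, resource, verb)
# triples this role may hold. "" is the core API group.
ALLOWED = {
    ("", "events", "list"), ("", "events", "create"),
    ("apps", "deployments", "get"),
}

def excess_permissions(role, allowed):
    """Return sorted (group, resource, verb) triples not covered by `allowed`.

    Any triple containing "*" is always reported: a wildcard cannot be
    shown to stay inside a finite allowlist.
    """
    excess = set()
    for rule in role.get("rules") or []:
        verbs = rule.get("verbs", [])
        if "nonResourceURLs" in rule:
            # Non-resource rules (e.g. /metrics) are outside the allowlist
            # model, so surface them for manual review.
            excess.update(("nonResourceURL", url, v)
                          for url in rule["nonResourceURLs"] for v in verbs)
            continue
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                for verb in verbs:
                    triple = (group, resource, verb)
                    if any("*" in part for part in triple) or triple not in allowed:
                        excess.add(triple)
    return sorted(excess)

if __name__ == "__main__":
    for group, resource, verb in excess_permissions(SAMPLE_ROLE, ALLOWED):
        print(f"not allowed: group={group!r} resource={resource!r} verb={verb!r}")
```

Run against the output of helm template or the live object in CI, a non-empty result can fail the pipeline so that permission drift is caught before deployment.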