Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhancement: Support for Overriding Argo CD Server ClusterRole Permissions #2605

Closed
edmondshtogu opened this issue Mar 25, 2024 · 0 comments · Fixed by #2606
Closed

Enhancement: Support for Overriding Argo CD Server ClusterRole Permissions #2605

edmondshtogu opened this issue Mar 25, 2024 · 0 comments · Fixed by #2606
Labels
argo-cd enhancement

Comments

@edmondshtogu
Copy link
Contributor

Is your feature request related to a problem?

When deploying Argo CD using the helm chart, enabling cluster roles for the Argo CD server results in the server obtaining extensive permissions due to the broadly defined ClusterRole. This broad permission set can be a concern in environments where security policies require minimum necessary permissions. Moreover, if there's a need to reduce the cluster role permissions for the application controller, it becomes challenging to reconcile and adjust the permissions for the server's ClusterRole accordingly.

The concern is primarily around the default ClusterRole permissions which are as follows:

{{- if .Values.createClusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "argo-cd.server.fullname" . }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - delete
      - get
      - patch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - list
      {{- if (index .Values.configs.params "application.namespaces") }}
      - create
      {{- end }}
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/log
    verbs:
      - get
  {{- if eq (toString (index .Values.configs.cm "exec.enabled")) "true" }}
  - apiGroups:
      - ""
    resources:
      - pods/exec
    verbs:
      - create
  {{- end }}
  - apiGroups:
      - argoproj.io
    resources:
      - applications
      - applicationsets
    verbs:
      - get
      - list
      - update
      - watch
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - create
  - apiGroups:
      - argoproj.io
    resources:
      - workflows
    verbs:
      - create
{{- end }}

Related helm chart

argo-cd

Describe the solution you'd like

An option to override or customize the ClusterRole permissions for the Argo CD server would provide flexibility to adjust permissions in line with organizational security policies. A values.yaml entry to specify custom resource permissions or completely override the default cluster role would be desirable.

For example, introducing .Values.server.clusterRole.rules could allow users to specify their own sets of permissions directly in the values.yaml file.

{{- if .Values.createClusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "argo-cd.server.fullname" . }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
rules:
  {{- if .Values.server.clusterRoleRules.enabled }}
    {{- toYaml .Values.server.clusterRoleRules.rules | nindent 2 }}
  {{- else }}
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - delete
      - get
      - patch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - list
      {{- if (index .Values.configs.params "application.namespaces") }}
      - create
      {{- end }}
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/log
    verbs:
      - get
  {{- if eq (toString (index .Values.configs.cm "exec.enabled")) "true" }}
  - apiGroups:
      - ""
    resources:
      - pods/exec
    verbs:
      - create
  {{- end }}
  - apiGroups:
      - argoproj.io
    resources:
      - applications
      - applicationsets
    verbs:
      - get
      - list
      - update
      - watch
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - create
  - apiGroups:
      - argoproj.io
    resources:
      - workflows
    verbs:
      - create
  {{- end }}
{{- end }}

Describe alternatives you've considered

As a workaround, manually editing the ClusterRole after deployment is possible but not ideal as it interferes with GitOps principles and requires additional operational steps that could potentially be automatable.

Additional context

This feature request aims to increase the security adaptability of the Argo CD helm chart for use in various environments with different security postures. Being able to fine-tune permissions would enhance its usability and safety.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
argo-cd enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(argo-cd): enabled server cluster role permissions overriding edmondshtogu/argo-helm
2 participants
@mkilchhofer @edmondshtogu