argo-cd
Enable logs RBAC enforcement by default
Summary
In 2.4 we introduced new RBAC for logs. In 2.5, we should enable that enforcement by default as promised in the 2.3 -> 2.4 upgrade guide.
Motivation
We said we'd do it. :-)
Proposal
Set the flag to true by default, and add a note to the 2.4 -> 2.5 upgrade notes.
I think we should save this for 3.0.
Project-scoped roles can currently only hold RBAC for the `applications` resource. So this change would break logs for anyone who relies on a Project-scoped role implicitly granting logs access via `applications, get`.
I know that this is not enabled by default in 2.x, but after upgrading to argo-helm 5.8.7, I had to explicitly add `p, role:admin, logs, get, */*, allow` for the admin user to re-enable the logs.
Shouldn't this be added also to the admin by default?
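
The breakage discussed in this thread can be checked for before the flag is turned on. The following is an added example, not code from the Argo CD project or from any commenter: it lists subjects that hold `applications, get` but no `logs, get`, and so would lose log access under enforcement. The sample policy and the `team-a` names are constructed, and the matching is a simplification (glob match on resource and action only; object scope, `deny` rules and `g` inheritance are ignored).

```python
import csv
from fnmatch import fnmatchcase

# Constructed sample policy lines (not from the issue); "team-a" is hypothetical.
SAMPLE_POLICY = """\
p, role:admin, applications, *, */*, allow
p, role:admin, logs, get, */*, allow
p, role:readonly, applications, get, */*, allow
p, proj:team-a:viewer, applications, get, team-a/*, allow
p, role:ci, applications, sync, team-a/*, allow
g, alice, role:readonly
"""


def parse_policy(text):
    """Yield (subject, resource, action, object, effect) for each 'p' line."""
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        row = [field.strip() for field in row]
        if len(row) >= 5 and row[0] == "p":
            effect = row[5] if len(row) > 5 else "allow"
            yield row[1], row[2], row[3], row[4], effect


def grants(rules, resource, action):
    """Subjects with an allow rule whose resource and action globs match."""
    return {
        subject
        for subject, res, act, _obj, effect in rules
        if effect == "allow"
        and fnmatchcase(resource, res)
        and fnmatchcase(action, act)
    }


def subjects_losing_logs(policy_text):
    """Subjects that can view applications but have no explicit logs grant."""
    rules = list(parse_policy(policy_text))
    can_view_apps = grants(rules, "applications", "get")
    can_view_logs = grants(rules, "logs", "get")
    return sorted(can_view_apps - can_view_logs)


if __name__ == "__main__":
    for subject in subjects_losing_logs(SAMPLE_POLICY):
        print(f"{subject}: has applications/get but no logs/get")
```

Each subject it reports needs an explicit `logs, get` line (as in the `role:admin` line quoted above) if it should keep log access once enforcement is enabled.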