argo-cd icon indicating copy to clipboard operation
argo-cd copied to clipboard

Published 20 hours ago verified publisher icon argoproj

Enable logs RBAC enforcement by default

Open crenshaw-dev opened this issue 1 year ago • 1 comments

Summary

In 2.4 we introduced new RBAC for logs. In 2.5, we should enable that enforcement by default as promised in the 2.3 -> 2.4 upgrade guide.

Motivation

We said we'd do it. :-)

Proposal

Set the flag to true by default, and add a note to the 2.4 -> 2.5 upgrade notes.

crenshaw-dev avatar Sep 08 '22 13:09 crenshaw-dev

I think we should save this for 3.0.

Project-scoped roles can currently only hold RBAC for the applications resource. So this change would break logs for anyone who relies on a Project-scoped role implicitly granting logs access via applications, get.

crenshaw-dev avatar Sep 09 '22 18:09 crenshaw-dev

I know that this is not enabled by default in 2.x, but after upgrading to argo-helm 5.8.7, I had to explicitly add p, role:admin, logs, get, */*, allow for the admin user to re-enable the logs.

Shouldn't this be added also to the admin by default?

niqdev avatar Oct 30 '22 16:10 niqdev