Delete permissions for argocd server clusterrole

[mdraijer]

Describe the bug

See https://github.com/argoproj/argo-helm/blob/cabe63d2b65ef6708567c249e676fce069815b6d/charts/argo-cd/templates/argocd-server/clusterrole.yaml#L15

argo-cd server has delete permissions on all resources, and there is no way to overrule this with the "clusterRoleRules.rules" setting, as is available for e.g. notifications.

It cannot even create (only get and patch), yet it can delete anything? Even patch seems more than needed (given https://github.com/argoproj/argo-helm/issues/61).

Also mentioned in https://github.com/argoproj/argo-helm/pull/62.

If the service account for argocd server is compromised, then all resources cluster wide can be deleted.

Related helm chart

argo-cd

Helm chart version

main

To Reproduce

Check https://github.com/argoproj/argo-helm/blob/cabe63d2b65ef6708567c249e676fce069815b6d/charts/argo-cd/templates/argocd-server/clusterrole.yaml#L15

Expected behavior

Possibility to specify limited set of resources in custom rules.

Screenshots

No response

Additional context

No response

[yu-croco]

Hi @mdraijer

It cannot even create (only get and patch), yet it can delete anything? Even patch seems more than needed.

It's reasonable to specify the target of permission but it'll be appreciate it if you investigate which targets are enough and patch to upstream because argo-helm follows upstream's manifest.

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.