argo-helm
Delete permissions for argocd server clusterrole
Describe the bug
See https://github.com/argoproj/argo-helm/blob/cabe63d2b65ef6708567c249e676fce069815b6d/charts/argo-cd/templates/argocd-server/clusterrole.yaml#L15
argo-cd server has delete permissions on all resources, and there is no way to overrule this with the "clusterRoleRules.rules" setting, as is available for e.g. notifications.
It cannot even create (only get and patch), yet it can delete anything? Even patch seems more than needed (given https://github.com/argoproj/argo-helm/issues/61).
Also mentioned in https://github.com/argoproj/argo-helm/pull/62.
If the service account for argocd server is compromised, then all resources cluster-wide can be deleted.
Related helm chart
argo-cd
Helm chart version
main
To Reproduce
Check https://github.com/argoproj/argo-helm/blob/cabe63d2b65ef6708567c249e676fce069815b6d/charts/argo-cd/templates/argocd-server/clusterrole.yaml#L15
Expected behavior
Possibility to specify a limited set of resources in custom rules.
Screenshots
No response
Additional context
No response
Hi @mdraijer
It cannot even create (only get and patch), yet it can delete anything? Even patch seems more than needed.
It's reasonable to specify the target of the permission, but it would be appreciated if you investigated which targets are enough and submitted a patch upstream, because argo-helm follows upstream's manifest.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
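One way to check a cluster for the condition this issue reports, as an added example (not code from the argo-helm chart or from anyone in this thread): it scans a ClusterRole, in the JSON shape returned by `kubectl get clusterrole <name> -o json`, for rules that allow delete on wildcard resources. The sample role, its name, and the second and third rules are constructed; only the first rule follows the issue's description.

```python
import json

# Constructed sample in the shape of `kubectl get clusterrole <name> -o json`.
# Rule 0 follows the issue's description (get, patch and delete on everything);
# the role name and the other rules are made up for contrast.
SAMPLE_CLUSTERROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "example-argocd-server"},
  "rules": [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["delete", "get", "patch"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["list"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "delete"]}
  ]
}
""")

DESTRUCTIVE = {"delete", "deletecollection", "*"}


def broad_delete_rules(role):
    """Return (rule index, reason) for each rule granting delete on a
    wildcard resource set rather than on explicitly named resources."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        if not DESTRUCTIVE & set(rule.get("verbs", [])):
            continue  # this rule cannot delete anything
        if "*" not in rule.get("resources", []):
            continue  # delete is limited to the listed resource types
        if rule.get("resourceNames"):
            continue  # delete is limited to specific object names
        groups = rule.get("apiGroups", [])
        if "*" in groups:
            reason = "delete on all resources in all API groups"
        else:
            reason = "delete on all resources in API groups %r" % groups
        findings.append((i, reason))
    return findings


if __name__ == "__main__":
    name = SAMPLE_CLUSTERROLE["metadata"]["name"]
    for index, reason in broad_delete_rules(SAMPLE_CLUSTERROLE):
        print("%s rule[%d]: %s" % (name, index, reason))
```

To audit a live cluster, load the output of `kubectl get clusterrole <name> -o json` with `json.load` in place of the sample.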