Jann Fischer
Jann Fischer
Hi there, I'm just trying to get started with fuzz-testing a project I maintain. However, I hit the very same issue when trying to run `go-fuzz-build` on a package I...
On this note, I think a real improvement would be to refactor this code to use https://github.com/argoproj/argo-cd/blob/7bd9e1eb83df515f1f558b2a524ffb5f8b2e935a/util/cli/cli.go#L115 :)
> So I could go with the idea that if I find an allow, then I will allow the action. But then I can have policies like below which will...
I think it would be a bad policy to deny `https://kubernetes.default.svc` but allow `in-cluster` (or vice versa). So can we safely assume the following? ```go errSrv := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceClusters, rbacpolicy.ActionGet,...
`deny` rules won't override an existing `allow` rule with our current RBAC model. This is what I was trying to say in https://github.com/argoproj/argo-cd/issues/4712#issuecomment-724176472
So the `require.NoError(t, err)` does fail? That is weird. I just tested the following policy with two apps in the cluster, `guestbook` and `guestbook2` (`policy.default` is set to empty) ```...
Sorry, my fault. I used wrong format for the policy. Please ignore everything I wrote about allow/deny.
> Curious about how this affects other resources (when declared outside of the control plane namespace): > * AppProject - Suppose I created a namespace per environment, could I have...
> I would expect namespaced AppProjects to have similar restrictions to namespaced apps. i.e., they can only be assigned to applications in the same namespace, can only access secrets from...
@crenshaw-dev Thanks for the review! I have addressed almost all of your comments. For the RBAC change (which has not yet been made), I was twisting my head. I see...