argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Allow restricting branches permitted for manual sync #10439

Open akloss-cibo opened 2 years ago

akloss-cibo commented 2 years ago

Summary

When manually sync'ing an Application, ArgoCD permits the user to specify an arbitrary branch to use for the sources. This makes controlling the resources difficult. It would be lovely to be able to restrict the branches that can be synced to a specific list.

Motivation

Preventing a single individual from being able to create arbitrary resources in a cluster is desirable from a security and audit perspective.

Proposal

As discussed in Slack, having an extra setting in the sync section of the Application would suit my needs, but there's some preference to configure this into the AppProject instead, which seems fine.

alejandrolr commented 2 years ago

+1, very useful feature. Any update?

akloss-cibo commented 2 years ago

FYI, I have worked around this by enabling automatic synchronization on everything in environments that are sensitive.

wy100101 commented 6 months ago

Any movement here? It is kind of unfortunate that I have to use auto sync to meet compliance requirements because sync permission actually allows me to change the branch.
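An added example, not part of the thread and not Argo CD project code: an audit that lists Applications without automated sync (the workaround described above) and flags a last user-initiated sync whose requested revision differs from the configured `targetRevision`. The field paths (`spec.syncPolicy.automated`, `spec.source.targetRevision`, `status.operationState.operation.sync.revision`, `operation.initiatedBy`) are assumptions based on the Application CRD, the sample data is constructed, and only single-source Applications are handled.

```python
# Added example: audit Argo CD Applications for the manual-sync revision gap.
# Field paths are assumptions based on the Application CRD (single-source apps only).

# Constructed sample, shaped like `kubectl get applications.argoproj.io -A -o json`.
SAMPLE = {"items": [
    {"metadata": {"name": "payments"},
     "spec": {"source": {"targetRevision": "main"},
              "syncPolicy": {"automated": {}}}},
    {"metadata": {"name": "billing"},
     "spec": {"source": {"targetRevision": "main"}},
     "status": {"operationState": {"operation": {
         "initiatedBy": {"username": "alice"},
         "sync": {"revision": "feature/test"}}}}},
    {"metadata": {"name": "docs"},
     "spec": {"source": {"targetRevision": "main"}},
     "status": {"operationState": {"operation": {
         "initiatedBy": {"username": "bob"},
         "sync": {"revision": "main"}}}}},
]}


def audit(app_list):
    """Return (app, issue, detail) tuples for Applications exposed to the gap."""
    findings = []
    for app in app_list.get("items", []):
        name = app["metadata"]["name"]
        spec = app.get("spec") or {}
        # Workaround from the thread: auto-sync enabled, so skip these.
        if (spec.get("syncPolicy") or {}).get("automated") is not None:
            continue
        target = (spec.get("source") or {}).get("targetRevision") or "HEAD"
        findings.append((name, "manual-sync-allowed", target))
        state = (app.get("status") or {}).get("operationState") or {}
        op = state.get("operation") or {}
        who = op.get("initiatedBy") or {}
        requested = (op.get("sync") or {}).get("revision")
        # Flag a user-initiated sync whose requested revision differs from the spec.
        if requested and not who.get("automated") and requested != target:
            user = who.get("username", "unknown")
            findings.append((name, "revision-override", f"{requested} by {user}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

To run it against a cluster, load the saved `kubectl` JSON output with `json.load` and pass the result to `audit`.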