Open tooptoop4 opened 1 year ago
Not sure we can support a wildcard, since it can allow unintended broad permissions. For example, suppose you have deployments `prefix` and `prefix-suffix`. If you allow a wildcard for pod names like `prefix*`, the latter one would also be allowed. Note that the latter deployment can even belong to a different app. We can try to come up with something based on the deployment/rollout name.

However, I want to better understand the need for this. An ability to exec into pods is a pretty strong thing. If you have pods you want to deny exec to, but allow for others, this seems like a use case for some cluster-critical resources, which probably should belong to a different app and maybe a different namespace. https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#the-exec-resource. Please share the use case details.
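As an added illustration of the over-matching concern raised above (this is not code from the issue or from the Argo CD project), the evaluator below reads policy lines in the `p, subject, resource, action, object, effect` shape that Argo CD's policy.csv uses, with the `exec` object written as `<project>/<app>` as in the linked docs. Glob matching here is Python's `fnmatch`, a simplification of Argo CD's real matcher, and the role names and app names are constructed; the deny-overrides rule in `is_allowed` is the example's own convention.

```python
from fnmatch import fnmatchcase

# Constructed policy lines in the policy.csv shape used by Argo CD RBAC:
#   p, <subject>, <resource>, <action>, <object>, <effect>
# role:ops-exact names one app; role:ops-wild uses the prefix glob from the thread.
POLICY = """
p, role:ops-exact, exec, create, critical/prefix, allow
p, role:ops-wild, exec, create, critical/prefix*, allow
p, role:ops-wild-deny, exec, create, critical/prefix*, allow
p, role:ops-wild-deny, exec, create, critical/prefix-suffix, deny
"""


def parse_policy(text):
    """Parse 'p' lines into (subject, resource, action, object, effect) tuples."""
    rules = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 6 or parts[0] != "p":
            continue  # ignore malformed or non-policy lines
        rules.append(tuple(parts[1:]))
    return rules


def is_allowed(rules, subject, resource, action, obj):
    """Deny by default; an explicit matching deny wins over any matching allow."""
    allowed = False
    for s, r, a, o, effect in rules:
        if (s == subject and fnmatchcase(resource, r)
                and fnmatchcase(action, a) and fnmatchcase(obj, o)):
            if effect == "deny":
                return False
            allowed = True
    return allowed


def exec_targets(rules, subject, project, app_names):
    """Return the apps in `project` that `subject` may exec into, sorted."""
    return sorted(app for app in app_names
                  if is_allowed(rules, subject, "exec", "create", f"{project}/{app}"))


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    apps = ["prefix", "prefix-suffix", "unrelated"]
    for role in ("role:ops-exact", "role:ops-wild", "role:ops-wild-deny"):
        print(role, "->", exec_targets(rules, role, "critical", apps))
```

Running it shows the point of the comment: the exact rule reaches only `prefix`, while the `prefix*` glob silently also reaches `prefix-suffix`. A deny line can claw that back, but only for names you already know about, which is why scoping exec by project or namespace is the safer shape.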
My understanding of the current RBAC is that if we enable exec into pods, it can only be filtered at the AppProject/group level. I would also like to filter to a specific pod name pattern. That way we can ensure only a pod with limited tools installed on it can be used.