argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Can't set a RBAC policy on "creation of ApplicationSet in a specific AppProject" #18014

Open behniafb opened 7 months ago

behniafb commented 7 months ago

Checklist:

Describe the bug

What I have now:

  1. An AppProject called platform whose config is as below:

    ---
    apiVersion: argoproj.io/v1alpha1
    kind: AppProject
    metadata:
      name: platform
    spec:
      description: DevOps team deployments (Including Cluster admins)
      sourceRepos:
        - https://git.behnia.com/devops/*
      sourceNamespaces:
        - platform*
      destinations:
        - namespace: platform*
          server: https://kubernetes.default.svc
      clusterResourceWhitelist:
        - group: '*'
          kind: '*'
      namespaceResourceWhitelist:
        - group: '*'
          kind: '*'
      roles:
        - name: admins
          description: Platform Admin role
          policies:
            - p, proj:platform:admins, applications, create, platform/*, allow
            - p, proj:platform:admins, applications, delete, platform/*, allow
            - p, proj:platform:admins, applications, get, platform/*, allow
            - p, proj:platform:admins, applications, override, platform/*, allow
            - p, proj:platform:admins, applications, sync, platform/*, allow
            - p, proj:platform:admins, applications, update, platform/*, allow
            - p, proj:platform:admins, applications, action/*, platform/*, allow

            - p, proj:platform:admins, applicationsets, get, platform/*, allow
            - p, proj:platform:admins, applicationsets, create, platform/*, allow
            - p, proj:platform:admins, applicationsets, update, platform/*, allow
            - p, proj:platform:admins, applicationsets, delete, platform/*, allow

            - p, proj:platform:admins, logs, get, platform/*, allow
            - p, proj:platform:admins, exec, create, platform/*, allow

            - p, proj:platform:admins, projects, get, platform, allow

            - p, proj:platform:admins, repositories, get, platform/*, allow
            - p, proj:platform:admins, repositories, create, platform/*, allow
            - p, proj:platform:admins, repositories, update, platform/*, allow
            - p, proj:platform:admins, repositories, delete, platform/*, allow
          groups:
            - person1
            - person2
            - behnia.f
        - name: platform-readonly
          description: Platform Readonly role
          policies:
            - p, proj:platform:readonly, applications, get, platform/*, allow
            - p, proj:platform:readonly, logs, get, platform/*, allow
            - p, proj:platform:readonly, repositories, get, platform/*, allow
          groups:
            - person3
            - person4
        - name: platform-edit
          description: Edit role for platform
          policies:
            - p, proj:platform:platform-edit, applications, get, platform/*, allow
            - p, proj:platform:platform-edit, applications, sync, platform/*, allow
            - p, proj:platform:platform-edit, applications, actions/*, platform/*, allow
            - p, proj:platform:platform-edit, logs, get, platform/*, allow
            - p, proj:platform:platform-edit, repositories, get, platform/*, allow

Now I want to add a new policy, for admins to be able to edit their project (which is platform). So I guess this should be the policy:

p, proj:platform:admins, projects, update, platform, allow

But when I apply this new config & try to update the platform project, it gives me this error on the UI:

Unable to edit project: invalid policy rule 'p, proj:platform:admins, applicationsets, get, platform/*, allow': project resource must be: 'applications', 'repositories' or 'clusters', not 'applicationsets'

To Reproduce

I've put the reproduce steps above.

Expected behavior

Be able to edit the platform project. Also, why do I get an error related to something other than what I edited?! (I added a new policy for projects, and the error is for applicationsets!)

Version

2.10.6

bpoliquin-nv commented 2 months ago

+1 we are also seeing this issue.

applicationsets as well as using projects in policies defined in AppProject throw the error.

Unable to update project: invalid policy rule 'p, proj:proj_name:read-write, projects, get, proj_name, allow': project resource must be: 'applications', 'repositories' or 'clusters', not 'projects'
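Both reports above hit the same validation path for two different resources (`applicationsets` and `projects`), and the first report shows why the error points at a line the reporter never touched: Argo CD validates every policy of every role in the AppProject whenever the project is updated, so any pre-existing rule it rejects fails the unrelated edit. The script below is an added example, not Argo CD's own code. It walks the roles of an AppProject manifest that has already been parsed into a dict (the sample here is constructed from the config in this issue) and lists every policy line that would be rejected, so a manifest can be checked before it is applied. Assumptions: the allowed-resource set is taken from the quoted error text and is widened via a parameter for versions that accept more; the subject (`proj:<project>:<role>`) and object (`<project>/*` or `<project>/<name>`) checks are assumed to mirror Argo CD's own policy validation; `validate_policy`, `validate_project` and `SAMPLE_PROJECT` are names chosen for this example. Run on the sample it also flags the `platform-readonly` role, whose policy subject `proj:platform:readonly` does not match the role name.

```python
"""Offline lint for AppProject role policies (added example, not Argo CD code).

ASSUMPTION: the checks approximate Argo CD's own project-policy validation.
ALLOWED_RESOURCES comes from the error text quoted in the issue; pass a wider
set to validate_policy() for Argo CD versions that accept more resources.
"""
from __future__ import annotations

import re

# Resources a project-scoped role may reference, per the quoted error message.
ALLOWED_RESOURCES = frozenset({"applications", "repositories", "clusters"})
ALLOWED_EFFECTS = frozenset({"allow", "deny"})


def validate_policy(project: str, role: str, policy: str,
                    allowed_resources: frozenset[str] = ALLOWED_RESOURCES) -> list[str]:
    """Return every problem found in one Casbin-style policy line (empty list if valid)."""
    fields = [f.strip() for f in policy.split(",")]
    if len(fields) != 6:
        return [f"invalid policy rule '{policy}': expected 6 fields, got {len(fields)}"]
    ptype, subject, resource, _action, obj, effect = fields
    errors: list[str] = []
    if ptype != "p":
        errors.append(f"invalid policy rule '{policy}': policy type must be 'p', not '{ptype}'")
    # A role's policies must be bound to that role: 'proj:<project>:<role>'.
    expected_subject = f"proj:{project}:{role}"
    if subject != expected_subject:
        errors.append(f"invalid policy rule '{policy}': subject must be "
                      f"'{expected_subject}', not '{subject}'")
    if resource not in allowed_resources:
        errors.append(f"invalid policy rule '{policy}': project resource must be one of "
                      f"{sorted(allowed_resources)}, not '{resource}'")
    # A project role may only grant objects inside its own project.
    if not re.fullmatch(rf"{re.escape(project)}/[\w.*-]+", obj):
        errors.append(f"invalid policy rule '{policy}': object must be "
                      f"'{project}/*' or '{project}/<name>', not '{obj}'")
    if effect not in ALLOWED_EFFECTS:
        errors.append(f"invalid policy rule '{policy}': effect must be 'allow' or 'deny', not '{effect}'")
    return errors


def validate_project(app_project: dict) -> list[str]:
    """Validate every role policy of a parsed AppProject manifest, collecting all problems."""
    name = app_project["metadata"]["name"]
    errors: list[str] = []
    for role in app_project["spec"].get("roles", []):
        for policy in role.get("policies", []):
            errors.extend(validate_policy(name, role["name"], policy))
    return errors


# Constructed sample: a subset of the issue's AppProject plus the
# 'projects, update' rule the reporter wanted to add.
SAMPLE_PROJECT = {
    "apiVersion": "argoproj.io/v1alpha1",
    "kind": "AppProject",
    "metadata": {"name": "platform"},
    "spec": {
        "roles": [
            {
                "name": "admins",
                "policies": [
                    "p, proj:platform:admins, applications, create, platform/*, allow",
                    "p, proj:platform:admins, applicationsets, get, platform/*, allow",
                    "p, proj:platform:admins, repositories, get, platform/*, allow",
                    "p, proj:platform:admins, projects, update, platform, allow",
                ],
            },
            {
                "name": "platform-readonly",
                "policies": [
                    "p, proj:platform:readonly, applications, get, platform/*, allow",
                ],
            },
        ]
    },
}

if __name__ == "__main__":
    for problem in validate_project(SAMPLE_PROJECT):
        print(problem)
```

To check a real manifest, load it with a YAML parser into a dict and pass it to `validate_project`; every offending line is reported in one pass instead of one per failed update through the API.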

andrii-korotkov-verkada commented 2 weeks ago

ArgoCD versions 2.10 and below have reached EOL. Can you upgrade and tell us if the issue is still present, please?