search

argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0
17.27k stars 5.24k forks source link

Add hash validation support for the clusterResourceWhitelist #18821

Open saltbo opened 2 months ago

saltbo commented 2 months ago

Summary

Add hash validation support for the clusterResourceWhitelist

Motivation

As a platform manager, we hope that all cluster-level resources deployed to a cluster will be reviewed by the platform. We found that argocd provides clusterResourceWhitelist for basic verification. But we want to support checkings based on names #12208 and hashes.

I know we can use the Admission Webhook to check, but we have too many clusters, deploying it to hundreds of clusters and ensuring the distribution of verification data is difficult.

Proposal

clusterResourceWhitelist:
  - group: rbac.authorization.k8s.io
    kind: ClusterRole
    resourceNames:
      - xxx-manager
    resourceHashes:
      - 0a4d55a8d778e5022fab701977c5d840bbc486d0
      - cd1144e1b687f6d586c215f09ddd1a67a8f1c0f3

Through this capability, we can allow users to submit cluster resources that need to be deployed to the platform. When the platform administrator approves the review, the platform automatically sets the hash value of the resource to the project to which it belongs.

agaudreault commented 2 months ago

Hi @saltbo, it would seem like this proposal is specifically written to integrate with your internal platform.

the platform automatically sets the hash value of the resource to the project to which it belongs.

Is that process done by an open-source tool? The resourceHashes does not seem to be a standard kubernetes field. If by the project to which it belongs you mean the Argo AppProject, how is that hash generated?

saltbo commented 2 months ago

Hi @agaudreault, thanks for your reply.

It's not only for our internal platform, it's a universal solution. We just need to provide a consistent hash function for the K8s resource.

I don't know if there is a similar tool, it would be better if there were. My initial idea is that as long as the file formats are consistent, the hash values can be consistent. We format it the same way and hash it the same way (such as using the sha1 algorithm), so we can get a consistent hash value.