After giving this a bit of thought, this could be made more intuitive. I'll need to revisit the code and see if this can be enhanced without risking any breaking changes.
Describe the bug
Project destinations:
An app in this project trying to deploy to https://test-server in namespace test will be denied.
The logic in https://github.com/argoproj/argo-cd/blob/master/pkg/apis/application/v1alpha1/app_project_types.go#L474 denies if the server is in any deny destination regardless of the namespace.
To Reproduce
This is reproducible by adding a unit test to types_test.go.
Expected behavior
I would expect the denial to take the namespace into consideration. For me the "any allow permits and no deny rejects" semantics are hard to reason about. It seems like this check should be a simple "if any rule matches", although this would be a breaking change with security implications.
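The two deny semantics discussed in this report, side by side, as an added example that is not part of the original issue and is not Argo CD's code. The `Rule` type, the `permitted` function and the rule set are hypothetical and constructed for illustration; the project's real destinations are not shown on this page.

```go
package main

import "fmt"

// Rule is a hypothetical, simplified project destination: Deny marks a
// deny rule, and "*" matches any value. It is not Argo CD's own type.
type Rule struct {
	Server, Namespace string
	Deny              bool
}

func match(pattern, value string) bool { return pattern == "*" || pattern == value }

// permitted applies "any allow permits and no deny rejects". When
// denyChecksNamespace is false, a deny rule rejects on server match alone
// (the behaviour the report describes); when true, both fields must match.
func permitted(rules []Rule, server, ns string, denyChecksNamespace bool) bool {
	allowed := false
	for _, r := range rules {
		srv, nsOK := match(r.Server, server), match(r.Namespace, ns)
		if r.Deny {
			if srv && (nsOK || !denyChecksNamespace) {
				return false
			}
			continue
		}
		if srv && nsOK {
			allowed = true
		}
	}
	return allowed
}

// constructedRules is sample data made up for this example.
func constructedRules() []Rule {
	return []Rule{
		{Server: "https://test-server", Namespace: "test"},
		{Server: "https://test-server", Namespace: "kube-system", Deny: true},
	}
}

func main() {
	rules := constructedRules()
	for _, ns := range []string{"test", "kube-system", "other"} {
		fmt.Printf("%-12s server-only deny: %-5v namespace-aware deny: %v\n", ns,
			permitted(rules, "https://test-server", ns, false),
			permitted(rules, "https://test-server", ns, true))
	}
}
```

With server-only deny, the explicitly allowed namespace test is rejected because another rule denies the same server; with namespace-aware deny, only kube-system is rejected and unlisted namespaces still fail for lack of an allow.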