search

argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0
18.04k stars 5.51k forks source link

Support "filters" in Project allow/deny lists #7636

Open alexmt opened 3 years ago

alexmt commented 3 years ago

Summary

Project allow/deny lists allows restricting resource group/kinds managed by the applications in the project. In addition to group/kinds admin should be able to specify resource level "filter" that allows filtering individual resources.

Motivation

The allow/deny filters are required to solve the following use case:

The platform team provides Argo CD as a service to manage "addons" in multiple clusters. The end users are supposed to install custom resource definitions. Platform team wants to make sure end users won't override accidentally pre-installed custom resource definitions in the cluster

Proposal

Add filter field to the list item definition. The filter field can have jq expression that is used by Argo CD to check permission to manage particular resource.

clusterResourceWhitelist:
  - group: extensions
    kind: CustomResourceDefinition
    filters:
      - jq: (.spec.names.group == "argoproj.io") and .spec.names.kind == "Rollout"
jessesuen commented 3 years ago

Some comments I raised from the contributors meeting today:

  1. I was questioning the choice and syntax of using jq expressions as the mechanism to validate and to see if there was something more explicit or idiomatic Kubernetes YAML based (e.g. like Kyverno).

After looking at Kyverno syntax, I feel it will be too verbose for what we are trying to do: https://kyverno.io/docs/writing-policies/validate/

We are attempting to do something lighter weight, syntactically tight, and flexible so I think jq expressions will work great for this purpose.

  1. @crenshaw-dev had suggested this be a list instead of a single item. We agreed that a list with AND semantics would be an improvement than a single validator.

  2. I didn't bring this up in the meeting, but I think we should use the term validation instead of filters, since we are essentially performing validation and denying the sync operation, not filtering resources.

clusterResourceWhitelist:
 - group: extensions
    kind: CustomResourceDefinition
    validation:
    - jq: (.spec.names.group == "argoproj.io") and .spec.names.kind == "Rollout"
zbialik commented 2 years ago

would love to see this for namespaceResourceBlacklist, as well

jcogilvie commented 1 year ago

Adding a use case to this as referred by @crenshaw-dev.

When I deploy my Application inside a project, the helm stack that it deploys expects to write:

Currently, I have to configure this with both namespaces as destinations for the project:

    destination {
      server    = "https://kubernetes.default.svc"
      namespace = var.namespace
    }

    # TODO:  we would like a way to whitelist only `Ingress`es in the `ingress-provider` ns
    destination {
      server    = "https://kubernetes.default.svc"
      namespace = "ingress-provider"
    }

Since the namespace with the ingress is sensitive, it would be very useful to be able to say, "this application can only deploy Ingresses to this namespace, and everything else in the other one".