argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0
17.73k stars 5.4k forks

support rbac based on Application labels #8285

Open cskinfill opened 2 years ago

cskinfill commented 2 years ago

Summary

Support scoping RBAC controls based on labels defined in the argocd Application resource.

Motivation

Adding labels to Applications allows for attaching additional metadata about the Application, and in this case allowing someone to specify that a label (for instance service_owner) should be used for RBAC decisions allows this label to be used to centralize the concept of ownership.

Proposal

Provide some way to configure ArgoCD RBAC to not only use the current CSV file to map a role to an application name along with the permissions, but also allow for something like

p, role:frontend-dev, applications, sync, label.service_owner=frontend, allow

and then anyone with the role frontend-dev will be allowed to sync any Application with the label service_owner=frontend.
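
The following Go program is an added example, not Argo CD code and not something posted in this issue. It evaluates the proposed label.<key>=<value> object field under one assumed semantics (exact match on a single label, default deny, a matching deny rule overriding any allow); the names App, objectMatches and Allowed and the second policy line are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// App is a constructed stand-in for an Argo CD Application (hypothetical type).
type App struct {
	Project, Name string
	Labels        map[string]string
}

// objectMatches accepts "<project>/<app>" globs and the proposed "label.<key>=<value>" form.
func objectMatches(obj string, app App) bool {
	if strings.HasPrefix(obj, "label.") {
		key, want, ok := strings.Cut(strings.TrimPrefix(obj, "label."), "=")
		got, present := app.Labels[key] // a missing label never matches
		return ok && present && got == want
	}
	ok, err := path.Match(obj, app.Project+"/"+app.Name)
	return err == nil && ok
}

// Allowed applies the CSV policy to one request: default deny, explicit deny wins (assumed).
func Allowed(policy, role, action string, app App) bool {
	allowed := false
	for _, line := range strings.Split(policy, "\n") {
		f := strings.FieldsFunc(line, func(r rune) bool { return r == ',' || r == ' ' })
		if len(f) != 6 || f[0] != "p" || f[1] != role || f[2] != "applications" ||
			(f[3] != action && f[3] != "*") || !objectMatches(f[4], app) {
			continue
		}
		if f[5] == "deny" {
			return false
		}
		allowed = allowed || f[5] == "allow"
	}
	return allowed
}

// Constructed sample policy; the first line is the rule from the proposal.
const samplePolicy = `p, role:frontend-dev, applications, sync, label.service_owner=frontend, allow
p, role:frontend-dev, applications, sync, payments/*, deny`

func main() {
	web := App{"shop", "web", map[string]string{"service_owner": "frontend"}}
	fmt.Println(Allowed(samplePolicy, "role:frontend-dev", "sync", web))
}
```

Under these assumed semantics, anyone able to edit an Application's labels can move it into or out of a role's scope, so write access to labels would need the same protection as the policy itself.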

jannfis commented 2 years ago

I like this idea, but I think it needs some more agreement on the actual syntax (and semantics) of resources it targets.

chetan-rns commented 2 years ago

@jannfis I'm interested in investigating more about this. I will take a closer look at the RBAC implementation.

IND07F7W commented 2 years ago

Any update on whether it is being actively pursued?

pandu-malik commented 2 years ago

Is there any implementation or related workaround to achieve this?

AJBLATZ commented 1 year ago

Hoping for this implementation as well. This would save a considerable amount of time and make our RBAC CM more manageable.

m00nyONE commented 12 months ago

That would be a blessing

Thomas-Ripoll commented 10 months ago

+1 It would be very handy

1doce8 commented 9 months ago

+1

CyberHippo commented 8 months ago

I would love to see this implemented!