argoproj / argo-rollouts

Progressive Delivery for Kubernetes
https://argo-rollouts.readthedocs.io/
Apache License 2.0

Allow management of multiple namespaces without ClusterRoleBinding #1808

Open azzouma opened 2 years ago

azzouma commented 2 years ago

Summary

Currently, Argo rollouts can be deployed with two scopes, namespaced or cluster. In the first, argo rollouts can manage deployments in its ns only. For the second, a clusterRole and clusterRoleBinding are necessary to manage deployments at the cluster level. There is no option to onboard namespaces one by one without using ClusterRoleBinding (similar to what ArgoCD offers). It will be useful to allow for one deployment for argo rollouts with a clusterRole and one roleBinding for each namespace to onboard.

Use Cases

Let argo rollouts manage multiple namespaces in the cluster without ClusterRoleBinding for some security/compliance limitations.


Message from the maintainers:

Impacted by this bug? Give it a 👍. We prioritize the issues with the most 👍.

alexmt commented 2 years ago

Hello @azzouma ,

I think this is already possible. The Rollout controller can be installed in a "namespaced mode": https://github.com/argoproj/argo-rollouts/releases/download/v1.1.1/namespace-install.yaml . In the namespaced mode, the controller is "watching" only one namespace and does not need a ClusterRoleBinding. So you would have to install the controller into each namespace one by one.

azzouma commented 2 years ago

Hi @alexmt , Yes, in the namespaced mode, it is possible to install a controller in each and every ns, but this is not convenient, especially when we have too many namespaces, and possibly namespaces created on the fly for specific use cases and torn down afterward. It would be nice to have a similar feature to what is available in ArgoCD (one instance of the controller that can manage deployments in a specific set of namespaces).

AmrAlaaYassen commented 2 years ago

Hello @azzouma did you find a solution for that?

sbeaulie commented 2 years ago

I had the same question when doing a security review of Rollouts.

Would removing the ClusterRoleBinding from the install yaml, and instead crafting one RoleBinding for each ns, work in this case? I think it should, unless there are cluster resources (nodes, non-resource endpoints) that Argo rollouts needs access to via ClusterRoleBinding?

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity.

meeech commented 1 year ago

@sbeaulie From what I've seen there are 2 cluster resources used by AR. Leases and Events.

Tested this idea out (multiple role bindings, one per NS), but the code itself branches based on if you are in namespaced mode or cluster. So the various API calls it's making, e.g.:

    c.dynamicInformerFactory.Start(ctx.Done())
    if !c.namespaced {
        c.clusterDynamicInformerFactory.Start(ctx.Done())
    }

won't work unless you are using a cluster role, even if you try to restrict using creative role binding.
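
The RBAC layout discussed above, as an added example that is not part of the thread or the project's manifests: the cluster-wide binding next to the per-namespace binding of the same ClusterRole. The ClusterRole, ServiceAccount and controller namespace names (`argo-rollouts`) and the onboarded namespace `team-a` are assumptions. A RoleBinding grants nothing for cluster-wide list/watch, which is why a controller that starts cluster-scoped informers still fails with this binding alone.

```yaml
# Broad grant: binding the ClusterRole with a ClusterRoleBinding applies
# its rules in every namespace of the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argo-rollouts              # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argo-rollouts              # assumed name
subjects:
  - kind: ServiceAccount
    name: argo-rollouts            # assumed name
    namespace: argo-rollouts       # assumed controller namespace
---
# Scoped grant: the same ClusterRole referenced from a RoleBinding. The
# rules now apply only inside metadata.namespace. Create one of these per
# onboarded namespace and delete it to offboard.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argo-rollouts
  namespace: team-a                # hypothetical onboarded namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole                # a RoleBinding may reference a ClusterRole
  name: argo-rollouts
subjects:
  - kind: ServiceAccount
    name: argo-rollouts
    namespace: argo-rollouts       # subject lives in the controller namespace
---
# Checks after removing the ClusterRoleBinding (run with kubectl):
#   kubectl auth can-i list rollouts.argoproj.io -n team-a \
#     --as=system:serviceaccount:argo-rollouts:argo-rollouts   # expect: yes
#   kubectl auth can-i list rollouts.argoproj.io --all-namespaces \
#     --as=system:serviceaccount:argo-rollouts:argo-rollouts   # expect: no
```
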

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity.

Desolar1um commented 1 year ago

I've run into this issue as well, as in our use case certain teams need to deploy to multiple namespaces. Having a separate instance with all the same settings for each namespace is inconvenient.

UBessle commented 1 year ago

For ArgoCD we have projects, where we can define which namespaces ArgoCD is allowed to handle. Does Argo-rollout take into account these ArgoCD project rules? This would solve this issue.