argo-cd: Cluster names cannot be used via RBAC
If you are trying to resolve an environment-specific issue or have a one-off question about the edge case that does not require a feature then please consider asking a question in argocd slack channel.
Relevant slack thread for issue with @jannfis
Checklist:
- I’ve searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
- I’ve included steps to reproduce the bug.
- I’ve pasted the output of argocd version.
Describe the bug
The RBAC policy for clusters still requires you to use a URL, even though names are now the convention.
To Reproduce
Create a policy like the one below:
p, testaccount, clusters, get, in-cluster, allow
Check whether testaccount is able to see the cluster; it should not be able to. Then change the policy to the URL syntax:
p, testaccount, clusters, get, https://kubernetes.default.svc, allow
Validate that testaccount is now able to see the cluster.
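The reproduction above boils down to one matching rule: for the clusters resource the object compared against the policy is the cluster's server URL, so a policy line carrying the cluster name never matches. The following is an added example, not code from the argo-cd project or this issue. It is a simplified re-implementation of the policy matching (Argo CD's real engine is casbin with glob matching; only `p` lines and `*` wildcards are modelled here), and it adds a small workaround helper that rewrites name-based cluster rules into the URL form using the `name` and `server` keys of Argo CD cluster secrets. The cluster secrets, the EKS endpoint and the helper names are constructed for the example.

```python
import fnmatch

# Constructed sample: decoded `name` and `server` keys of two Argo CD cluster
# secrets (label argocd.argoproj.io/secret-type=cluster). The EKS endpoint is made up.
CLUSTER_SECRETS = [
    {"name": "in-cluster", "server": "https://kubernetes.default.svc"},
    {"name": "prod-eks", "server": "https://ABCDEF0123456789ABCDEF.gr7.us-east-1.eks.amazonaws.com"},
]

# The two policy lines from the reproduction steps in the issue.
NAME_POLICY = "p, testaccount, clusters, get, in-cluster, allow"
URL_POLICY = "p, testaccount, clusters, get, https://kubernetes.default.svc, allow"


def parse_policy(csv_text):
    """Parse `p, subject, resource, action, object, effect` lines into tuples.
    Blank lines and `#` comments are skipped; `g` (group) lines are not modelled."""
    rules = []
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if parts[0] != "p" or len(parts) != 6:
            raise ValueError(f"unsupported policy line: {line!r}")
        rules.append(tuple(parts[1:]))
    return rules


def is_allowed(rules, subject, resource, action, obj):
    """Simplified glob matching over all four fields; a matching deny wins.
    For `clusters`, Argo CD passes the cluster's server URL as `obj`, which is
    why a cluster name in the policy never matches (the behaviour reported here)."""
    allowed = False
    for subj_pat, res_pat, act_pat, obj_pat, effect in rules:
        if (fnmatch.fnmatchcase(subject, subj_pat)
                and fnmatch.fnmatchcase(resource, res_pat)
                and fnmatch.fnmatchcase(action, act_pat)
                and fnmatch.fnmatchcase(obj, obj_pat)):
            if effect == "deny":
                return False
            allowed = True
    return allowed


def cluster_server_map(cluster_secrets):
    """Build name -> server URL from the (decoded) cluster secrets."""
    return {s["name"]: s["server"] for s in cluster_secrets}


def expand_cluster_names(csv_text, name_to_server):
    """Workaround helper (assumed, not an Argo CD feature): keep readable cluster
    names in the source policy and emit the URL form Argo CD matches on. Lines
    that are not `p` rules on `clusters`, or whose object is not a known cluster
    name, are passed through unchanged."""
    out = []
    for raw in csv_text.splitlines():
        parts = [p.strip() for p in raw.split(",")]
        if (len(parts) == 6 and parts[0] == "p" and parts[2] == "clusters"
                and parts[4] in name_to_server):
            parts[4] = name_to_server[parts[4]]
            out.append(", ".join(parts))
        else:
            out.append(raw)
    return "\n".join(out)


def reproduce():
    """Run the issue's two checks plus the expanded policy; returns the three decisions."""
    server = "https://kubernetes.default.svc"
    by_name = is_allowed(parse_policy(NAME_POLICY), "testaccount", "clusters", "get", server)
    by_url = is_allowed(parse_policy(URL_POLICY), "testaccount", "clusters", "get", server)
    expanded = expand_cluster_names(NAME_POLICY, cluster_server_map(CLUSTER_SECRETS))
    by_expanded = is_allowed(parse_policy(expanded), "testaccount", "clusters", "get", server)
    return by_name, by_url, by_expanded


if __name__ == "__main__":
    print(reproduce())  # (False, True, True)
```

The expansion step is the defensible way to get name-based policies today: the rewrite happens before the policy reaches the configmap, so the evaluator keeps matching on the exact server URL and no looser OR-on-either semantics are introduced. Rules whose object is a URL or a glob are left alone, so existing policies keep their meaning.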
Expected behavior
The ability to use names and URLs interchangeably when referring to clusters in RBAC policies.
Screenshots
Would just be redundant.
Version
argocd: v1.7.6+b04c25e
BuildDate: 2020-09-19T00:50:44Z
GitCommit: b04c25eca8f1660359e325acd4be5338719e59a0
GitTreeState: clean
GoVersion: go1.14.1
Compiler: gc
Platform: linux/amd64
argocd-server: v1.7.8+ef5010c
BuildDate: 2020-10-15T22:34:12Z
GitCommit: ef5010c3a0b5e027fd642732d03c5b0391b1e574
GitTreeState: clean
GoVersion: go1.14.1
Compiler: gc
Platform: linux/amd64
Ksonnet Version: v0.13.1
Kustomize Version: {Version:kustomize/v3.6.1 GitCommit:c97fa946d576eb6ed559f17f2ac43b3b5a8d5dbd BuildDate:2020-05-27T20:47:35Z GoOs:linux GoArch:amd64}
Helm Version: version.BuildInfo{Version:"v3.2.0", GitCommit:"e11b7ce3b12db2941e90399e874513fbd24bcb71", GitTreeState:"clean", GoVersion:"go1.13.10"}
Kubectl Version: v1.17.8
About this issue
- State: open
- Created 4 years ago
- Reactions: 1
- Comments: 18 (13 by maintainers)
Also an issue with AWS EKS as EKS provides you with a URL for k8s API.
From an intuition standpoint, I wasn’t expecting the URL to be what it evaluated against and was slightly confused at first, though trying based on the URL was my first instinct otherwise.
This URL is randomly generated, so it’s not really possible to know what it might be in advance nor is it really possible to regex/wildcard off something generated.
Simply wrapping a CNAME around that generated URL won’t work either as the CN won’t match thus certificate verification fails, though I’m wondering if that’s override-able somehow. I only noticed this might be possible looking at https://github.com/oboukili/terraform-provider-argocd/blob/master/docs/resources/cluster.md#nested-schema-for-configtls_client_config
If that doesn’t work then I’d have to run a proxy or something. And this is just my case, which is perhaps a bit of a subset of others who wish to evaluate by cluster name for whatever other reasons.
Edit: I was able to make this work; edited cluster secret to change URL to my CNAME, added serverName to the tlsClientConfig … Helps my situation a bit but doesn’t solve the original issue 😃 Can we have this check against name instead or something or some method of doing both?
Of course I understand that just switching to name would have backwards compatibility issues and doing an OR on either could be unexpected by users not aware of the change and could result in a potentially looser role than intended, but in a similar vein, I was able to add preferred_username under data.scopes in the policy configmap to enable me to auth against usernames when using SSO w/Dex+GitLab. Perhaps an option added there to choose which for clusters might work?
data.useClusterName: [boolean]
??