argo-cd: Cluster names cannot be used via RBAC

If you are trying to resolve an environment-specific issue or have a one-off question about an edge case that does not require a feature, then please consider asking a question in the argocd slack channel.

Relevant slack thread for issue with @jannfis

Checklist:

  • I’ve searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I’ve included steps to reproduce the bug.
  • I’ve pasted the output of argocd version.

Describe the bug

The RBAC policy for clusters still requires you to use a URL, when names are now a convention.

To Reproduce

Create a policy like the one below:

        p, testaccount, clusters, get, in-cluster, allow

Check to see if testaccount is able to see the cluster - it should not be able to. Change the policy to the url syntax:

        p, testaccount, clusters, get, https://kubernetes.default.svc, allow

Validate that testaccount is now able to see the cluster.

Expected behavior

The ability to interchangeably be able to use names and URLs for cluster reference in RBAC

Screenshots

Would just be redundant.

Version

argocd: v1.7.6+b04c25e
  BuildDate: 2020-09-19T00:50:44Z
  GitCommit: b04c25eca8f1660359e325acd4be5338719e59a0
  GitTreeState: clean
  GoVersion: go1.14.1
  Compiler: gc
  Platform: linux/amd64
argocd-server: v1.7.8+ef5010c
  BuildDate: 2020-10-15T22:34:12Z
  GitCommit: ef5010c3a0b5e027fd642732d03c5b0391b1e574
  GitTreeState: clean
  GoVersion: go1.14.1
  Compiler: gc
  Platform: linux/amd64
  Ksonnet Version: v0.13.1
  Kustomize Version: {Version:kustomize/v3.6.1 GitCommit:c97fa946d576eb6ed559f17f2ac43b3b5a8d5dbd BuildDate:2020-05-27T20:47:35Z GoOs:linux GoArch:amd64}
  Helm Version: version.BuildInfo{Version:"v3.2.0", GitCommit:"e11b7ce3b12db2941e90399e874513fbd24bcb71", GitTreeState:"clean", GoVersion:"go1.13.10"}
  Kubectl Version: v1.17.8

About this issue

  • State: open
  • Created 4 years ago
  • Reactions: 1
  • Comments: 18 (13 by maintainers)

Most upvoted comments

Just ran into this since I couldn’t use cluster names in declaratively defined AppProjects (though I can on Applications).

Almost the same here - I want to allow OIDC groups to be able to see just the clusters they can use, but I don't have the URL at this point (and using AWS load balancers, the cluster name is not part of the URL, so regex can't help). Referencing clusters by name in RBAC policies would really come in handy 😃 Any news on this?

Also an issue with AWS EKS as EKS provides you with a URL for k8s API.

From an intuition standpoint, I wasn’t expecting the URL to be what it evaluated against and was slightly confused at first, though trying based on the URL was my first instinct otherwise.

This URL is randomly generated, so it’s not really possible to know what it might be in advance nor is it really possible to regex/wildcard off something generated.

Simply wrapping a CNAME around that generated URL won’t work either as the CN won’t match thus certificate verification fails, though I’m wondering if that’s override-able somehow. I only noticed this might be possible looking at https://github.com/oboukili/terraform-provider-argocd/blob/master/docs/resources/cluster.md#nested-schema-for-configtls_client_config

If that doesn't work then I'd have to run a proxy or something. And this is just my case, which is perhaps a bit of a subset of others who wish to evaluate by cluster name for whatever other reasons.

Edit: I was able to make this work; edited cluster secret to change URL to my CNAME, added serverName to the tlsClientConfig … Helps my situation a bit but doesn’t solve the original issue 😃

Can we have this check against name instead or something or some method of doing both?

Of course I understand that just switching to name would have backwards compatibility issues and doing an OR on either could be unexpected by users not aware of the change and could result in a potentially looser role than intended, but in a similar vein, I was able to add preferred_username under data.scopes in the policy configmap to enable me to auth against usernames when using SSO w/Dex+GitLab.

Perhaps an option added there to choose which for clusters might work? data.useClusterName: [boolean] ??
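A toy policy evaluator, added here to illustrate two things discussed in this thread: the reproduction steps (a `clusters` rule written with the cluster name does not match when the object is compared against the server URL), and the concern in the comment above that matching against either name or URL can make an existing role looser. It is not Argo CD's code; the cluster inventory, the EKS-style hostname and the `eks-*` rule are constructed.

```python
from fnmatch import fnmatchcase

# Constructed inventory: cluster name -> API server URL (what a cluster
# secret holds). The EKS hostname is a made-up stand-in for the random
# endpoint the comments describe.
CLUSTERS = {
    "in-cluster": "https://kubernetes.default.svc",
    "eks-prod": "https://0123456789abcdef.gr7.eu-west-1.eks.amazonaws.com",
}

def parse_policy(csv_text):
    """Parse 'p, subject, resource, action, object, effect' lines into tuples."""
    rules = []
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 6 or parts[0] != "p":
            raise ValueError(f"unsupported policy line: {line!r}")
        rules.append(tuple(parts[1:]))
    return rules

def is_allowed(rules, subject, resource, action, cluster_name, match_names=False):
    """Deny-overrides evaluation with glob matching on every field.

    The rule object is matched against the cluster's server URL only (the
    behaviour the issue reports); with match_names=True it is also matched
    against the cluster name (the behaviour the issue asks for).
    """
    candidates = [CLUSTERS[cluster_name]] + ([cluster_name] if match_names else [])
    allowed = False
    for subj, res, act, obj, effect in rules:
        if not (fnmatchcase(subject, subj) and fnmatchcase(resource, res)
                and fnmatchcase(action, act)
                and any(fnmatchcase(c, obj) for c in candidates)):
            continue
        if effect == "deny":
            return False  # an explicit deny wins over any allow
        allowed = True
    return allowed

# The two rules from the reproduction steps, plus a constructed glob rule that
# matches no server URL today but would start matching a cluster name.
NAME_RULE = parse_policy("p, testaccount, clusters, get, in-cluster, allow")
URL_RULE = parse_policy("p, testaccount, clusters, get, https://kubernetes.default.svc, allow")
STALE_GLOB = parse_policy("p, dev, clusters, get, eks-*, allow")

def get_cluster(rules, subject, cluster, match_names=False):
    """Can `subject` get `cluster` under `rules`?"""
    return is_allowed(rules, subject, "clusters", "get", cluster, match_names)
```

With URL-only matching the name rule denies and the URL rule allows, reproducing the report; turning on name matching makes the name rule work, but also makes the `eks-*` rule grant `dev` access to `eks-prod`, which is the unexpected loosening the comment warns about.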