Closed
@@ -0,0 +1,80 @@
{
"version": "kc-mission-v1",
"name": "argo-3593-rbac-should-include-separate-permissions-for-deleting-k8s-resources",
"missionClass": "solution",
"author": "KubeStellar Bot",
"authorGithub": "kubestellar",
"mission": {
"title": "argo: RBAC should include separate permissions for deleting k8s resources",
"description": "RBAC should include separate permissions for deleting k8s resources. This issue affects 92+ users.",
"type": "troubleshoot",
"status": "completed",
"steps": [
{
"title": "Identify argo troubleshoot symptoms",
"description": "Check for the issue in your argo deployment:\n```bash\nkubectl get pods -n argo -l app=argo\nkubectl logs -l app.kubernetes.io/name=argo -n argo --tail=100 | grep -i error\n```\nLook for errors related to: RBAC should include separate permissions for deleting k8s resources"
},
{
"title": "Check current Pod configuration",
"description": "Inspect the relevant argo resources:\n```bash\nkubectl get pod -A\nkubectl describe pod <name> -n argo\n```\nI'd like to be able to give delete permissions that are more granular than the application level. Ideally, I'd like to be able to enable them for specific resource types, such as Pods, or any other"
},
{
"title": "Apply the fix for RBAC should include separate permissions for deleting k8s",
"description": "Task to do\n\nhttps://github.com/argoproj/argo-cd/assets/47184027/7ea0b523-7357-4deb-8775-a6b6d8ba5d76\n\nChecklist:\n\n* [x] Either (a) I've created an [enhancement proposal](https://github.com/argoproj/argo-cd/issues/new/choose) and discussed it with the community, (b) this is a bug fix, or (c) this\n```yaml\np, role:staging-db-admins, applications, delete, staging-db-admins/*/apps/Deployment, allow\r\np, role:staging-db-admins, applications, delete, staging-db-admins/*/Pods, allow\n```"
},
{
"title": "Confirm RBAC should include separate permissions for is resolved",
"description": "Verify the fix by checking that the original error no longer occurs:\n```bash\nkubectl logs -l app.kubernetes.io/name=argo -n argo --tail=50 --since=5m\nkubectl get events -n argo --sort-by='.lastTimestamp' | tail -10\n```\nConfirm that the issue symptoms are gone."
}
],
"resolution": {
"summary": "The root cause is: Task to do\n\nhttps://github.com/argoproj/argo-cd/assets/47184027/7ea0b523-7357-4deb-8775-a6b6d8ba5d76\n\nChecklist:\n\n* [x] Either (a) I've created an [enhancement proposal](https://github.com/argoproj/argo-cd/issues/new/choose) and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.\n* [x] The title of the PR states what changed and the.",
"codeSnippets": [
"p, role:staging-db-admins, applications, delete, staging-db-admins/*/apps/Deployment, allow\r\np, role:staging-db-admins, applications, delete, staging-db-admins/*/Pods, allow",
"i, <user/group/role>, <type>, <k8s name>",
"p, role:developer, applications, delete, */*, deny\r\np, role:developer, applications, delete, <appproject>/<app>, defer\r\ni, role:developer, group, pod-deleters\r\ni, role:developer, group, config-deleters\r\ni, role:developer, group, deployment-deleters\r\n..."
]
}
},
"metadata": {
"tags": [
"argo",
"graduated",
"app-definition",
"troubleshoot"
],
"cncfProjects": [
"argo"
],
"targetResourceKinds": [
"Pod",
"Deployment"
],
"difficulty": "intermediate",
"issueTypes": [
"troubleshoot"
],
"maturity": "graduated",
"sourceUrls": {
"issue": "https://github.com/argoproj/argo-cd/issues/3593",
"repo": "https://github.com/argoproj/argo-cd",
"pr": "https://github.com/argoproj/argo-cd/pull/18124"
},
"reactions": 92,
"comments": 19,
"synthesizedBy": "copilot"
},
"prerequisites": {
"kubernetes": ">=1.24",
"tools": [
"kubectl"
],
"description": "A running Kubernetes cluster with argo installed or the issue environment reproducible."
},
"security": {
"scannedAt": "2026-03-10T21:33:37.272Z",
"scannerVersion": "cncf-gen-3.0.0",
"sanitized": true,
"findings": []
}
}
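Review bot: the "Apply the fix ..." step description and `resolution.summary` contain pull-request template text ("Task to do", an asset URL, the contributor checklist) rather than a fix or a root cause, and the step description is cut off at "(c) this". Replace both with a statement of what policy change grants resource-level delete, and strip the `\r` characters from the policy lines in the step's yaml block and in `codeSnippets`. Two of the three `codeSnippets` entries are templates, not applicable policy (`i, <user/group/role>, <type>, <k8s name>` and the `defer` example ending in `...`), so label them as proposals or drop them. In the first snippet, one object is written `apps/Deployment` and the other `Pods`, with no group and a plural kind; confirm the intended object format before publishing it as the fix. The symptom and verification steps grep pod logs and events in namespace `argo` for errors, which cannot confirm a change to RBAC delete permissions, and `sourceUrls` points at argoproj/argo-cd, so check that the namespace and the two different label selectors (`app=argo`, `app.kubernetes.io/name=argo`) match an Argo CD install. A verification step that tests whether the role can delete a Pod but not the whole application would match the mission title.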