diff --git a/solutions/cncf-generated/argo/argo-3593-rbac-should-include-separate-permissions-for-deleting-k8s-resources.json b/solutions/cncf-generated/argo/argo-3593-rbac-should-include-separate-permissions-for-deleting-k8s-resources.json new file mode 100644 index 00000000..a4951ffd --- /dev/null +++ b/solutions/cncf-generated/argo/argo-3593-rbac-should-include-separate-permissions-for-deleting-k8s-resources.json @@ -0,0 +1,81 @@ +{ + "version": "kc-mission-v1", + "name": "argo-3593-rbac-should-include-separate-permissions-for-deleting-k8s-resources", + "missionClass": "solution", + "author": "KubeStellar Bot", + "authorGithub": "kubestellar", + "mission": { + "title": "argo: RBAC should include separate permissions for deleting k8s resources", + "description": "RBAC should include separate permissions for deleting k8s resources. This issue affects 92+ users.", + "type": "troubleshoot", + "status": "completed", + "steps": [ + { + "title": "Identify argo troubleshoot symptoms", + "description": "Check for the issue in your argo deployment:\n```bash\nkubectl get pods -n argo -l app.kubernetes.io/name=argo\nkubectl logs -l app.kubernetes.io/name=argo -n argo --tail=100 | grep -i error\n```\nLook for errors or warnings in the logs that may indicate the issue." + }, + { + "title": "Review argo configuration", + "description": "Inspect the relevant argo configuration:\n```bash\nkubectl get all -n argo -l app.kubernetes.io/name=argo\nkubectl get configmap -n argo -l app.kubernetes.io/part-of=argo\n```\nI'd like to be able to give delete permissions that are more granular than the application level. Ideally, I'd like to be able to enable them for specific resource types, such as Pods, or any other resource that is owned by a resource ArgoCD created." + }, + { + "title": "Apply the fix for RBAC should include separate permissions for deleting k8s", + "description": "Task to do\n```yaml\np, role:staging-db-admins, applications, delete, staging-db-admins/*/apps/Deployment, allow\np, role:staging-db-admins, applications, delete, staging-db-admins/*/Pods, allow\n```" + }, + { + "title": "Confirm RBAC should include separate permissions for is resolved", + "description": "Verify the fix by checking that the original error no longer occurs:\n```bash\nkubectl logs -l app.kubernetes.io/name=argo -n argo --tail=50 --since=5m\nkubectl get events -n argo --sort-by='.lastTimestamp' | tail -10\n```\nConfirm that the issue symptoms are gone." + } + ], + "resolution": { + "summary": "See the linked issue and PR for the community-verified solution.", + "codeSnippets": [ + "p, role:staging-db-admins, applications, delete, staging-db-admins/*/apps/Deployment, allow\np, role:staging-db-admins, applications, delete, staging-db-admins/*/Pods, allow", + "i, , , ", + "p, role:developer, applications, delete, */*, deny\np, role:developer, applications, delete, /, defer\ni, role:developer, group, pod-deleters\ni, role:developer, group, config-deleters\ni, role:developer, group, deployment-deleters\n..." + ] + } + }, + "metadata": { + "tags": [ + "argo", + "graduated", + "app-definition", + "troubleshoot" + ], + "cncfProjects": [ + "argo" + ], + "targetResourceKinds": [ + "Pod", + "Deployment", + "Role" + ], + "difficulty": "intermediate", + "issueTypes": [ + "troubleshoot" + ], + "maturity": "graduated", + "sourceUrls": { + "issue": "https://github.com/argoproj/argo-cd/issues/3593", + "repo": "https://github.com/argoproj/argo-cd", + "pr": "https://github.com/argoproj/argo-cd/pull/18124" + }, + "reactions": 92, + "comments": 19, + "synthesizedBy": "copilot" + }, + "prerequisites": { + "kubernetes": ">=1.24", + "tools": [ + "kubectl" + ], + "description": "A running Kubernetes cluster with argo installed or the issue environment reproducible." + }, + "security": { + "scannedAt": "2026-03-11T06:17:36.212Z", + "scannerVersion": "cncf-gen-3.0.0", + "sanitized": true, + "findings": [] + } +}