Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to delete pod from ArgoCD UI using the action #12777

Closed
3 tasks done
azizzoaib786 opened this issue Mar 9, 2023 · 11 comments · Fixed by #18124
Closed
3 tasks done

Unable to delete pod from ArgoCD UI using the action #12777

azizzoaib786 opened this issue Mar 9, 2023 · 11 comments · Fixed by #18124
Labels
bug Something isn't working

Comments

@azizzoaib786
Copy link

azizzoaib786 commented Mar 9, 2023
edited
Loading

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug

When using the RBAC configuration to allow some permissions to default role:readonly.
Delete the Pods permissions are not working as expected.
Following rule is used as per the documentation shared here

Rule:
p, role:readonly, applications, action/core/Pod/delete, prod/*, allow

The issue is Pod object in kubernetes has empty which I believe is not parsed correctly and ArgoCD always returns permission denied error when someone assuming this role tries to perform delete action on Pods, however it works for Deployment/DaemonSet & even Rollout objects.

p, role:readonly, applications, action/apps/Deployment/delete, prod/*, allow
p, role:readonly, applications, action/apps/argoproj.io/delete, prod/*, allow

To Reproduce

Assign above rule and try to delete the Pod from ArgoCD UI.

Expected behavior

Should be able to delete the Pod from ArgoCD UI.

Screenshots

image (1)

Version

argocd: v2.6.4+7be094f.dirty
  BuildDate: 2023-03-07T23:52:53Z
  GitCommit: 7be094f38d06859b594b98eb75c7c70d39b80b1e
  GitTreeState: dirty
  GoVersion: go1.20.2
  Compiler: gc
  Platform: darwin/amd64
argocd-server: v2.3.4+ac8b7df

Logs

When trying to delete pod using above RBAC. Some of the sensitive information is masked.

time="2023-03-09T08:05:31Z" level=info msg="received unary call /application.ApplicationService/DeleteResource" grpc.method=DeleteResource grpc.request.claims="{\"at_hash\":\"zAWE8ZmAq_JZNwlfdt8peA\",\"aud\":\"argo-cd\",\"c_hash\":\"79qppdZ92TNOOX9OlPxJOA\",\"email\":\"mafzal@talabat.com\",\"email_verified\":true,\"exp\":1678435498,\"groups\":[\"xxxxxx\",\"xxxxxxx\",\"xxxxxx\",\"xxxxxxx\",\"xxxxx\",\"xxxxxx\",\"xxxxx\",\"xxxxxxxx\"],\"iat\":1678349098,\"iss\":\"https://argo.xxxxx.com/api/dex\",\"name\":\"XXX XXX\",\"preferred_username\":\"xxxxx\",\"sub\":\"Cgg0ODc1NzQ3NxIGZ2l0aHVi\"}" grpc.request.content="name:\"xxxxxx\" namespace:\"xxxxx\" resourceName:\"paymentops-5df6496f69-c2js5\" version:\"v1\" group:\"\" kind:\"Pod\" force:false orphan:false " grpc.service=application.ApplicationService grpc.start_time="2023-03-09T08:05:31Z" span.kind=server system=grpc
@azizzoaib786 azizzoaib786 added the bug Something isn't working label Mar 9, 2023
@crenshaw-dev
Copy link
Member

The actions/* RBAC resource is for custom actions. Delete is a first-class feature of Argo CD, not an action. It requires applications, delete access.

Resource-level delete RBAC is a highly-requested feature: #3593

The current plan is to enable this through either impersonation support or improved actions support.

For now, the only way to enable something like pod restart is to enable the action/apps/Deployment/restart action.

@azizzoaib786
Copy link
Author

Any idea when new features are scheduled to release?

@SergeyLadutko
Copy link
Contributor

How soon can this kind of functionality be included in the release ?

@crenshaw-dev
Copy link
Member

Well, I hope to merge an open PR for 2.8 which will allow creating a resource via a custom action. Once that's merged, it will be trivial to enable deleting resources via actions.

Honestly I feel like adding a new resources RBAC noun is the better solution. But actions are a fine hack for now.

@bygui86
Copy link

bygui86 commented Jun 20, 2023

@crenshaw-dev which is this PR you are referring to?

@SergeyLadutko
Copy link
Contributor

Version 2.8 is very cool!!! Now you can do it?

@crenshaw-dev
Copy link
Member

@bygui86 this is the PR: #12925

@SergeyLadutko the above PR enabled actions to update resources. The next step would be a PR that enables actions to delete resources.

@bygui86
Copy link

bygui86 commented Aug 16, 2023

@bygui86 this is the PR: #12925

@SergeyLadutko the above PR enabled actions to update resources. The next step would be a PR that enables actions to delete resources.

@crenshaw-dev does the update include also the create?
So at the end of this PR series, do actions allow complete manage of K8s resources?

@crenshaw-dev
Copy link
Member

Oh, apologies, I meant to say "create". Actions could always update resources. :-)

do actions allow complete manage of K8s resources

They currently allow managing resources that the application would be allowed to manage anyway. So, AppProject rules are of course enforced.

@SergeyLadutko
Copy link
Contributor

Hey guys, can you tell me if there's some kind of update?

@caleb-nintex
Copy link

💯 It would be very useful to have this delete functionality via ArgoCD

@agaudreault agaudreault mentioned this issue Apr 26, 2024
Closed
@agaudreault agaudreault mentioned this issue May 10, 2024
Merged
16 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(rbac): fine-grained update/delete for application resources agaudreault/argo-cd
5 participants
@crenshaw-dev @bygui86 @azizzoaib786 @SergeyLadutko @caleb-nintex