Argo-cd: ArgoCD Namespace Isolation

Created on 20 Aug 2019  路  11Comments  路  Source: argoproj/argo-cd

Describe the bug
I would like to let my cluster Tenants deploy an argocd instance into their namespace without allow cluster scope access (only namespace access).

To Reproduce

  1. Deployed argocd to a namespace but without any of the clusterroles or clusterrolebindings, only the Roles and RoleBindings
  2. Navigated to the ArgoCD UI running in the namespace.
  3. Configured a simple helm chart application (1 deployment and 1 service) to be deployed into the namespace.
  4. Synced the simple helm chart app the following errors (Error changes everytime I Refresh)

All the errors complain about the argocd-application-controller serviceaccount in my namespace not be able to list a cluster scope resource : namespaces, rolebindings (which makes no sense since rolebindings are not cluster scope)

enhancement
Source
picture RudyBone
👍10

Most helpful comment

I've seen same request several times already. I believe we need to support two use case:

  • argocd is installed into namespace which it manages
  • cluster is connected to argocd with access to a single namespace

In both cases Argo CD should monitor resources only in single namespace and raise error if user it trying to sync cluster level resource/resources into different namespace

picture alexmt on 22 Aug 2019
👍52

All 11 comments

I've seen same request several times already. I believe we need to support two use case:

  • argocd is installed into namespace which it manages
  • cluster is connected to argocd with access to a single namespace

In both cases Argo CD should monitor resources only in single namespace and raise error if user it trying to sync cluster level resource/resources into different namespace

alexmt picture alexmt on 22 Aug 2019
👍52

v1.3 supports showing orphan resources in the UI. You may wish to look at this.

alexec picture alexec on 27 Nov 2019

Awesome!! When are we planning to release this?

jaydipdave picture jaydipdave on 18 Dec 2019

This is part of 1.4 release. The v1.4 is pretty much v1.3 bug fixing release so it should be ready soon. Hopefully by end of next week

alexmt picture alexmt on 20 Dec 2019

It seems that the v1.4 install still gives itself full access to the cluster it is installed in by default. Is it documented somewhere what the minimal set of rights is that ArgoCD needs to manage select namespaces in the same cluster as which it is running?
I tried changing clusterroles to roles on 1.3 but ran into the same problems as @RudyBone originally stated.

lanmarti picture lanmarti on 22 Jan 2020

It seems that the v1.4 install still gives itself full access to the cluster it is installed in by default. Is it documented somewhere what the minimal set of rights is that ArgoCD needs to manage select namespaces in the same cluster as which it is running?
I tried changing clusterroles to roles on 1.3 but ran into the same problems as @RudyBone originally stated.

Hey Ian - Usage is documented in the v1.4.0 release - https://github.com/argoproj/argo-cd/releases/tag/v1.4.0.

However, in line with what you said - would be good to have a minimum set of rights needed to deploy to a namespace

artbegolli picture artbegolli on 11 Feb 2020

Anyone have any luck getting this working? @lanmarti maybe? I'm trying to use it but hitting issues - https://github.com/argoproj/argo-cd/issues/3191

ryandawsonuk picture ryandawsonuk on 4 Mar 2020

Sorry @ryandawsonuk, I won't be much help. I'm currently running argo with full cluster rights, I haven't been able to look into this since my original message.

lanmarti picture lanmarti on 5 Mar 2020

Can we get details as to the settings this modifies?
argocd cluster add <mycluster> --namespace <mynamespace1> --namespace <mynamespace2>

I'm running into cli issue, and as others would like to restrict the scope for ArgoCD.
During app deployments I run into the same error as OG, but trying to read Cluster Roles, when it should be scoped (cluster roles do not exist in namespace-install.yaml)

FrenchBen picture FrenchBen on 28 Jul 2020

Are you using the steps from the 1.4.0 release notes? I got it working using those steps after some tinkering, though I found that some read roles do seem to need to be ClusterRoles - https://github.com/argoproj/argo-cd/issues/3191

ryandawsonuk picture ryandawsonuk on 28 Jul 2020
👍1

@ryandawsonuk I ended up doing something similar, and had hoped that the CLI resources would be a bit more clear, to make the process easier.

FrenchBen picture FrenchBen on 26 Aug 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

eroji picture eroji  路  24Comments
toolbar23 picture toolbar23  路  22Comments
evrardjp picture evrardjp  路  26Comments
tschonnie picture tschonnie  路  31Comments
jessesuen picture jessesuen  路  24Comments