I'd like to be able to give delete permissions that are more granular than the application level. Ideally, I'd like to be able to enable them for specific resource types, such as Pods, or any other resource that is owned by a resource ArgoCD created.
Sometimes I find that I would like to delete Pods in our clusters because they are misbehaving. ArgoCD allows for this, but requires that the user has the permission applications, get,
That same permission allows the user to delete the entire application, which can optionally cascade to all the dependent resources.
I'd like to see support for permissions that are defined like this:
p, role:staging-db-admins, applications, delete, staging-db-admins/*/apps/Deployment, allow
p, role:staging-db-admins, applications, delete, staging-db-admins/*/Pods, allow
Someone posted (and quickly deleted) a comment suggesting that this can be done via RBAC on the Kubernetes cluster.
I think this is a viable workaround that I hadn't thought of. I think it would look something like this:
delete action. Then, ArgoCD will allow the authorized users to delete resources, but those requests may be denied by the kube-apiserver.
It's not the cleanest option, and I would like to see better support in ArgoCD directly. However, for anyone else following or finding this issue, this may be a workable approach.
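Cluster-side RBAC for the workaround described above, as an added example that is not from the issue author or the ArgoCD project: a namespaced Role that allows deleting Pods only, bound to a group. The namespace, group name and the assumption that the delete request reaches the kube-apiserver under the user's own identity are hypothetical.

```yaml
# Hypothetical example: grant pod deletion in one namespace without any
# permission on the Argo CD Application object itself.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-deleter            # assumed name
  namespace: staging-db        # assumed namespace the Application deploys into
rules:
  # Read access so users can find the misbehaving pod.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  # Delete is limited to pods; no verbs are granted on deployments, services
  # or anything in the argoproj.io group, so the Application cannot be removed.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: staging-db-admins-pod-deleter   # assumed name
  namespace: staging-db                 # must match the Role's namespace
subjects:
  - kind: Group
    name: staging-db-admins             # assumed group from the identity provider
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-deleter
  apiGroup: rbac.authorization.k8s.io
```

Before relying on it, confirm what the apiserver will answer with `kubectl auth can-i delete pods -n staging-db --as-group=staging-db-admins --as=someone` and `kubectl auth can-i delete applications.argoproj.io -n argocd --as-group=staging-db-admins --as=someone`; the second should be "no".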
Hi @jutley, yes I posted the suggestion to configure your users with RBAC on the cluster side to allow deleting pods or not, but I said that because I'm using Argo integrated with Azure AD to log in, so I was thinking I simply could configure the RBAC for all the users/groups (AKS and Azure AD).
But I still don't know if Argo is going to use my Azure AD account to perform requests to the kubeapi (I don't think so); that was the reason I deleted the post before, only to think better about it.
For us, allowing developers to have delete permissions on an application brings up the risk of whole application deletion, when all we want to do is give permission to delete everything inside the application, except the application itself.