Add rbac on plugins #21177
Comments
What's the exact semantics? Is it using plugins at all for everything, or would it be restricted to specific applications? Would it even be possible to define a generic system for all kinds of plugins?
@slim-azaiz Can you add the motivation to this issue? What are the current problems you are facing that you want to resolve? How is this plugin used? This seems like a reasonable request, but I don't understand the necessity.
With the current version of argo vault plugin we cannot ensure multi-tenancy if we have one shared argocd instance, because there is no RBAC on plugins and we cannot guarantee that teamA cannot use teamB's plugin, as plugins are global in the current version and not scoped by namespace.
Actually, this should not be related to RBAC then, because it is the application itself that is using the plugin, not the users. The access control mechanisms for an Application are defined in the AppProject. So this would be an additional configuration in the AppProject that can explicitly allow or deny tools to be used as source. Since we are trying to move away from rendering secrets in plugins, I don't think the "argo vault plugin" use case would be enough to implement that feature. And perhaps the tenancy mechanisms should be implemented within the plugin. But there might be other use cases to have rendering tools restricted to some applications, so I think we can leave this issue open for some time to collect potential use cases.
I think the addition of the
Summary
Adding RBAC on plugins would resolve Argo CD multi-tenancy if we are using the argo vault plugin.
Proposal
How do you think this should be implemented?
This policy specifies that the devteam-b project administrators (proj:devteam-b:admin) are allowed to use the plugin-b plugin within the scope of resources under devteam-b/*. This way, only users or services within the devteam-b project can access and use the plugin for their resources, ensuring proper multitenancy.
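The policy text itself did not survive on this page, so here is an added example (not from the issue author and not Argo CD code) that makes the proposed semantics concrete. Argo CD stores RBAC as Casbin CSV: `p, <subject>, <resource>, <action>, <object>, <effect>` lines grant or deny, `g, <user>, <role>` lines bind a user or group to a role, and the decision is "some matching allow and no matching deny". The toy enforcer below mirrors just those parts and evaluates the tenant separation the proposal describes. Everything specific to plugins is an assumption for illustration: the `plugins` resource, the `use` action, objects named `<project>/<plugin>`, and the users `alice` and `bob`. Argo CD defines none of these today; the real enforcer also uses its own glob implementation, which this approximates with `fnmatch`.

```python
"""Toy Casbin-style enforcer for the plugin RBAC proposed in this issue.

Added illustration only. The `plugins` resource, `use` action, object
format `<project>/<plugin>` and the users are ASSUMPTIONS, not Argo CD API.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Policy:
    subject: str
    resource: str
    action: str
    obj: str
    effect: str  # "allow" or "deny"


# Constructed sample policy.csv modelled on the proposal's wording:
# devteam-b admins may use plugin-b on resources under devteam-b/*; a
# devteam-a admin gets a broad allow plus an explicit deny on devteam-b/*.
POLICY_CSV = """
# users -> project roles
g, alice, proj:devteam-b:admin
g, bob,   proj:devteam-a:admin
# hypothetical plugin permissions (assumed resource/action/object names)
p, proj:devteam-b:admin, plugins, use, devteam-b/plugin-b, allow
p, proj:devteam-a:admin, plugins, use, */*,                allow
p, proj:devteam-a:admin, plugins, use, devteam-b/*,        deny
"""


def parse_policy(csv_text: str):
    """Parse `g` and `p` lines; reject malformed lines instead of skipping them."""
    roles: dict[str, set[str]] = {}
    policies: list[Policy] = []
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "g" and len(fields) == 3:
            roles.setdefault(fields[1], set()).add(fields[2])
        elif fields[0] == "p" and len(fields) == 6:
            policies.append(Policy(*fields[1:]))
        else:
            raise ValueError(f"malformed policy line: {raw!r}")
    return roles, policies


def subjects_for(user: str, roles: dict[str, set[str]]) -> set[str]:
    """The user plus every role reachable through `g` lines (transitively)."""
    seen, stack = {user}, [user]
    while stack:
        for role in roles.get(stack.pop(), ()):
            if role not in seen:
                seen.add(role)
                stack.append(role)
    return seen


def enforce(user, resource, action, obj, roles, policies) -> bool:
    """Decision rule: at least one matching allow and no matching deny.

    Default is deny. `*` matches across `/` here, as Argo CD's glob does.
    """
    subjects = subjects_for(user, roles)
    allowed = denied = False
    for p in policies:
        if (p.subject in subjects
                and fnmatchcase(resource, p.resource)
                and fnmatchcase(action, p.action)
                and fnmatchcase(obj, p.obj)):
            allowed |= p.effect == "allow"
            denied |= p.effect == "deny"
    return allowed and not denied


def tenant_checks() -> dict[str, bool]:
    """The cases the proposal cares about, as a name -> decision map."""
    roles, policies = parse_policy(POLICY_CSV)
    use = lambda user, obj: enforce(user, "plugins", "use", obj, roles, policies)
    return {
        "b-admin uses plugin-b in devteam-b": use("alice", "devteam-b/plugin-b"),
        "b-admin uses plugin-b in devteam-a": use("alice", "devteam-a/plugin-b"),
        "a-admin uses plugin-b in devteam-b": use("bob", "devteam-b/plugin-b"),
        "a-admin uses plugin-a in devteam-a": use("bob", "devteam-a/plugin-a"),
        "unknown user uses plugin-b": use("mallory", "devteam-b/plugin-b"),
    }


if __name__ == "__main__":
    for name, decision in tenant_checks().items():
        print(f"{'ALLOW' if decision else 'DENY ':5} {name}")
```

Two things worth noticing when reading the output. First, the broad `*/*` allow for devteam-a's admin is still cut off from devteam-b by the explicit deny, which is how Argo CD's policy effect works and is the safer way to express tenant boundaries than relying on narrow allows alone. Second, as the maintainer's comment points out, a user-centred policy like this only helps if whatever consumes the plugin (the Application, via its AppProject) is the thing being checked; an equivalent allow/deny list on the AppProject would carry the same `<project>/<plugin>` objects.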