From e23178a8d1b618c2ad4c8515a0fe44a359cd06ed Mon Sep 17 00:00:00 2001 From: Sahdev Zala Date: Tue, 26 Jul 2022 09:15:02 -0400 Subject: [PATCH] docs: add api field example in the appset security doc (#10087) It seems like most of the work for the mentioned issue below is done under the PR #9466 but from the issue description, it's probably worth to mention the example as added here. Related #9352 Signed-off-by: Sahdev Zala --- docs/operator-manual/applicationset/Security.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/operator-manual/applicationset/Security.md b/docs/operator-manual/applicationset/Security.md index 6c3d656cbd427..5df7a797de300 100644 --- a/docs/operator-manual/applicationset/Security.md +++ b/docs/operator-manual/applicationset/Security.md @@ -11,8 +11,8 @@ resources of Argo CD itself (like the RBAC ConfigMap). ApplicationSets can also quickly create an arbitrary number of Applications and just as quickly delete them. Finally, ApplicationSets can reveal privileged information. For example, the [git generator](./Generators-Git.md) can -read Secrets in the Argo CD namespace and send them to arbitrary URLs as auth headers. (This functionality is intended -for authorizing requests to SCM providers like GitHub, but it could be abused by a malicious user.) +read Secrets in the Argo CD namespace and send them to arbitrary URLs (e.g. URL provided for the `api` field) as auth headers. +(This functionality is intended for authorizing requests to SCM providers like GitHub, but it could be abused by a malicious user.) For these reasons, **only admins** may be given permission (via Kubernetes RBAC or any other mechanism) to create, update, or delete ApplicationSets.
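Review bot: The parenthetical added on the `+read Secrets in the Argo CD namespace ...` line names an `api` field without saying which generator or spec it belongs to, while the only link in the sentence points to the git generator, so a reader cannot tell from this paragraph where that field is set or which manifests to audit for it. Suggest naming the owning generator, linking its page next to the existing `./Generators-Git.md` link, and adding the missing article, for example "(e.g. the URL provided for the `api` field of ...)". Since the paragraph ends by restricting create, update and delete on ApplicationSets to admins, it would also help to say that the `api` value is user-controlled input in the ApplicationSet spec, which is what makes the Secret-forwarding path reachable. Minor: the first added line is longer than the surrounding wrapped lines in the hunk; rewrap it to match the file.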