RBAC policy for restart #2401

Closed
servo1x opened this issue Oct 2, 2019 · 15 comments
Labels
enhancement New feature or request

Comments

@servo1x

servo1x commented Oct 2, 2019

Is your feature request related to a problem? Please describe.
We would like developers to have the ability to restart their pods, but currently, from my understanding, this requires the delete action to be allowed. We don't want to give developers the ability to delete any resource but do want to allow restarts.

Describe the solution you'd like
There should be an RBAC action for restarts.

@servo1x servo1x added the enhancement New feature or request label Oct 2, 2019
@jannfis
Member

jannfis commented Oct 6, 2019

Hi @servo1x, can you please elaborate a little more on your requirement? To my limited knowledge, there is no concept of "restarting" a pod, neither in K8s nor in ArgoCD.

As far as I understand, the way you can accomplish something similar is either by deleting a pod resource belonging to something like a controlling resource (such as ReplicaSet or Deployment) and have it restarted automatically, or by using something like scale --replicas to have K8s terminate and start your pods again.

Is your use-case for restarting a Pod using the delete resource action of ArgoCD (e.g. via the web UI) on a Pod object?

@alexmt
Collaborator

alexmt commented Oct 7, 2019

Not 100% sure this resolves the problem. We just merged granular RBAC for resource actions: #2002 and a custom action which is equivalent to kubectl rollout restart: #2177 (available in v1.2)

In 1.3 it will be possible to give permission to execute Restart action which will trigger a rolling update of a deployment/daemonset/statefulset

@servo1x
Author

servo1x commented Oct 8, 2019

@jannfis it's in reference to the feature: #2177

Thanks @alexmt, this is what we're looking for.

@alexmt
Collaborator

alexmt commented Oct 9, 2019

I guess we can close it. @servo1x please feel free to reopen if necessary

@alexmt alexmt closed this as completed Oct 9, 2019
@u-quark

u-quark commented Jun 29, 2020

It would be nice if we had an example of how this is accomplished and maybe some documentation.

@pavankumar-go

For those who came looking for adding policy to just restart the deployments, it can be done this way

    p, role:developers, applications, action/apps/Deployment/restart, dev/*, allow

@mitch-mckenzie

Small tweak to the above example to get this to work on argo 2.0.1 (apps -> extensions):

    p, role:developers, applications, action/extensions/Deployment/restart, dev/*, allow

@bkrein-vertex

It'd be really nice if the docs could have more detailed explanations of more complex configs like this. I was looking for this as well but the docs don't give any clue about the more complex action shown here.

@abhipsnl

In my case, it was action/apps/Deployment/restart. How does it differ from extensions?

@EladDolev

@FalconerTC

FalconerTC commented Feb 21, 2023

Any other examples from people that have gotten this to work with recent ArgoCD versions? I'm trying with project RBAC (p, proj:some-project:project-admin, applications, action/extensions/Deployment/restart, *, allow) with action/extensions and action/apps but I can't seem to get it to work. And argocd admin settings rbac can doesn't support this

@arve0

arve0 commented Jun 7, 2023

> And argocd admin settings rbac can doesn't support this

Can confirm:

    ❯ argocd admin settings rbac can policy-name action/apps/Deployment/restart applications 'default/app' --namespace argocd
    FATA[0000] error in RBAC request: 'action/apps/Deployment/restart' is not a valid action name

@crenshaw-dev
Member

Here's an issue tracking the can CLI bug: #13911

afaik this is the closest we have to docs about actions RBAC: https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac/#the-action-action

Would be happy to review any docs PR clarifying RBAC for actions!

@jeremych1000

Ran into this today, and this worked for me.

    - p, proj:{{ $name }}:admin, applications, action/*, {{ $name }}/*, allow

action on its own didn't though, must have the /*

@ethanbayliss

This worked for me on Argo CD v2.8.4

    p, [email protected], applications, action/apps/Deployment/restart, *, allow
    p, [email protected], applications, action/apps/Deployment/restart, default/apps, allow

Error I received was

    time="2024-02-28T05:55:29Z" level=warning msg="user tried to action/apps/Deployment/restart application which they do not have access to: rpc error: code = PermissionDenied desc = permission denied: applications, action/apps/Deployment/restart, default/apps, sub: xxx, iat: 2024-02-28T05:48:29Z" application=apps namespace=argocd project=default security=2
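
An added example, not part of the thread and not Argo CD's own code: a simplified Python model of how the policy lines quoted in the comments above match a request, usable as a least-privilege check that a restart grant does not also grant delete. It assumes glob matching in which * also crosses / (as the * and dev/* objects in the comments imply) and does not model role bindings (g lines); the roles role:bare and role:all-actions, the app dev/my-app and the helper names are hypothetical.

```python
from fnmatch import fnmatchcase

# Constructed policy text. The first line is quoted in the thread; the other
# two use hypothetical roles to compare a bare "action" with "action/*".
POLICY = """
p, role:developers, applications, action/apps/Deployment/restart, dev/*, allow
p, role:bare, applications, action, dev/*, allow
p, role:all-actions, applications, action/*, dev/*, allow
"""

# Actions to audit: the one developers must NOT get, plus both restart spellings.
CANDIDATES = ["delete",
              "action/apps/Deployment/restart",
              "action/extensions/Deployment/restart"]


def parse_policy(text):
    """Return (subject, resource, action, object, effect) tuples from 'p' lines."""
    rules = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) == 6 and fields[0] == "p":
            rules.append(tuple(fields[1:]))
    return rules


def is_allowed(rules, subject, resource, action, obj):
    """Allow when some matching rule allows and no matching rule denies.

    Assumption: every field except the subject is glob-matched, and '*'
    also matches '/'. Subjects are compared exactly (no 'g' bindings).
    """
    effects = {eft for sub, res, act, pat, eft in rules
               if sub == subject and fnmatchcase(resource, res)
               and fnmatchcase(action, act) and fnmatchcase(obj, pat)}
    return "allow" in effects and "deny" not in effects


def granted(rules, subject, obj, candidates=CANDIDATES):
    """Audit helper: which candidate actions on applications does subject hold?"""
    return [a for a in candidates
            if is_allowed(rules, subject, "applications", a, obj)]


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for role in ("role:developers", "role:bare", "role:all-actions"):
        print(role, granted(rules, role, "dev/my-app"))
```

In this model the restart-only line grants neither delete nor the extensions spelling, a bare action grants nothing, and action/* grants every resource action but still not delete.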
