feat: auto respect rbac for discovery/sync (#14381)

feat: auto respect rbac for discovery/sync (#14381) Signed-off-by: Soumya Ghosh Dastidar <[email protected]>
argoproj · Sep 6, 2023 · 4fadd9e · 4fadd9e
1 parent 0de579d
commit 4fadd9e
Show file tree

Hide file tree

Showing 6 changed files with 64 additions and 4 deletions.
diff --git a/controller/cache/cache.go b/controller/cache/cache.go
@@ -433,6 +433,11 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
  return nil, fmt.Errorf("error getting custom label: %w", err)
  }
 
+ respectRBAC, err := c.settingsMgr.RespectRBAC()
+ if err != nil {
+ return nil, fmt.Errorf("error getting value for %v: %w", settings.RespectRBAC, err)
+ }
+
  clusterCacheConfig := cluster.RESTConfig()
  // Controller dynamically fetches all resource types available on the cluster
  // using a discovery API that may contain deprecated APIs.
@@ -487,6 +492,7 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
  }),
  clustercache.SetLogr(logutils.NewLogrusLogger(log.WithField("server", cluster.Server))),
  clustercache.SetRetryOptions(clusterCacheAttemptLimit, clusterCacheRetryUseBackoff, isRetryableError),
+ clustercache.SetRespectRBAC(respectRBAC),
  }
 
  clusterCache = clustercache.NewClusterCache(clusterCacheConfig, clusterCacheOpts...)

diff --git a/docs/operator-manual/argocd-cm.yaml b/docs/operator-manual/argocd-cm.yaml
@@ -231,6 +231,10 @@ data:
  # 'none' - disabled
  ignoreResourceStatusField: crd
 
+ # configuration to instruct controller to only watch for resources that it has permissions to list
+ # can be either empty, "normal" or "strict". By default, it is empty i.e. disabled.
+ resource.respectRBAC: "normal"
+
  # Configuration to add a config management plugin.
  configManagementPlugins: |
  - name: kasane

diff --git a/docs/operator-manual/declarative-setup.md b/docs/operator-manual/declarative-setup.md
@@ -953,6 +953,33 @@ Notes:
 * Invalid globs result in the whole rule being ignored.
 * If you add a rule that matches existing resources, these will appear in the interface as `OutOfSync`.
 
+## Auto respect RBAC for controller
+
+Argocd controller can be restricted from discovering/syncing specific resources using just controller rbac, without having to manually configure resource exclusions.
+This feature can be enabled by setting `resource.respectRBAC` key in argocd cm, once it is set the controller will automatically stop watching for resources 
+that it does not have the permission to list/access. Possible values for `resource.respectRBAC` are:
+ - `strict` : This setting checks whether the list call made by controller is forbidden/unauthorized and if it is, it will cross-check the permission by making a `SelfSubjectAccessReview` call for the resource.
+ - `normal` : This will only check whether the list call response is forbidden/unauthorized and skip `SelfSubjectAccessReview` call, to minimize any extra api-server calls.
+ - unset/empty (default) : This will disable the feature and controller will continue to monitor all resources.
+
+Users who are comfortable with an increase in kube api-server calls can opt for `strict` option while users who are concerned with higher api calls and are willing to compromise on the accuracy can opt for the `normal` option.
+
+Notes:
+
+* When set to use `strict` mode controller must have rbac permission to `create` a `SelfSubjectAccessReview` resource 
+* The `SelfSubjectAccessReview` request will be only made for the `list` verb, it is assumed that if `list` is allowed for a resource then all other permissions are also available to the controller.
+
+Example argocd cm with `resource.respectRBAC` set to `strict`:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: argocd-cm
+data:
+ resource.respectRBAC: "strict"
+```
+
 ## Resource Custom Labels
 
 Custom Labels configured with `resource.customLabels` (comma separated string) will be displayed in the UI (for any resource that defines them).

diff --git a/go.mod b/go.mod
@@ -11,7 +11,7 @@ require (
  github.com/TomOnTime/utfutil v0.0.0-20180511104225-09c41003ee1d
  github.com/alicebob/miniredis/v2 v2.30.4
  github.com/antonmedv/expr v1.12.7
- github.com/argoproj/gitops-engine v0.7.1-0.20230809134534-ed7c77a9290b
+ github.com/argoproj/gitops-engine v0.7.1-0.20230906152414-b0fffe419a0f
  github.com/argoproj/notifications-engine v0.4.1-0.20230905144632-9dcecdc3eebf
  github.com/argoproj/pkg v0.13.7-0.20230626144333-d56162821bd1
  github.com/aws/aws-sdk-go v1.44.317

diff --git a/go.sum b/go.sum
@@ -710,8 +710,8 @@ github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb
 github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/apache/thrift v0.16.0/go.mod h1:PHK3hniurgQaNMZYaCLEqXKsYK8upmhPbmdP2FXSqgU=
 github.com/appscode/go v0.0.0-20191119085241-0887d8ec2ecc/go.mod h1:OawnOmAL4ZX3YaPdN+8HTNwBveT1jMsqP74moa9XUbE=
-github.com/argoproj/gitops-engine v0.7.1-0.20230809134534-ed7c77a9290b h1:0Nttg/giUaT52BticAPRmbEMZWBDxisy+hltb1TglVM=
-github.com/argoproj/gitops-engine v0.7.1-0.20230809134534-ed7c77a9290b/go.mod h1:WpA/B7tgwfz+sdNE3LqrTrb7ArEY1FOPI2pAGI0hfPc=
+github.com/argoproj/gitops-engine v0.7.1-0.20230906152414-b0fffe419a0f h1:cb2j6HxYJutMBvvQc/Y3EOSL7pcr5pcnP/4MNmYi4xc=
+github.com/argoproj/gitops-engine v0.7.1-0.20230906152414-b0fffe419a0f/go.mod h1:/GMN0JuoJUUpnKlNLp2Wn/mfK8sglFsdPn+eoxSddmg=
 github.com/argoproj/notifications-engine v0.4.1-0.20230905144632-9dcecdc3eebf h1:4wliaBwd6iKvT/5huDTJntaYtTSdwPLs00SOQwDSK6A=
 github.com/argoproj/notifications-engine v0.4.1-0.20230905144632-9dcecdc3eebf/go.mod h1:TuK0BNKo34DIUOyCCGOB9ij+smGCxeCgt9ZB+0fMWno=
 github.com/argoproj/pkg v0.13.7-0.20230626144333-d56162821bd1 h1:qsHwwOJ21K2Ao0xPju1sNuqphyMnMYkyB3ZLoLtxWpo=

diff --git a/util/settings/settings.go b/util/settings/settings.go
@@ -17,7 +17,6 @@ import (
  "sync"
  "time"
 
- timeutil "github.com/argoproj/pkg/time"
  log "github.com/sirupsen/logrus"
  apiv1 "k8s.io/api/core/v1"
  apierr "k8s.io/apimachinery/pkg/api/errors"
@@ -39,6 +38,8 @@ import (
  "github.com/argoproj/argo-cd/v2/util/kube"
  "github.com/argoproj/argo-cd/v2/util/password"
  tlsutil "github.com/argoproj/argo-cd/v2/util/tls"
+ enginecache "github.com/argoproj/gitops-engine/pkg/cache"
+ timeutil "github.com/argoproj/pkg/time"
 )
 
 // ArgoCDSettings holds in-memory runtime configuration options.
@@ -490,6 +491,10 @@ const (
  // ResourceDeepLinks is the resource deep link key
  ResourceDeepLinks = "resource.links"
  extensionConfig = "extension.config"
+ // RespectRBAC is the key to configure argocd to respect rbac while watching for resources
+ RespectRBAC = "resource.respectRBAC"
+ RespectRBACValueStrict = "strict"
+ RespectRBACValueNormal = "normal"
 )
 
 var (
@@ -553,6 +558,24 @@ func (mgr *SettingsManager) onRepoOrClusterChanged() {
  }
 }
 
+func (mgr *SettingsManager) RespectRBAC() (int, error) {
+ cm, err := mgr.getConfigMap()
+ if err != nil {
+ return enginecache.RespectRbacDisabled, err
+ }
+ if cm.Data[RespectRBAC] != "" {
+ switch cm.Data[RespectRBAC] {
+ case RespectRBACValueNormal:
+ return enginecache.RespectRbacNormal, nil
+ case RespectRBACValueStrict:
+ return enginecache.RespectRbacStrict, nil
+ default:
+ return enginecache.RespectRbacDisabled, fmt.Errorf("invalid value for %s: %s", RespectRBAC, cm.Data[RespectRBAC])
+ }
+ }
+ return enginecache.RespectRbacDisabled, nil
+}
+
 func (mgr *SettingsManager) GetSecretsLister() (v1listers.SecretLister, error) {
  err := mgr.ensureSynced(false)
  if err != nil {