Destination permitted check does not check both server and namespace #19804

@mmb

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug

Project destinations:

destinations:
  - namespace: test
    server: '*'
  - namespace: other
    server: '!https://test-server'

An app in this project trying to deploy to https://test-server in namespace test will be denied.

The logic in https://github.com/argoproj/argo-cd/blob/master/pkg/apis/application/v1alpha1/app_project_types.go#L474 denies if the server is in any deny destination regardless of the namespace.

To Reproduce

This is reproducible by adding a unit test to types_test.go.

Expected behavior

I would expect the denial to take the namespace into consideration. For me the "any allow permits and no deny rejects" semantics are hard to reason about. It seems like this check should be a simple "if any rule matches", although this would be a breaking change with security implications.

Version

v2.11.3+3f344d5

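Added example, not part of the original issue and not Argo CD's code: a simplified Go model that contrasts the per-field deny behaviour the report describes with the paired server-and-namespace check the reporter expects, evaluated on the project destinations above. `Destination`, `Permitted`, `named`, `isDeny` and `IssueRules` are hypothetical names, and matching is assumed to cover only `*` and exact strings.

```go
package main

import (
	"fmt"
	"strings"
)

// Destination is a simplified stand-in for one project destination entry.
type Destination struct{ Server, Namespace string }

func isDeny(pattern string) bool { return strings.HasPrefix(pattern, "!") }

// named reports whether value is what pattern names, ignoring a leading "!".
// Assumption: only "*" and exact strings are handled, not full globs.
func named(pattern, value string) bool {
	p := strings.TrimPrefix(pattern, "!")
	return p == "*" || p == value
}

// Permitted evaluates dst against rules. With paired=false a deny pattern
// rejects as soon as it names its own field (the reported behaviour); with
// paired=true it rejects only when the rule's other field names dst as well
// (the behaviour the reporter expects).
func Permitted(rules []Destination, dst Destination, paired bool) bool {
	allowed := false
	for _, r := range rules {
		srv, ns := named(r.Server, dst.Server), named(r.Namespace, dst.Namespace)
		denyHit := (isDeny(r.Server) && srv) || (isDeny(r.Namespace) && ns)
		if denyHit && (!paired || (srv && ns)) {
			return false
		}
		// "!x" accepts everything except x, so a field passes when
		// "named" and "is a deny pattern" disagree.
		if srv != isDeny(r.Server) && ns != isDeny(r.Namespace) {
			allowed = true
		}
	}
	return allowed
}

// IssueRules is the project configuration from the report.
var IssueRules = []Destination{{"*", "test"}, {"!https://test-server", "other"}}

func main() {
	for _, d := range []Destination{{"https://test-server", "test"}, {"https://test-server", "other"}} {
		fmt.Println(d, Permitted(IssueRules, d, false), Permitted(IssueRules, d, true))
	}
}
```

In this model the paired mode permits `https://test-server` in namespace `test`, which the per-field mode rejects, so changing semantics widens what an existing project allows and needs to be reviewed as a policy change.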
