feat: additional RBAC configmaps

[notfromstatefarm]

Signed-off-by: notfromstatefarm 86763948+notfromstatefarm@users.noreply.github.com

Note on DCO:

If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).

Closes #8324

This PR implements 'additional configmaps' for RBAC. Any configmaps with the label argocd.argoproj.io/cm-type=additional-rbac will be used and watched for changes. The policy.csv key is merged from all of them. This allows users to easily deploy new RBAC rules by simply deploying additional ConfigMaps.

This PR also introduces a new concept suggested by @crenshaw-dev: a standardized security field on logs where the value indicates severity/level of paranoia.

I've tested this locally and it works like a charm!

[codecov]

Codecov Report

Attention: 42 lines in your changes are missing coverage. Please review.

Comparison is base (179d1e0) 45.84% compared to head (8ede094) 45.84%.
Report is 1891 commits behind head on master.

Files	Patch %	Lines
util/rbac/rbac.go	32.75%	39 Missing ⚠️
util/oidc/oidc.go	80.00%	1 Missing and 1 partial ⚠️
cmd/argocd/commands/admin/settings_rbac.go	50.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #9976      +/-   ##
==========================================
- Coverage   45.84%   45.84%   -0.01%     
==========================================
  Files         227      227              
  Lines       27095    27381     +286     
==========================================
+ Hits        12422    12553     +131     
- Misses      12974    13125     +151     
- Partials     1699     1703       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[crenshaw-dev]

What happens if I remove the label? Will the policy be dropped from the combined policy?

[bilalcaliskan]

since we are using v1.NewFilteredConfigMapInformer with our specified labelselector, it will drop the policy from combined policy:

time="2022-11-21T23:04:23Z" level=info msg="RBAC Additional ConfigMap 'argocd-rbac-cm-extra' deleted" security=2

[jessesuen]

I thought the order of resolution of casbin rules was significant. How is this merging this in a predictable order?

[jannfis]

Hm, according to our Casbin model, we don't use any priority model. I think our model uses simple allow/deny patterns, with deny overriding any allow statement. But we should verify that.

[jannfis]

This change should also be reflected in the argocd admin settings rbac can command, which can operate from the live configuration to check certain RBAC constraints.

Probably

argo-cd/cmd/argocd/commands/admin/settings_rbac.go

Line 248 in 33fa916

cm, err := getPolicyConfigMap(ctx, kubeClient, namespace)

should return a concatenated version of all ConfigMaps

[jannfis]

Should additional-rbac become a constant?

And also, I'm in favor for dropping additional and just having it named rbac

[v1ctorrhs]

@notfromstatefarm when is this expected to be merged? Thanks

[v1ctorrhs]

@notfromstatefarm sorry to ping again, what's needed here?

[crenshaw-dev]

@v1ctorrhs Jann's comments need to be addressed before this can be merged. I think @notfromstatefarm has been too busy to work on this PR. Do you think you'd be able to pick it up and finish off the last few items?

[m0un10]

This PR is just what we are looking for! 😍😍😍😍
If released, we'd be able to remove 100s of lines from our kustomize overlays.
This is because we'd be able to have a base argocd-rbac-cm and then smaller ones for each overlay.
Is it being blocked because it needs a constant and a name change? If so, let me know and I can raise a PR against this PR with the fix.

[crenshaw-dev]

@notfromstatefarm want to close this for now until you (or someone else) has time to pick it back up?

[bilalcaliskan]

greetings everyone, i am willing to pick the PR from the current state and try to complete requirements if that's ok for @notfromstatefarm. i will start working on your fork btw.

[crenshaw-dev]

@bilalcaliskan sounds great! Let me know if you need any help.

[bilalcaliskan]

by the way i am currently working on that PR on https://github.com/bilalcaliskan/argo-cd/tree/feat/additional-rbac-configmaps which is my own fork from argoproj/argo-cd since i dont have push permission on the branch of that repository. Just a single code review recommendation left (#9976 (comment))

@crenshaw-dev Is it OK to implement that feature on different PR by marking notfromstatefarm and myself as co-authors? I am having trouble to decide how to proceed with that feature since we cant access to notfromstatefarm, so just wondering your opinion.

[leoluz]

We are facing a similar issue at Intuit and we require something similar. However I don't understand the reason of adding an additional configmap for that. I implemented a similar feature in a different PR using additional predefined keys in the same configmap.

Please take a look: #12511

The advantages of that approach are:

• doesn't require users to provide additional configmaps.
• backwards compatible
• easy to integrate with kustomize overlays
• simpler implementation

The cons are:

• can not handle RBAC csv's bigger than 1MiB which is the current limit of configmap
• requires config management setup (kustomize, helm, etc). Doesn't work with "JBOCM" concept(Just a bunch of ConfigMaps)

wdyt @jessesuen @jannfis @notfromstatefarm @crenshaw-dev

[jannfis]

I like that approach, @leoluz. It's simple enough to be useful for me.

As a con, I'd like to add: Requires some kind of config management tool such as Kustomize to leverage, as opposed to the "JBOCM" (Just a bunch of ConfigMaps) approach of the original PR.

[jannfis]

@leoluz Oh. And another one would maybe the etcd size limit for resources (thinking in terms of really huge amounts of RBAC rules to fit into a single ConfigMap resource).

[leoluz]

@jannfis Thank you! Updated my previous message with both cons.

btw.. Is JBOCM a thing? :D

[JorTurFer]

Hello,
Any update about this? This feature would be nice for our use case