docs(rbac): clarify glob pattern behavior for fine-grain RBAC (#20624) (#20627)

Signed-off-by: Michael Crenshaw <[email protected]>
Co-authored-by: Michael Crenshaw <[email protected]>
gcp-cherry-pick-bot[bot] and crenshaw-dev authored Oct 31, 2024
1 parent e48878b commit 0cae929
Showing 1 changed file with 13 additions and 3 deletions.
16 changes: 13 additions & 3 deletions docs/operator-manual/rbac.md
Expand Up @@ -122,9 +122,19 @@ To do so, when the action if performed on an application's resource, the `<actio
For instance, to grant access to `example-user` to only delete Pods in the `prod-app` Application, the policy could be:

```csv
p, example-user, applications, delete/*/Pod/*, default/prod-app, allow
p, example-user, applications, delete/*/Pod/*/*, default/prod-app, allow
```

!!!warning "Understand glob pattern behavior"

Argo CD RBAC does not use `/` as a separator when evaluating glob patterns. So the pattern `delete/*/kind/*`
will match `delete/<group>/kind/<namespace>/<name>` but also `delete/<group>/<kind>/kind/<name>`.

The fact that both of these match will generally not be a problem, because resource kinds generally contain capital
letters, and namespaces cannot contain capital letters. However, it is possible for a resource kind to be lowercase.
So it is better to just always include all the parts of the resource in the pattern (in other words, always use four
slashes).

If we want to grant access to the user to update all resources of an application, but not the application itself:

```csv
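Review bot: the admonition opener `!!!warning "Understand glob pattern behavior"` is missing the space after `!!!` that the existing `!!! note` further down in this file uses; MkDocs only treats `!!! warning ...` as an admonition, so as written the warning risks rendering as a plain paragraph. While here, the abstract example `delete/*/kind/*` matching `delete/<group>/<kind>/kind/<name>` uses `kind` both as a literal and as the `<kind>` placeholder; restating it in the page's own terms (`delete/*/Pod/*` also matches `delete/<group>/<kind>/Pod/<name>`, the literal landing on the namespace segment) would make the point easier to follow.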
Expand All @@ -135,7 +145,7 @@ If we want to explicitly deny delete of the application, but allow the user to d

```csv
p, example-user, applications, delete, default/prod-app, deny
p, example-user, applications, delete/*/Pod/*, default/prod-app, allow
p, example-user, applications, delete/*/Pod/*/*, default/prod-app, allow
```

!!! note
Expand All @@ -145,7 +155,7 @@ p, example-user, applications, delete/*/Pod/*, default/prod-app, allow

```csv
p, example-user, applications, delete, default/prod-app, allow
p, example-user, applications, delete/*/Pod/*, default/prod-app, deny
p, example-user, applications, delete/*/Pod/*/*, default/prod-app, deny
```

#### The `action` action
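Review bot: the five-segment pattern in `p, example-user, applications, delete/*/Pod/*/*, default/prod-app, deny` is right for consistency, but the reason differs from the allow examples and a sentence here would help: because `*` also spans `/`, a shorter pattern can only match more action strings, which for a deny rule fails closed (extra deletes are refused), whereas for the allow rules above it widens the grant. Readers auditing existing deny rules should know that `delete/*/Pod/*` on a deny line was over-broad rather than a bypass.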
