feat: Enable ApplicationFineGrainedRBACInheritance by default (argoproj-labs#1749)

* Enable ApplicationFineGrainedRBACInheritance by default

Signed-off-by: nmirasch <neus.miras@gmail.com>

* add documentation of default server.rbac.disableApplicationFineGrainedRBACInheritance value

Signed-off-by: nmirasch <neus.miras@gmail.com>

---------

Signed-off-by: nmirasch <neus.miras@gmail.com>

Author: nmirasch

common/keys.go

@@ -193,6 +193,10 @@ const (
 	// to used for the Redis container.
 	ArgoCDRedisImageEnvName = "ARGOCD_REDIS_IMAGE"
 
+	// ArgoCDServerRBACDisableFineGrainedInheritance is needed to specify if it is not possible to deny
+	// fine-grained permissions for a sub-resource if the action was explicitly allowed on the application
+	ArgoCDServerRBACDisableFineGrainedInheritance = "server.rbac.disableApplicationFineGrainedRBACInheritance"
+
 	// ArgoCDDeletionFinalizer is a finalizer to implement pre-delete hooks
 	ArgoCDDeletionFinalizer = "argoproj.io/finalizer"
 

controllers/argocd/configmap.go

@@ -443,6 +443,11 @@ func (r *ReconcileArgoCD) reconcileArgoConfigMap(cr *argoproj.ArgoCD) error {
 		}
 	}
 
+	// Check and set default value for server.rbac.disableApplicationFineGrainedRBACInheritance if not present
+	if _, exists := cm.Data[common.ArgoCDServerRBACDisableFineGrainedInheritance]; !exists {
+		cm.Data[common.ArgoCDServerRBACDisableFineGrainedInheritance] = "false"
+	}
+
 	if err := controllerutil.SetControllerReference(cr, cm, r.Scheme); err != nil {
 		return err
 	}

controllers/argocd/configmap_test.go

@@ -233,9 +233,10 @@ func TestReconcileArgoCD_reconcileArgoConfigMap(t *testing.T) {
 		"oidc.config":                        "",
 		"resource.inclusions":                "",
 		"resource.exclusions":                "",
-		"statusbadge.enabled":                "false",
-		"url":                                "https://argocd-server",
-		"users.anonymous.enabled":            "false",
+		"server.rbac.disableApplicationFineGrainedRBACInheritance": "false",
+		"statusbadge.enabled":     "false",
+		"url":                     "https://argocd-server",
+		"users.anonymous.enabled": "false",
 	}
 
 	cmdTests := []struct {

docs/reference/argocd.md

@@ -819,6 +819,14 @@ spec:
       g, system:cluster-admins, role:admin
     scopes: '[groups]'
 ```
+### Fine-Grained RBAC for application update and delete sub-resources (v3.0+)
+
+The default behavior of fine-grained policies have changed so they no longer apply to sub-resources. Prior to v3, policies granting update or delete to an application also applied to any of its sub-resources.
+
+Starting with v3, the update or delete actions only apply to the application itself. New policies must be defined to allow the update/* or delete/* actions on an Application's managed resources.
+
+To preserve v2 behavior the config value server.rbac.disableApplicationFineGrainedRBACInheritance is set to false in the Argo CD ConfigMap argocd-cm.
+
 
 ## Redis Options
 

tests/k8s/1-018_validate_extra_config/01-assert.yaml

@@ -14,4 +14,5 @@ kind: ConfigMap
 metadata:
   name: argocd-cm
 data:
-  admin.enabled: "true"
+  admin.enabled: "true"
+  server.rbac.disableApplicationFineGrainedRBACInheritance: "false"

tests/k8s/1-018_validate_extra_config/06-assert.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cm
+data:
+  server.rbac.disableApplicationFineGrainedRBACInheritance: "true"

tests/k8s/1-018_validate_extra_config/06-override-rbac-inheritance-using-extraconfig.yaml

@@ -0,0 +1,8 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ArgoCD
+metadata:
+  name: example-argocd
+spec:
+  disableAdmin: true
+  extraConfig:
+    "server.rbac.disableApplicationFineGrainedRBACInheritance": "true"