Enabling the web based terminal in ArgoCD with fine grain access control.

[raion19]

Enabling the web based terminal in ArgoCD following this documentation:
https://argo-cd.readthedocs.io/en/latest/operator-manual/web_based_terminal/

We have realised that we can not define a deny policy for access to it. We tried to enable access to some users and deny access by default, but it didn't work. All users have access to the terminal and can exec commands on it even though we haven't explicitly granted the privilege.
Setting a deny all RBAC rule in the ArgoCD configmap does nothing, I still have access to the ArgoCD terminal.

From my policy.csv in argocd-rbac-cm configmap (deployed with the helm chart):

p, role:basic-role, exec , create, */*, deny    #deny all by default
p, role:myteam, exec, create, */*/test-549d8cb99d-ssgwt, allow   #allow access to a specific pod name

This is what we have for default base policy:

policy.default: role:basic-role

Is it possible to have a fine grain control access for a specific role?
How is this suppose to be done?
What are we doing wrong?

[robmarlow]

not sure if you resolved this but I was having a similiar issue. we put an implicit deny for all roles

p, role:writer, exec, create, *, deny

then added a implicit allow for the app we wanted to expose the terminal for

p, role:writer, exec, create, project/app, allow