Replies: 2 comments
-
|
@reggie-k, work-in-progress proposal for project inheritance / App-of-Projects restrictions: #9992 |
Beta Was this translation helpful? Give feedback.
0 replies
-
|
Thanks a lot, will look into it thoroughly Sunday
…On Thu, Jul 14, 2022, 19:40 Michael Crenshaw ***@***.***> wrote:
@reggie-k <https://github.com/reggie-k>, work-in-progress proposal for
project inheritance / App-of-Projects restrictions: #9992
<#9992>
—
Reply to this email directly, view it on GitHub
<#8031 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AEVDWBG3HLBXLUFJXF4ZJJLVUA7HPANCNFSM5KVCVZ5A>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
With RBAC for ArgoCD applications, and latest changes with repositories and clusters that developers can configure for themselves, being independent of ArgoCD admins, and having a self-service approach to AppProject creation and management seems beneficial.
Something similar to ApplicationSet for AppProjects (AppProjectSet?) combined with RBAC might achieve this goal.
As an admin, I would like to define what values can be filled in a template for AppProject (similar to the AppSet generators), and then define some project templates for the developers.
The developers then will be able to fill values in those templates, and will need ArgoCD RBAC to allow them managing only AppProjects from those templates (maybe such template might be a new RBAC resource and AppProject might be then a subresource of the template).
The approach will allow me, as an admin, to protect the cluster in terms of setting the whitelist of allowed cluster-scoped resources the developers can touch, and potentially define a regex of allowed target namespaces for the AppProj , while letting the developers create the AppProjects themselves and also manage themselves which other users/groups will be on the AppProject role. The developers might also fill values for their target ns name, by the regex an admin set on the template.
Kind of a freedom in a well-defined boundaries.
Beta Was this translation helpful? Give feedback.
All reactions