Support resource filtering in Application controller #1010

Closed
alexmt opened this issue Jan 14, 2019 · 4 comments
Comments

alexmt (Collaborator) commented Jan 14, 2019

There are some cases when users don't want Argo CD to touch some cluster resources:

  • Temporary issues with an installed extension api-server. A filter could be used to exclude the problematic resource (Failed to sync cluster #1006 )
  • Some users install Argo CD to manage only namespace resources and don't want to give cluster wide access.

It would be useful to support application controller configuration which allows excluding some resources.

I would propose to add excludedResources settings to argocd-cm with the following fields:

  • group, kind - excluded resource group and kind ( should support wildcard matching )
  • scope - optional field which takes one of the following values: any, namespaced, cluster-wide
  • clusterURL - optional field to narrow filtering to a single cluster

Example:

```yaml
excludedResources:
  - group: istio.io
    kind: "*"          # a bare * is a YAML alias indicator, so the wildcard must be quoted
  - scope: cluster-wide
  - group: calico
    kind: "*"
    clusterURL: https://mycluster.com:443
```
alexmt (Collaborator, Author) commented Jan 14, 2019

Note: if api extension server is down then discovery api does not work as well. We will have to stop using disco.ServerPreferredResources() in kube.go to avoid listing resources for filtered out groups.

jessesuen (Member) commented

> Note: if api extension server is down then discovery api does not work as well. We will have to stop using disco.ServerPreferredResources() in kube.go to avoid listing resources for filtered out groups.

Luckily the disco.ServerPreferredResources() method will return partially complete list of api resources, so we don't need to go that route and continue using the standard go-client interfaces.

> Some users install Argo CD to manage only namespace resources and don't want to give cluster wide access.

I actually feel this is a bit of a contrived use case and I don't think we need to do anything here.

> I would propose to add excludedResources settings to argocd-cm with the following fields:

Can we make the data structure more similar to K8s RBAC rules, where groups/kinds are a list? Examples:

```yaml
excludedResources:
  # exclude all servicecatalog.k8s.io kinds
  - apiGroups:
    - servicecatalog.k8s.io
    kinds:
    - "*"            # quoted: a bare * is not valid YAML
  # exclude NetworkPolicy
  - apiGroups:
    - extensions
    - networking.k8s.io
    kinds:
    - NetworkPolicy
  # exclude Secrets, but only from https://mycluster.com:443
  - apiGroups:
    - ""             # "" is the core API group, as in RBAC rules
    kinds:
    - Secret
    clusters:
    - https://mycluster.com:443
```

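To make the proposed rule shape concrete, here is an added Go example (not Argo CD's code, and not part of this thread) showing the matching a controller-side filter would need: a resource type is excluded when any rule matches its API group and kind, with `*`-style wildcards via the standard library's `path.Match`, and, if the rule lists clusters, the cluster URL as well. It serves both the original `excludedResources` proposal and the RBAC-like list form above. The rules are constructed inline as Go values rather than parsed from `argocd-cm`, and the names `ExcludeRule`, `ResourceRef`, `IsExcluded` and `DefaultRules` are this example's own.

```go
package main

import (
	"fmt"
	"path"
)

// ExcludeRule mirrors the RBAC-like shape proposed in the thread: lists of
// API groups and kinds, plus an optional list of cluster URLs. An empty
// Clusters list means the rule applies to every cluster; an empty APIGroups
// or Kinds list matches nothing, so a half-written rule never silently
// excludes everything.
type ExcludeRule struct {
	APIGroups []string
	Kinds     []string
	Clusters  []string
}

// ResourceRef identifies a discovered resource type on a particular cluster.
type ResourceRef struct {
	Group   string // "" is the core API group, as in RBAC rules
	Kind    string
	Cluster string // API server URL of the cluster
}

// matchAny reports whether value equals, or glob-matches, at least one pattern.
// path.Match provides "*" and "*.k8s.io" style wildcards for groups and kinds;
// cluster URLs contain "/" so they effectively match only by exact equality.
func matchAny(patterns []string, value string) bool {
	for _, p := range patterns {
		if p == value {
			return true
		}
		if ok, err := path.Match(p, value); err == nil && ok {
			return true
		}
	}
	return false
}

// IsExcluded reports whether the controller should ignore r, and the index of
// the first matching rule (-1 if none). Rules are OR-ed together; within one
// rule every populated list must match.
func IsExcluded(rules []ExcludeRule, r ResourceRef) (bool, int) {
	for i, rule := range rules {
		if !matchAny(rule.APIGroups, r.Group) {
			continue
		}
		if !matchAny(rule.Kinds, r.Kind) {
			continue
		}
		if len(rule.Clusters) > 0 && !matchAny(rule.Clusters, r.Cluster) {
			continue
		}
		return true, i
	}
	return false, -1
}

// DefaultRules reproduce the three examples from the thread. They are
// constructed here as Go values; in Argo CD they would be loaded from the
// argocd-cm ConfigMap.
var DefaultRules = []ExcludeRule{
	{APIGroups: []string{"servicecatalog.k8s.io"}, Kinds: []string{"*"}},
	{APIGroups: []string{"extensions", "networking.k8s.io"}, Kinds: []string{"NetworkPolicy"}},
	{APIGroups: []string{""}, Kinds: []string{"Secret"}, Clusters: []string{"https://mycluster.com:443"}},
}

func main() {
	// Constructed sample resource types, including a Secret on a cluster the
	// third rule does not cover.
	checks := []ResourceRef{
		{"servicecatalog.k8s.io", "ServiceInstance", "https://a.example:6443"},
		{"networking.k8s.io", "NetworkPolicy", "https://a.example:6443"},
		{"networking.k8s.io", "Ingress", "https://a.example:6443"},
		{"", "Secret", "https://mycluster.com:443"},
		{"", "Secret", "https://other.example:6443"},
	}
	for _, c := range checks {
		ex, i := IsExcluded(DefaultRules, c)
		fmt.Printf("%-24s %-16s %-28s excluded=%-5v rule=%d\n", c.Group, c.Kind, c.Cluster, ex, i)
	}
}
```

Returning the matching rule index is deliberate: when the controller starts ignoring a resource type, logging which rule caused it makes a misconfigured filter (for example a `"*"` kind that was meant to be narrower) easy to spot.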
jutley (Contributor) commented Jun 28, 2019

@jessesuen

> Some users install Argo CD to manage only namespace resources and don't want to give cluster wide access.

> I actually feel this is a bit of a contrived use case and I don't think we need to do anything here.

I don't think this is a contrived example. At my org, we want to use ArgoCD within namespaces that opt in. This is for security reasons, so that we can ensure that ArgoCD cannot be used to manipulate any cluster resources or namespaced resources outside the intended namespace. I'd like to see namespace-based inclusion/exclusion rules supported.

alexmt (Collaborator, Author) commented Jun 30, 2019

I agree. @jessesuen, creating a ticket to support it unless you have strong objections.
