-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ArgoCD should support attributes that can explicitly disable application deletion and syncing #16063
Comments
A deny sync window should get you some of the way there already, this would protect against syncs at least. It might be worth extending the sync window functionality to protect against [manual] deletions as well? |
For one thing, sync windows documentation page mentions only AppProjects. Are they applicable to individual Applications too? Other than that, yes, sync windows, if they can be applied on per-application basis, can pretty much solve the problem, including, it seems, the separation of automated and manual syncs. Extending this to deletion, even with the same set of possible configuration attributes, would solve the deletion problem too. And there is likely a good possibility of code reuse to make both syncWindows and deleteWindows use the same code to calculate the allow/deny decision. |
Sadly no 😞 Implementing #11755 would be a nice way of achieving this, but there's the matter of who/when would implement this... |
Duplicate of #10301 |
This is an important feature, we have managing core system components by ArgoCD If we can have delete protection for applications, this could prevent any deletion accidentally |
Summary
There should be a way to explicitly block application deletion and syncing, regardless of what sequence of actions leads to them, using attributes in the Application object spec.
Motivation
There are many types of applications whose accidental deletion may result in a disaster: mission-critical applications, the "applications" application, applications that contain persistent volumes, application that manages ArgoCD itself etc.
Human errors happen.
There are multiple possibilities to trigger an unwanted deletion: from deleting a wrong application via the web UI (and even confirming it by typing the app name in the input field, which is a mistake easily made after a long day) to a poorly carried out migration of ArgoCD from cluster to cluster when one of the instances begins removing everything that it manages.
There are also situations when an unwanted sync may lead to a disaster, e.g., manifest path erroneously set to a wrong location and either auto-sync being enabled or the operator not checking the manifest diff before clicking Sync manually.
Application manifests often include namespace objects. If such an object is deleted following an accidental application deletion or syncing to a wrong set of manifests, then it can also be a disaster, such as losing data on persistent volumes that will be deleted following the deletion of the namespace, as well as losing state kept in CRD-managed objects.
The possibility to explicitly disable app deletion and sync would be similar in its purpose to, for example, the instance termination protection or the RDS deletion protection attributes supported by AWS which serve as an additional safeguard against accidental resource termination by both humans and automated resource management tools.
Proposal
The
automated
section is for the decisions made by ArgoCD itself. The rest are for externally triggered actions. The reason why I am proposing to make separate declarations forcli
andweb
is because the former is often used for external CI/CD workflows which are non-interactive with regards to human presence, and the latter is more likely to be used by humans, so they will serve different use cases.This would create a unified, easy to use and consistent method of specifying a set of human-readable unambiguous attributes as part of the application spec (as opposed to annotations which are generally harder to understand and track) to protect mission-critical resources regardless of whether the applications are standalone or managed by appsets.
There are quite a few related issues already, including, but not limited to:
Some are related to either bugs or misunderstanding of how the existing features work:
I believe that most of them, as far as the day-to-day practical use cases are concerned, could be solved by adding two simple boolean
isDeletionAllowed(app_id)
andisSyncAllowed(app_id)
functions that check the application's attributes proposed above and using them just before the deletion and sync procedures are normally called.Besides, this can provide an additional layer of security: currently a malicious actor, having obtained admin access to the ArgoCD web UI, can cause total destruction purely by the UI's own means. If the proposed enhancement is implemented, then there will be no way of destroying or changing protected applications, unless access to the repository holding the app definitions is obtained as well. The option to edit app manifests in the web UI remains, however, but it can (should?) respect either the deletion or sync policy to grant or deny access (see also #9031).
The text was updated successfully, but these errors were encountered: