Ability to disable https://kubernetes.default.svc #7571

Closed
jessesuen opened this issue Oct 28, 2021 · 6 comments · Fixed by #7620

@jessesuen
Member

jessesuen commented Oct 28, 2021

Summary

Many users run Argo CD in a mode where that Argo CD instance doesn't ever need or want to deploy Applications to the same cluster Argo CD is running in (e.g. Intuit does this). For these users, the https://kubernetes.default.svc should be disabled and removed as an option.

Motivation

The ability to disable https://kubernetes.default.svc is both a security improvement and a usability improvement, since end-users do not see a cluster which they cannot use.

Proposal

Argo CD should have an option to disable https://kubernetes.default.svc as a managed cluster so that it becomes impossible to deploy to.

@jessesuen jessesuen added enhancement New feature or request good first issue Good for newcomers labels Oct 28, 2021
@dirien
Contributor

dirien commented Oct 28, 2021

Wow, that's an interesting request. Happy to help.

@jessesuen
Member Author

Changes probably needed here:

func (db *db) ListClusters(ctx context.Context) (*appv1.ClusterList, error) {
	// Load every secret labelled as a cluster secret.
	clusterSecrets, err := db.listSecretsByType(common.LabelValueSecretTypeCluster)
	if err != nil {
		return nil, err
	}
	clusterList := appv1.ClusterList{
		Items: make([]appv1.Cluster, 0),
	}
	hasInClusterCredentials := false
	for _, clusterSecret := range clusterSecrets {
		cluster, err := secretToCluster(clusterSecret)
		if err != nil {
			log.Errorf("could not unmarshal cluster secret %s", clusterSecret.Name)
			continue
		}
		clusterList.Items = append(clusterList.Items, *cluster)
		if cluster.Server == appv1.KubernetesInternalAPIServerAddr {
			hasInClusterCredentials = true
		}
	}
	// No secret defines the in-cluster address: the local cluster is appended implicitly.
	if !hasInClusterCredentials {
		clusterList.Items = append(clusterList.Items, *db.getLocalCluster())
	}
	return &clusterList, nil
}

@pixelsoccupied

Hi there, to reiterate -- if the user provides https://kubernetes.default.svc with .spec.destination.server or with cli --dest-server https://kubernetes.default.svc, we would need to check if there's a (new?) flag present before we proceed. If there's no flag, just go on with the usual flow, else log an error?

Could you talk a bit more about this flag/option to disable https://kubernetes.default.svc? Would the user provide it during installation only? Or would there be a UI/CR/CLI/post-installation way as well? What would the flag be called?

@terrytangyuan
Member

terrytangyuan commented Nov 4, 2021

@pixelsoccupied This will be a new key, e.g. "inClusterServerAddressAllowed", in ArgoCD ConfigMap so you can update it on the fly as well.

@terrytangyuan
Member

I created a draft PR in #7620. Feel free to leave your feedback there.

terrytangyuan added a commit to terrytangyuan/argo-cd that referenced this issue Feb 4, 2022
jessesuen pushed a commit that referenced this issue Feb 16, 2022
gdsoumya pushed a commit to gdsoumya/argo-cd that referenced this issue Feb 23, 2022
wojtekidd pushed a commit to wojtekidd/argo-cd that referenced this issue Apr 25, 2022
@agaudreault
Member

agaudreault commented Dec 17, 2024

This does not seem to prevent Application from being created using this cluster. The only thing it is doing is hiding the cluster from the list of available clusters. #21207

As it is documented, it would seem that this feature should prevent new applications from being created and should not sync existing applications with the in-cluster destination.
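The gap between hiding the in-cluster entry from the cluster list and refusing it as a destination, which the thread's last comment points out, shown as an added example (not part of the thread and not Argo CD's code). `Settings`, `InClusterEnabled`, `ListServers` and `ValidateDestination` are hypothetical names, and treating a trailing slash as the same server is an assumption of this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Address from the issue title; every other name in this file is hypothetical.
const inClusterAddr = "https://kubernetes.default.svc"

type Settings struct{ InClusterEnabled bool } // stand-in for the on/off option

var ErrInClusterDisabled = errors.New("in-cluster destination is disabled")

func isInCluster(server string) bool { // assumption: trailing slash is the same server
	return strings.TrimRight(server, "/") == inClusterAddr
}

// ListServers is the listing half: it drops the in-cluster entry when disabled
// and appends it implicitly when enabled and not configured.
func ListServers(s Settings, configured []string) []string {
	out := make([]string, 0, len(configured)+1)
	has := false
	for _, srv := range configured {
		if isInCluster(srv) {
			if !s.InClusterEnabled {
				continue
			}
			has = true
		}
		out = append(out, srv)
	}
	if s.InClusterEnabled && !has {
		out = append(out, inClusterAddr)
	}
	return out
}

// ValidateDestination is the enforcement half: without a check like this on
// create and sync, a hidden cluster can still be named as a destination.
func ValidateDestination(s Settings, server string) error {
	if !s.InClusterEnabled && isInCluster(server) {
		return fmt.Errorf("%w: %s", ErrInClusterDisabled, server)
	}
	return nil
}

func main() { // constructed input: in-cluster disabled, one external cluster
	s := Settings{}
	fmt.Println(ListServers(s, []string{"https://prod.example.com"}), ValidateDestination(s, inClusterAddr))
}
```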
