Application RBAC

The RBAC syntax for Application objects has been changed from <project>/<application> to <project>/<namespace>/<application> to accommodate the need to restrict access based on the source namespace of the Application to be managed.

For backwards compatibility, Applications in the argocd namespace can still be referred to as <project>/<application> in the RBAC policy rules.

Wildcards do not make any distinction between project and application namespaces yet. For example, the following RBAC rule would match any application belonging to project foo, regardless of the namespace it is created in:

p, somerole, applications, get, foo/*, allow

If you want to restrict access to be granted only to Applications in project foo within namespace bar, the rule would need to be adapted as follows:

p, somerole, applications, get, foo/bar/*, allow

This is the argocd documentation for version 2.13. I have the same version, but no matter how I play with it I can't make the namespace the deciding factor for permissions. I can only filter by app name or project name. Can you help me understand what I am missing?
This is my policy:
role:todo, *, *, */monitoring/*, allow.
I want to allow the group todo to be able to see and change only resources in k8s namespace 'monitoring', but it doesn't work. I get nothing for those users, as I don't have any application with this name.
It interprets it as project-name/application-name instead of project-name/namespace/application-name as the documentation shows.
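
The matching described in the quoted documentation, as an added example that is not part of the original post or of Argo CD's code. It assumes the control-plane namespace is argocd, takes "source namespace" to mean the namespace the Application resource itself lives in (not the destination namespace it deploys to), uses Python's fnmatchcase as a stand-in for the policy glob matcher, and runs over constructed sample Applications.

```python
from fnmatch import fnmatchcase

CONTROL_PLANE_NS = "argocd"  # assumption: namespace Argo CD itself is installed in


def rbac_object(project, app_namespace, app_name):
    """Build the object string a policy rule is compared against.

    Per the quoted docs: <project>/<namespace>/<application>, except that
    Applications in the argocd namespace keep the short <project>/<application>.
    """
    if app_namespace in ("", CONTROL_PLANE_NS):
        return f"{project}/{app_name}"
    return f"{project}/{app_namespace}/{app_name}"


def allowed(pattern, project, app_namespace, app_name):
    # Stand-in matcher: '*' also spans '/', which mirrors the documented
    # behaviour that wildcards do not distinguish project from namespace.
    return fnmatchcase(rbac_object(project, app_namespace, app_name), pattern)


# Constructed samples:
# (project, namespace of the Application resource, app name, destination namespace)
APPS = [
    ("ops", "argocd", "prometheus", "monitoring"),   # deploys INTO monitoring
    ("ops", "monitoring", "grafana", "monitoring"),  # Application LIVES in monitoring
    ("web", "team-a", "shop", "prod"),
]


def evaluate(pattern):
    """Return {"<app namespace>/<app name>": matched?} for every sample app."""
    return {f"{ns}/{name}": allowed(pattern, proj, ns, name)
            for proj, ns, name, _dest in APPS}


if __name__ == "__main__":
    for pattern in ("*/monitoring/*", "ops/*", "ops/monitoring/*"):
        print(f"{pattern:20} {evaluate(pattern)}")
```

The destination namespace never enters the object string, so a rule such as */monitoring/* only matches Applications whose own resource is created in a namespace called monitoring.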