diff --git a/docs/operator-manual/upgrading/2.14-3.0.md b/docs/operator-manual/upgrading/2.14-3.0.md index 7d007857e228c..d583a16363117 100644 --- a/docs/operator-manual/upgrading/2.14-3.0.md +++ b/docs/operator-manual/upgrading/2.14-3.0.md @@ -35,25 +35,27 @@ Starting from 3.0, this flag is removed and the logs RBAC is enforced by default #### Detection -Users who have `server.rbac.log.enforce.enable: "true"` in their `argocd-cm` ConfigMap, are unaffected by this change. +Users who have `server.rbac.log.enforce.enable: "true"` in their `argocd-cm` ConfigMap, are unaffected by this change. -Users who have `policy.default: role:readonly` or `policy.default: role:admin` in their `argocd-rbac-cm` ConfigMap, are unaffected. +Users who have `policy.default: role:readonly` or `policy.default: role:admin` in their `argocd-rbac-cm` ConfigMap, are unaffected. -Users who don't have a `policy.default` in their `argocd-rbac-cm` ConfigMap, and either have `server.rbac.log.enforce.enable` set to `false` or don't have this setting at all in their `argocd-cm` ConfigMap are affected and should perform the below remediation steps. +Users who don't have a `policy.default` in their `argocd-rbac-cm` ConfigMap, and either have `server.rbac.log.enforce.enable` set to `false` or don't have this setting at all in their `argocd-cm` ConfigMap are affected and should perform the below remediation steps. -After the upgrade, it is recommended to remove the setting `server.rbac.log.enforce.enable` from `argocd-cm` ConfigMap, if it was there before the upgrade. +After the upgrade, it is recommended to remove the setting `server.rbac.log.enforce.enable` from `argocd-cm` ConfigMap, if it was there before the upgrade. #### Remediation -##### Quick remediation (global change) -For users with an existing default policy with a custom role, add this policy to `policy.csv` for your custom role: `p, role:, logs, get, */*, allow`. -For users without a default policy, add this policy to `policy.csv`: `p, role:global-log-viewer, logs, get, */*, allow` and add the default policy for this role: `policy.default: role:global-log-viewer` +##### Quick remediation (global change) + +For users with an existing default policy with a custom role, add this policy to `policy.csv` for your custom role: `p, role:, logs, get, */*, allow`. +For users without a default policy, add this policy to `policy.csv`: `p, role:global-log-viewer, logs, get, */*, allow` and add the default policy for this role: `policy.default: role:global-log-viewer` ##### Recommended remediation (per-policy change) -Explicitly add a `logs, get` policy to every role that has a policy for `applications, get` or for `applications, *`. -This is the recommended way to maintain the principle of least privilege. -Similar to the way access to Applications are currently managed, access to logs can be either granted on a Project scope level (Project resource) or on the `argocd-rbac-cm` ConfigMap level. -See this [example](../upgrading/2.3-2.4.md#example-1) for more details. + +Explicitly add a `logs, get` policy to every role that has a policy for `applications, get` or for `applications, *`. +This is the recommended way to maintain the principle of least privilege. +Similar to the way access to Applications are currently managed, access to logs can be either granted on a Project scope level (Project resource) or on the `argocd-rbac-cm` ConfigMap level. +See this [example](../upgrading/2.3-2.4.md#example-1) for more details. ### Default `resource.exclusions` configurations @@ -63,7 +65,7 @@ which we exclude for performance reasons, reducing connections and load to the K The excluded Kinds are: -- **Kubernetes Resources**: `Endpoints`, `EndpointSlice`, `APIService`, `Lease`, `SelfSubjectReview`, `TokenReview`, `LocalSubjectAccessReview`, `SelfSubjectAccessReview`, `SelfSubjectRulesReview`, `SubjectAccessReview`, `CertificateSigningRequest`, `PolicyReport` and `ClusterPolicyReport`. +- **Kubernetes Resources**: `Endpoints`, `EndpointSlice`, `Lease`, `SelfSubjectReview`, `TokenReview`, `LocalSubjectAccessReview`, `SelfSubjectAccessReview`, `SelfSubjectRulesReview`, `SubjectAccessReview`, `CertificateSigningRequest`, `PolicyReport` and `ClusterPolicyReport`. - **Cert Manager**: `CertificateRequest`. - **Kyverno**: `EphemeralReport`, `ClusterEphemeralReport`, `AdmissionReport`, `ClusterAdmissionReport`, `BackgroundScanReport`, `ClusterBackgroundScanReport` and `UpdateRequest`. - **Cilium**: `CiliumIdentity`, `CiliumEndpoint` and `CiliumEndpointSlice`. @@ -216,26 +218,28 @@ spec: namespace: guestbook ``` -### Upgraded Helm version with breaking changes -Helm was upgraded to 3.17.1. -This may require changing your `values.yaml` files for subcharts, if the `values.yaml` contain a section with a `null` object. -See related issue in [Helm GitHub repository](https://github.com/helm/helm/issues/12469) -See Helm 3.17.1 [release notes](https://github.com/helm/helm/releases/tag/v3.17.1) -Example of such a [problem and resolution](https://github.com/argoproj/argo-cd/pull/22035/files) +### Upgraded Helm version with breaking changes + +Helm was upgraded to 3.17.1. +This may require changing your `values.yaml` files for subcharts, if the `values.yaml` contain a section with a `null` object. +See related issue in [Helm GitHub repository](https://github.com/helm/helm/issues/12469) +See Helm 3.17.1 [release notes](https://github.com/helm/helm/releases/tag/v3.17.1) +Example of such a [problem and resolution](https://github.com/argoproj/argo-cd/pull/22035/files) Explanation: + - Prior to Helm 3.17.1, `null` object in `values.yaml` resulted in a warning: `cannot overwrite table with non table` upon performing `helm template`, and the resulting K8s object was not overridden with the invalid `null` value. - In Helm 3.17.1, this behavior changed and `null` object in `values.yaml` still results in this warning upon performing `helm template`, but the resulting K8s object will be overridden with the invalid `null` value. -- To resolve the issue, identify `values.yaml` with `null` object values, and remove those `null` values. +- To resolve the issue, identify `values.yaml` with `null` object values, and remove those `null` values. ### Use Annotation-Based Tracking by Default -The default behavior for [tracking resources](../../user-guide/resource_tracking.md) has changed to use annotation-based -tracking instead of label-based tracking. Annotation-based tracking is more reliable and less prone to errors caused by +The default behavior for [tracking resources](../../user-guide/resource_tracking.md) has changed to use annotation-based +tracking instead of label-based tracking. Annotation-based tracking is more reliable and less prone to errors caused by external code copying tracking labels from one resource to another. #### Detection -To detect if you are impacted, check the `argocd-cm` ConfigMap for the `application.resourceTrackingMethod` field. If it +To detect if you are impacted, check the `argocd-cm` ConfigMap for the `application.resourceTrackingMethod` field. If it unset or is set to `label`, you are using label-based tracking. If it is set to `annotation`, you are already using annotation-based tracking and are not impacted by this change. diff --git a/manifests/base/config/argocd-cm.yaml b/manifests/base/config/argocd-cm.yaml index f935337f03b13..393d3fe657b26 100644 --- a/manifests/base/config/argocd-cm.yaml +++ b/manifests/base/config/argocd-cm.yaml @@ -70,10 +70,6 @@ data: - Endpoints - EndpointSlice ### Internal Kubernetes resources excluded reduce the number of watched events - - apiGroups: - - apiregistration.k8s.io - kinds: - - APIService - apiGroups: - coordination.k8s.io kinds: diff --git a/manifests/core-install-with-hydrator.yaml b/manifests/core-install-with-hydrator.yaml index 208de4f4d87e9..5a54ca743e891 100644 --- a/manifests/core-install-with-hydrator.yaml +++ b/manifests/core-install-with-hydrator.yaml @@ -24269,10 +24269,6 @@ data: - Endpoints - EndpointSlice ### Internal Kubernetes resources excluded reduce the number of watched events - - apiGroups: - - apiregistration.k8s.io - kinds: - - APIService - apiGroups: - coordination.k8s.io kinds: diff --git a/manifests/core-install.yaml b/manifests/core-install.yaml index 43a7151b37ecf..fe6a9e0dccbe8 100644 --- a/manifests/core-install.yaml +++ b/manifests/core-install.yaml @@ -24260,10 +24260,6 @@ data: - Endpoints - EndpointSlice ### Internal Kubernetes resources excluded reduce the number of watched events - - apiGroups: - - apiregistration.k8s.io - kinds: - - APIService - apiGroups: - coordination.k8s.io kinds: diff --git a/manifests/ha/install-with-hydrator.yaml b/manifests/ha/install-with-hydrator.yaml index 8d779384407a7..cd261650e14a0 100644 --- a/manifests/ha/install-with-hydrator.yaml +++ b/manifests/ha/install-with-hydrator.yaml @@ -24678,10 +24678,6 @@ data: - Endpoints - EndpointSlice ### Internal Kubernetes resources excluded reduce the number of watched events - - apiGroups: - - apiregistration.k8s.io - kinds: - - APIService - apiGroups: - coordination.k8s.io kinds: diff --git a/manifests/ha/install.yaml b/manifests/ha/install.yaml index 5e1211fb3ac3e..d9831bd858289 100644 --- a/manifests/ha/install.yaml +++ b/manifests/ha/install.yaml @@ -24669,10 +24669,6 @@ data: - Endpoints - EndpointSlice ### Internal Kubernetes resources excluded reduce the number of watched events - - apiGroups: - - apiregistration.k8s.io - kinds: - - APIService - apiGroups: - coordination.k8s.io kinds: diff --git a/manifests/ha/namespace-install-with-hydrator.yaml b/manifests/ha/namespace-install-with-hydrator.yaml index 034b8f90aef2a..a4eb47bca8dc0 100644 --- a/manifests/ha/namespace-install-with-hydrator.yaml +++ b/manifests/ha/namespace-install-with-hydrator.yaml @@ -513,10 +513,6 @@ data: - Endpoints - EndpointSlice ### Internal Kubernetes resources excluded reduce the number of watched events - - apiGroups: - - apiregistration.k8s.io - kinds: - - APIService - apiGroups: - coordination.k8s.io kinds: diff --git a/manifests/ha/namespace-install.yaml b/manifests/ha/namespace-install.yaml index 41426c32135b7..63ed607b28730 100644 --- a/manifests/ha/namespace-install.yaml +++ b/manifests/ha/namespace-install.yaml @@ -504,10 +504,6 @@ data: - Endpoints - EndpointSlice ### Internal Kubernetes resources excluded reduce the number of watched events - - apiGroups: - - apiregistration.k8s.io - kinds: - - APIService - apiGroups: - coordination.k8s.io kinds: diff --git a/manifests/install-with-hydrator.yaml b/manifests/install-with-hydrator.yaml index b8df9d34ff6aa..c965d2fc460f9 100644 --- a/manifests/install-with-hydrator.yaml +++ b/manifests/install-with-hydrator.yaml @@ -24629,10 +24629,6 @@ data: - Endpoints - EndpointSlice ### Internal Kubernetes resources excluded reduce the number of watched events - - apiGroups: - - apiregistration.k8s.io - kinds: - - APIService - apiGroups: - coordination.k8s.io kinds: diff --git a/manifests/install.yaml b/manifests/install.yaml index a65e79c66f4f8..dac2f531e5463 100644 --- a/manifests/install.yaml +++ b/manifests/install.yaml @@ -24620,10 +24620,6 @@ data: - Endpoints - EndpointSlice ### Internal Kubernetes resources excluded reduce the number of watched events - - apiGroups: - - apiregistration.k8s.io - kinds: - - APIService - apiGroups: - coordination.k8s.io kinds: diff --git a/manifests/namespace-install-with-hydrator.yaml b/manifests/namespace-install-with-hydrator.yaml index 187c80cf91bdb..cfbbbdb406f92 100644 --- a/manifests/namespace-install-with-hydrator.yaml +++ b/manifests/namespace-install-with-hydrator.yaml @@ -464,10 +464,6 @@ data: - Endpoints - EndpointSlice ### Internal Kubernetes resources excluded reduce the number of watched events - - apiGroups: - - apiregistration.k8s.io - kinds: - - APIService - apiGroups: - coordination.k8s.io kinds: diff --git a/manifests/namespace-install.yaml b/manifests/namespace-install.yaml index db028431acce5..85aee13abdc58 100644 --- a/manifests/namespace-install.yaml +++ b/manifests/namespace-install.yaml @@ -455,10 +455,6 @@ data: - Endpoints - EndpointSlice ### Internal Kubernetes resources excluded reduce the number of watched events - - apiGroups: - - apiregistration.k8s.io - kinds: - - APIService - apiGroups: - coordination.k8s.io kinds: