Rbac policy to allow exec rights in specific namespaces

[rorobig]

Describe the bug

I'm trying to restrict terminal access via argocd to a few specific namespaces using the rbac policies. I've tried with normal policies and via project policies, however none of them seem to work.

I'm wondering if what I'm trying to achieve is impossible or if I'm doing something wrong.

Related helm chart

argo-cd

Helm chart version

7.4.4

To Reproduce

Create rbac policy to enable exec rights on the staging namespace. This should allow devs to see a terminal window in all applications in the staging namespace.

p, role:devs, exec, create, staging/*, allow

Expected behavior

I would expect to see the terminal window.

Screenshots

No response

Additional context

Using the wildcard like below works. It's only when I try to restrict to namespaces that it doesn't work.
p, role:devs, exec, create, *, allow

I also tried setting the policies on the project, but that doesn't work either.

spec:
  roles:
    # Developers role with exec permissions in the tst1 namespace
    - name: devs
      description: Allow developers to exec into pods in the tst1 namespace
      policies:
        - p, proj:project-ota:devs, exec, create, staging/*, allow
      groups:
        - devs

[yu-croco]

Hi @rorobig , since it's about Argo CD's specification, you can get more help in upstream.
*argo-helm is for providing a way to deploy argoproj to kubernetes cluster, but we don't focus on the specification of apps.