Skip to content

Feature Request: Option to Disable Patch/Delete Permissions for Argo CD Server in Read-Only Mode #3594

New issue
New issue
Open
Open
Feature Request: Option to Disable Patch/Delete Permissions for Argo CD Server in Read-Only Mode#3594
Labels
enhancementNew feature or request
@iakashraut

Description

@iakashraut
iakashraut
opened on Nov 19, 2025

Is your feature request related to a problem?

Yes. When using Argo CD in read-only mode, the default Helm chart still assigns broad patch/delete permissions to the argocd-server service account. These permissions are unnecessary for our use case and fail internal security/RBAC reviews.

Related helm chart

argo-cd

Describe the solution you'd like

I would like a Helm chart option (e.g., server.rbac.minimal: true) that generates a reduced-privilege ClusterRole for argocd-server, removing wildcard patch and delete permissions when Argo CD is running in read-only mode.

Describe alternatives you've considered

The only alternative is to manually override or recreate the argocd-server ClusterRole with reduced permissions, but this is not ideal because it requires maintaining custom RBAC outside the Helm chart and can break during upgrades.

Additional context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions