In this post, we will learn how to create new users and manage RBAC Configuration on ArgoCD.
By default, ArgoCD provides an admin user with full access to the system. That is fine while you work alone, but once your team scales, the boss will ask you: “Is there a way for developers to check logs on ArgoCD without asking you for help?”. You cannot hand the admin user to developers, so we have to create new user accounts and assign them the appropriate permissions.
Create new account
In ArgoCD, creating a new account is quite simple: we just need to edit the ConfigMap named argocd-cm in the namespace where ArgoCD is installed. For example, if we install it in the namespace argocd, the default argocd-cm configuration is as follows:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  url: https://argocd.example.com
```
Copy the default configuration, create a file named argocd-cm.yaml and paste the above snippet into it. Next, we update argocd-cm to create a user with the username hanli:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  url: https://argocd.example.com
  accounts.hanli: login
```
In the data property of the argocd-cm ConfigMap we declare the user we want to create, using the following format:

```yaml
accounts.<username>: <capabilities>
```
Each user can have two capabilities:
- apiKey – allows generating authentication tokens for API access
- login – allows logging in through the UI
In the above configuration we named the user hanli, and it can only log in (no API tokens). Next, we apply the updated ConfigMap:

```shell
kubectl apply -f argocd-cm.yaml
```
ArgoCD will create a new user named hanli. Next, we need to set a password for hanli so that it can log in to ArgoCD; we run the following command:

```shell
argocd account update-password --account hanli --new-password hanli --current-password <admin-password> --grpc-web
```

The value of --current-password is the admin’s password, because the command is run while logged in as admin. Now the user hanli can log in to ArgoCD: open the ArgoCD UI and log in with the username and password configured above. By default, a newly created user only has read-only permissions and cannot perform any other action. For example, if hanli needs to restart a Deployment so that all of its Pods pick up a new ConfigMap, it cannot.
Next, we will learn how to assign permissions to users on ArgoCD.
RBAC Configuration
To set additional RBAC roles for users, we edit the ConfigMap named argocd-rbac-cm. Its default configuration is as follows:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
```
As we can see, it has a field policy.default: role:readonly. This field grants read-only permission to any user who is not granted permissions anywhere else. Copy and paste it into a file named argocd-rbac-cm.yaml. To grant permissions to a user, we add a field named policy.csv as follows:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |
```
We define permissions in the policy.csv field with the following format:

```
p, <role/user/group>, <resource>, <action>, <object>, <effect>
```

Or

```
p, <role/user/group>, <resource>, <action>, <appproject>/<object>, <effect>
```

The <role/user/group> is the name of the role, user or group, and <effect> is either allow or deny (the examples below use allow).
Resources: clusters, projects, applications, repositories, certificates, accounts, gpgkeys, logs, exec
Actions: get, create, update, delete, sync, override, action/<group/kind/action-name>
We want the user to have permission to restart Deployments, so we write the policy as follows:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    p, hanli, applications, action/apps/Deployment/restart, default/*, allow
```

The resource we use is applications, and since the action has the format action/<group/kind/action-name>, the action to restart a Deployment is action/apps/Deployment/restart.
Next, the <object> value we use is default/*. By default, when we install ArgoCD, it has a project named default, and if we do not create more projects, every application we run lives in this default project. The value default/* means that this permission applies to all applications in the default project. To limit it to a single application, declare it as default/<application-name>.
However, if we have many users, we would need to repeat the above permission for each of them, and the ConfigMap becomes quite verbose, for example:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    p, hanli, applications, action/apps/Deployment/restart, default/*, allow
    p, natsu, applications, action/apps/Deployment/restart, default/*, allow
    p, lucy, applications, action/apps/Deployment/restart, default/*, allow
```

We can shorten it by creating a common role and assigning it to the different users with g lines, for example:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    p, role:deployment-restart, applications, action/apps/Deployment/restart, default/*, allow
    g, hanli, role:deployment-restart
    g, natsu, role:deployment-restart
    g, lucy, role:deployment-restart
```
Apply the updated argocd-rbac-cm ConfigMap, and our users will have the corresponding permissions:

```shell
kubectl apply -f argocd-rbac-cm.yaml
```
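Before applying a policy.csv it is worth checking offline who ends up with which permission. The following is an added example, not code from the post or from ArgoCD: a small Python approximation of ArgoCD's Casbin model (glob match on subject via roles, resource, action and object; allow only if no matching deny) run against the role-based policy above. The built-in policies behind role:readonly are not on the page, so a representative subset is assumed here.

```python
import fnmatch

# Constructed sample mirroring the post's final argocd-rbac-cm policy.csv.
POLICY_CSV = """
p, role:deployment-restart, applications, action/apps/Deployment/restart, default/*, allow
g, hanli, role:deployment-restart
g, natsu, role:deployment-restart
g, lucy, role:deployment-restart
"""
# Assumed subset of ArgoCD's built-in policies behind role:readonly (not on the page).
BUILTIN_READONLY = """
p, role:readonly, applications, get, */*, allow
"""
POLICY_DEFAULT = "role:readonly"  # the post's policy.default value

def parse_policy(csv_text):
    """Split policy.csv into p tuples (subject, resource, action, object, effect)
    and g tuples (member, role); malformed or blank lines are ignored."""
    perms, groups = [], []
    for line in csv_text.splitlines():
        parts = [f.strip() for f in line.split(",")]
        if parts[0] == "p" and len(parts) == 6:
            perms.append(tuple(parts[1:]))
        elif parts[0] == "g" and len(parts) == 3:
            groups.append((parts[1], parts[2]))
    return perms, groups

def subjects_for(user, groups, default_role):
    """The user, every role reachable through g lines, plus policy.default."""
    subjects, todo = {user, default_role}, [user]
    while todo:
        cur = todo.pop()
        for member, role in groups:
            if member == cur and role not in subjects:
                subjects.add(role)
                todo.append(role)
    return subjects

def can(user, resource, action, obj, policy_csv=POLICY_CSV, default_role=POLICY_DEFAULT):
    """Approximate ArgoCD's model: allow wins only if no matching deny exists."""
    perms, groups = parse_policy(policy_csv + BUILTIN_READONLY)
    subjects = subjects_for(user, groups, default_role)
    allowed = denied = False
    for subj, res, act, pobj, eft in perms:
        if (subj in subjects and fnmatch.fnmatchcase(resource, res)
                and fnmatch.fnmatchcase(action, act) and fnmatch.fnmatchcase(obj, pobj)):
            allowed |= eft == "allow"
            denied |= eft == "deny"
    return allowed and not denied
```

ArgoCD's own CLI can run the same kind of check against a policy file with argocd admin settings rbac can; the script above is only an offline approximation for reasoning about the post's policy.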
Done. Please like the DevOps VN page to be notified of new posts as soon as they are published.
Conclusion
So we have learned how to create users and manage RBAC Configuration on ArgoCD; you can read more in the official ArgoCD RBAC Configuration documentation. If you have any questions or need more clarification, you can ask in the comment section below.