argoproj-labs / argocd-image-updater

Automatic container image update for Argo CD
https://argocd-image-updater.readthedocs.io/en/stable/
Apache License 2.0

Docs for Granting RBAC permissions in Argo CD #267

Open sj-porter-knime opened 3 years ago

sj-porter-knime commented 3 years ago

Describe the bug

This documentation details the code required to grant RBAC permissions in Argo CD; however, it does not show where that code needs to be placed inside the argocd-rbac-cm ConfigMap.

To Reproduce

Steps to reproduce the behavior:

Expected behavior

Version

Stable (as of Sept. 30, 2021).

sj-porter-knime commented 3 years ago

It looks like I can't push a branch, otherwise I'd submit a PR. Here's my recommended change to the docs (assuming that my understanding of where to put the RBAC permissions inside the ConfigMap is correct):


Granting RBAC permissions in Argo CD

The technical user image-updater we have configured in the previous step now needs appropriate RBAC permissions within Argo CD. Argo CD Image Updater needs the update and get permissions on the applications you want to manage.

A most basic version that grants get and update permissions on all of the applications managed by Argo CD might look as follows:

data:
  policy.default: role:readonly
  policy.csv: |
    p, role:image-updater, applications, get, */*, allow
    p, role:image-updater, applications, update, */*, allow
    g, image-updater, role:image-updater

The permissions can be further restricted to apps in a specific project, or to specific apps.

Edit the argocd-rbac-cm ConfigMap and Argo CD will pick up the changes automatically.
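
An added example, not part of the comment above or of the project's documentation: a Python check that reads the argocd-rbac-cm ConfigMap as JSON, lists the application grants an account holds, and reports whether they are scoped to a project or cover `*/*`. The `web` project, `role:scoped-updater` and `scoped-bot` are hypothetical; the matcher only approximates Argo CD's glob matching, follows one level of `g` mappings, and ignores `policy.default`.

```python
import csv
import io
import json
from fnmatch import fnmatchcase

# Constructed sample in the shape of `kubectl -n argocd get configmap argocd-rbac-cm -o json`:
# the policy from the comment above plus one hypothetical project-scoped role.
SAMPLE_CM = json.dumps({
    "kind": "ConfigMap",
    "metadata": {"name": "argocd-rbac-cm"},
    "data": {
        "policy.default": "role:readonly",
        "policy.csv": (
            "p, role:image-updater, applications, get, */*, allow\n"
            "p, role:image-updater, applications, update, */*, allow\n"
            "p, role:scoped-updater, applications, get, web/*, allow\n"
            "p, role:scoped-updater, applications, update, web/*, allow\n"
            "g, image-updater, role:image-updater\n"
            "g, scoped-bot, role:scoped-updater\n"
        ),
    },
})

def load_policy(cm_json):
    """Return (p_rules, roles_by_subject) parsed from data["policy.csv"]."""
    text = json.loads(cm_json).get("data", {}).get("policy.csv", "")
    rules, roles = [], {}
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [c.strip() for c in row]
        if len(row) == 6 and row[0] == "p":
            rules.append(row[1:])          # subject, resource, action, object, effect
        elif len(row) == 3 and row[0] == "g":
            roles.setdefault(row[1], set()).add(row[2])
    return rules, roles

def app_grants(cm_json, subject):
    """Allow rules on applications that reach `subject` directly or through a role."""
    rules, roles = load_policy(cm_json)
    who = {subject} | roles.get(subject, set())
    return [(act, obj) for sub, res, act, obj, eff in rules
            if sub in who and res == "applications" and eff == "allow"]

def can(cm_json, subject, action, app):
    """Glob-style match of `project/app`; an approximation of Argo CD's matcher."""
    return any(fnmatchcase(action, a) and fnmatchcase(app, o)
               for a, o in app_grants(cm_json, subject))

def unscoped(cm_json, subject):
    """Actions granted on every application in every project (object */*)."""
    return sorted(a for a, o in app_grants(cm_json, subject) if o == "*/*")
```
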

jannfis commented 3 years ago

Hey @sj-porter-knime, thanks for this suggestion.

In order to submit a PR, you need to fork this repository, push the changes to your fork (a dedicated branch for this is recommended), and then open the PR to merge the branch from your fork into this repository.