Open kambman opened 1 year ago
Any update on this?
I have the same problem with Keycloak. I joined the user to the group ArgoCDAdmins and added the policy in argocd-rbac-cm

```
g, ArgoCDAdmins, role:admin
```

the same as in the official docs: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/keycloak/ , but the permissions of the logged-in user are always the same as policy.default.
If you add the role binding with the sub ID, it works, but this is not expected.
Furthermore, any policy with fullname, email, or other Mapper data won't work.
Facing the same issue here; please share if anyone has a resolution. Thanks in advance.
Hello everyone,
I wanted to share the solution I found regarding the permissions issue when integrating Keycloak with Argo CD. Like others, I faced a problem where, even after adding users to Keycloak groups and configuring the policies in argocd-rbac-cm, the logged-in users always had the permissions defined by policy.default, and group-based permissions weren't being applied.
After some investigation, I discovered that the issue was with the formatting of the argocd-rbac-cm configuration. By properly formatting the RBAC policies, Argo CD was able to recognize the groups and assign the correct permissions.
Here's the configuration that worked for me:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  admin.enabled: "true"
  application.instanceLabelKey: argocd.argoproj.io/instance
  oidc.config: |
    name: Keycloak
    issuer: https://keycloak.example.com/realms/master
    clientID: argocd
    clientSecret: <oidc-client-secret>
    requestedScopes: ["openid", "profile", "email", "groups"]
    claimMappings:
      email: email
      groups: groups
  url: https://argocd.example.com
  server.rbac.log.enforce.enable: "true"
```

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
    argocd.argoproj.io/instance: argocd-cm
data:
  policy.csv: |
    p, argocd-group-1, applications, *, test-project/*, allow
    p, argocd-group-1, clusters, *, test-project/*, allow
    p, argocd-group-1, repos, *, test-project/*, allow
    p, argocd-group-1, roles, *, test-project/*, allow
    p, argocd-group-1, users, *, test-project/*, allow
    g, keycloak-group-1, argocd-group-1
    p, argocd-group-2, applications, *, *, allow
    p, argocd-group-2, clusters, *, *, allow
    p, argocd-group-2, repos, *, *, allow
    g, keycloak-group-2, argocd-group-2
  policy.default: role:''
  policy.matchMode: glob
  scopes: '[groups]'
```
For more details on configuring RBAC policies in Argo CD, you can refer to the official documentation: RBAC Configuration
I have integrated Okta with Argo CD, and two groups have been created for admin and developer in an Active Directory (AD) group for the organization. In the 'argocd-rbac-cm' configmap, the permissions are not being reflected according to the groups; Argo CD is taking the "policy.default: role:standard" role permissions instead of the groups'.

In the argocd-rbac-cm configmap:

```yaml
data:
  policy.csv: |-
    p, role:standard, applications, get, */*, allow
    p, role:standard, applications, update, */*, allow
    p, role:standard, applications, action/*, */*, allow
    p, role:standard, applications, sync, */*, allow
    p, role:standard, certificates, get, *, allow
    p, role:standard, clusters, get, *, allow
    p, role:standard, repositories, get, *, allow
    p, role:standard, projects, get, *, allow
    p, role:standard, accounts, get, *, allow
    p, role:standard, gpgkeys, get, *, allow
  policy.default: role:standard
  scopes: '[email,Groups]'
kind: ConfigMap
```

In the argocd-cm configmap:

```yaml
data:
  exec.enabled: "true"
  oidc.config: |
    name: Okta
    issuer:
    clientID:
    clientSecret:
    requestedScopes: ["openid", "profile", "email", "Groups"]
    requestedIDTokenClaims: {"Groups": {"essential": true}}
  url:
kind: ConfigMap
```
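The common thread in the Keycloak fix above and the Okta report with a `Groups` claim is how Argo CD chooses the subjects it feeds into the RBAC engine. The following is an added example, not code from this issue thread and not Argo CD's own implementation: a small Python model that approximates the documented order (the JWT `sub`, then the value of every claim named in the argocd-rbac-cm `scopes` entry, then `policy.default`) together with Casbin's allow/deny effect and glob matching. It is a simplification of the real enforcer; all policies, claim values and `sub` identifiers are constructed for the example, and `roles_of`, `enforce_subject` and `enforce_claims` are hypothetical helper names.

```python
"""Simplified model of how Argo CD resolves a logged-in user's RBAC subjects.

Added example, not Argo CD's own code: approximates the documented order
(JWT `sub`, then each claim named in argocd-rbac-cm `scopes`, then
`policy.default`) with the Casbin allow/deny effect and glob matching.
"""
import fnmatch
import re


def parse_policy(csv_text):
    """Parse policy.csv into p rules (sub, res, act, obj, eft) and g member->role lines."""
    policies, groupings = [], []
    for raw in csv_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            policies.append(tuple(fields[1:]))
        elif fields[0] == "g" and len(fields) == 3:
            groupings.append((fields[1], fields[2]))
        else:
            raise ValueError(f"malformed policy line: {raw!r}")
    return policies, groupings


def roles_of(subject, groupings):
    """Transitive closure over g lines: the subject itself plus every role it inherits."""
    roles = {subject}
    changed = True
    while changed:
        changed = False
        for member, role in groupings:
            if member in roles and role not in roles:
                roles.add(role)
                changed = True
    return roles


def _match(pattern, value, match_mode):
    if match_mode == "regex":
        return re.fullmatch(pattern, value) is not None
    return fnmatch.fnmatchcase(value, pattern)  # glob mode: '*' also spans '/'


def enforce_subject(policies, groupings, subject, res, act, obj, match_mode="glob"):
    """Casbin effect 'some(allow) && !some(deny)' for a single subject string."""
    roles = roles_of(subject, groupings)
    allowed = denied = False
    for p_sub, p_res, p_act, p_obj, eft in policies:
        if (p_sub in roles and _match(p_res, res, match_mode)
                and _match(p_act, act, match_mode) and _match(p_obj, obj, match_mode)):
            allowed = allowed or eft == "allow"
            denied = denied or eft == "deny"
    return allowed and not denied


def parse_scopes(value):
    """'[email,Groups]' -> ['email', 'Groups'] (the scopes syntax used in argocd-rbac-cm)."""
    return [s.strip() for s in value.strip().strip("[]").split(",") if s.strip()]


def enforce_claims(rbac_cm, claims, res, act, obj):
    """Try sub, then each scoped claim value; fall back to policy.default only if all fail."""
    policies, groupings = parse_policy(rbac_cm["policy.csv"])
    mode = rbac_cm.get("policy.matchMode", "glob")
    subjects = [claims["sub"]] if claims.get("sub") else []
    for scope in parse_scopes(rbac_cm.get("scopes", "[groups]")):
        value = claims.get(scope)  # claim names are case-sensitive: 'Groups' != 'groups'
        subjects.extend([value] if isinstance(value, str) else (value or []))
    if any(enforce_subject(policies, groupings, s, res, act, obj, mode) for s in subjects):
        return True
    default = rbac_cm.get("policy.default", "")
    return bool(default) and enforce_subject(policies, groupings, default, res, act, obj, mode)


# Constructed sample policy: one direct group binding (as in the Keycloak docs)
# and one IdP group mapped onto an intermediate Argo CD group.
POLICY_CSV = """\
p, role:admin, *, *, *, allow
p, role:readonly, applications, get, */*, allow
p, argocd-group-1, applications, *, test-project/*, allow
g, keycloak-group-1, argocd-group-1
g, ArgoCDAdmins, role:admin
"""
RBAC_GROUPS = {"policy.csv": POLICY_CSV, "policy.default": "role:readonly", "scopes": "[groups]"}
RBAC_EMAIL_ONLY = {**RBAC_GROUPS, "scopes": "[email]"}
RBAC_OKTA = {**RBAC_GROUPS, "scopes": "[email,Groups]"}

# Constructed ID-token claims (hypothetical sub values, not real accounts).
KEYCLOAK_CLAIMS = {"sub": "a1b2c3d4-0000-4000-8000-000000000001",
                   "email": "alice@example.com", "groups": ["ArgoCDAdmins"]}
OKTA_CLAIMS = {"sub": "00u1example", "email": "bob@example.com",
               "Groups": ["keycloak-group-1"]}  # capitalised claim, as in the Okta report


def demo():
    app = "default/guestbook"
    return {
        # group claim listed in scopes: ArgoCDAdmins -> role:admin
        "keycloak_groups_scope": enforce_claims(RBAC_GROUPS, KEYCLOAK_CLAIMS, "applications", "delete", app),
        # same token, but scopes omits the group claim: only sub and email are tried,
        # nothing binds them, so the user silently drops to policy.default
        "keycloak_email_scope_delete": enforce_claims(RBAC_EMAIL_ONLY, KEYCLOAK_CLAIMS, "applications", "delete", app),
        "keycloak_email_scope_get": enforce_claims(RBAC_EMAIL_ONLY, KEYCLOAK_CLAIMS, "applications", "get", app),
        # the token carries 'Groups' but scopes says 'groups': no subject is added
        "okta_wrong_case": enforce_claims(RBAC_GROUPS, OKTA_CLAIMS, "applications", "sync", "test-project/app"),
        "okta_matching_case": enforce_claims(RBAC_OKTA, OKTA_CLAIMS, "applications", "sync", "test-project/app"),
        # binding the raw sub works whatever scopes says, which is why that workaround succeeds
        "sub_binding": enforce_claims(
            {**RBAC_EMAIL_ONLY, "policy.csv": POLICY_CSV + "g, a1b2c3d4-0000-4000-8000-000000000001, role:admin\n"},
            KEYCLOAK_CLAIMS, "applications", "delete", app),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} {'allow' if decision else 'deny'}")
```

Running the script prints one decision per scenario. The two cases that reproduce the symptom from this thread are `keycloak_email_scope_delete` and `okta_wrong_case`: in both, the group claim is present in the token but is never turned into an RBAC subject, so the only policy that can match is `policy.default`. Before editing policy.csv, decode the actual ID token and check that the claim name spelled in `scopes` exists in it with exactly that capitalisation and contains the group names the `g` lines bind.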