Open ravindraprasad85 opened 4 months ago
I made changes to the rbac documentation to clarify it. Maybe https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac/#application-specific-policy will help you.
For namespace restriction within an Application, you should use https://argo-cd.readthedocs.io/en/latest/user-guide/projects/#projects.
Something like this is probably what you want (needs testing)
For example, if I want my group Developers to deploy/manage anything in the mars namespace in every cluster, I would do something like this:

```yaml
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: mars
spec:
  clusterResourceWhitelist:
  - group: '*'
    kind: '*'
  destinations:
  - namespace: 'mars'
    server: '*'
  sourceRepos:
  - '*'
  roles:
  - description: Manage anything in the mars namespace
    name: mars-developer
    policies:
    - p, proj:mars:mars-developer, *, *, mars/*, allow
    groups:
    - Developers
```
I have my (PROD) ArgoCD cluster deployed in a Kubernetes cluster using Helm, ArgoCD version 2.9.3. It is running in HA mode with Redis HA. It is currently controlling more than 10 clusters (Prod/Dev/UAT) and 10 repos. I have more than 100 apps running in that cluster. Now I need to control the different teams in the Dev cluster namespace-wise. They should be able to perform anything in their namespace only, where the applicationsets/applications are running. Client application installed in ArgoCD cluster namespace: "ccid-argocd"

Dev Cluster --> Team: A & namespace: A
Dev Cluster --> Team: B & namespace: B

I have tried to write the RBAC policies by following https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md and https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/

Currently ArgoCD is integrated with SSO and the scope is "group". I have tried the below, but it is not working as expected:

```
p, role:team-qa, applicationsets, get, aam-qa-perf-us-east/, allow
p, role:team-qa, applicationsets, get, , allow
p, role:team-qa, clusters, get, uat-east1-sa-eks, allow
g, teamnonprod, role:team-qa
g, my-org:teamnonprod, role:team-qa
```

-Thanks
Describe the bug
When we apply RBAC using the argocd-rbac-cm.yaml file, it should apply to the cluster namespaces and the Applications under those namespaces.
Expected behaviour
RBAC is not working after being applied; it should work as expected, and the applications or resources under those namespaces should be accessible to the teams.
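As an added example (not from the issue and not Argo CD's own code), here is a small Python approximation of how Argo CD's Casbin policy evaluates the quoted project role: the role's subject becomes `proj:mars:mars-developer`, the SSO group is bound to it with a `g` line, the object is `<project>/<app>` and is glob-matched, and a `deny` overrides any `allow`. Matching uses `fnmatch` as a stand-in for Argo CD's glob matcher, and the `deny` line and the `team-qa` lines in the policy text are constructed additions.

```python
import fnmatch

# Constructed policy text. The first "p" line is the quoted AppProject role as Argo CD
# flattens it (subject "proj:<project>:<role>"); the first "g" line is what binding the
# SSO group "Developers" to that role produces. The deny line and the team-qa lines are
# constructed: the latter mirror the issue's object pattern that ends in "/" with no app glob.
POLICY_CSV = """
p, proj:mars:mars-developer, *, *, mars/*, allow
p, proj:mars:mars-developer, applications, delete, mars/prod-db, deny
g, Developers, proj:mars:mars-developer
p, role:team-qa, applications, get, aam-qa-perf-us-east/, allow
g, my-org:teamnonprod, role:team-qa
"""


def parse_policy(csv_text):
    """Split policy CSV into (permission tuples, group -> roles bindings)."""
    perms, groups = [], {}
    for raw in csv_text.splitlines():
        parts = [p.strip() for p in raw.split(",")]
        if parts[0] == "p" and len(parts) == 6:
            perms.append(tuple(parts[1:]))  # sub, res, act, obj, effect
        elif parts[0] == "g" and len(parts) == 3:
            groups.setdefault(parts[1], set()).add(parts[2])
    return perms, groups


def subjects_for(subject, groups):
    """The subject plus every role reachable through 'g' bindings (transitive)."""
    seen, stack = {subject}, [subject]
    while stack:
        for role in groups.get(stack.pop(), ()):
            if role not in seen:
                seen.add(role)
                stack.append(role)
    return seen


def enforce(policy, subject, resource, action, obj):
    """True if some matching line allows and no matching line denies (deny wins)."""
    perms, groups = policy
    subjects = subjects_for(subject, groups)
    allowed = denied = False
    for p_sub, p_res, p_act, p_obj, effect in perms:
        if (p_sub in subjects
                and fnmatch.fnmatchcase(resource, p_res)
                and fnmatch.fnmatchcase(action, p_act)
                and fnmatch.fnmatchcase(obj, p_obj)):
            allowed |= effect == "allow"
            denied |= effect == "deny"
    return allowed and not denied


POLICY = parse_policy(POLICY_CSV)
```

Because the object is `<project>/<app-name>`, a pattern such as `aam-qa-perf-us-east/` only matches a literal empty app name, so a member of `my-org:teamnonprod` gets nothing for `aam-qa-perf-us-east/web`; `mars/*` is what makes the quoted role work.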