argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

ARGOCD RBAC on Resource cluster Namespace for teams #18468

Open ravindraprasad85 opened 4 months ago

ravindraprasad85 commented 4 months ago

I do have my (PROD) ArgoCD cluster deployed in a Kubernetes cluster using helm, ArgoCD version 2.9.3. It is running in HA mode with redis HA. It's controlling more than 10 clusters (Prod/Dev/UAT) currently & 10 repos. I do have more than 100 apps running in that cluster. Now I need to control the different teams in the Dev cluster, namespace-wise. They should be able to perform anything only in their own namespace, where the applicationsets/applications are running. Client application installed in the ArgoCD cluster namespace: "ccid-argocd"

Dev Cluster --> Team: A & namespace: A
Dev Cluster --> Team: B & namespace: B

I have tried to write the RBAC policies by following https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/

Currently ArgoCD is integrated with SSO and the scope is "group". I have tried the policies below, but they are not working as expected:

p, role:team-qa, applicationsets, get, aam-qa-perf-us-east/, allow
p, role:team-qa, applicationsets, get, , allow
p, role:team-qa, clusters, get, uat-east1-sa-eks, allow
g, teamnonprod, role:team-qa
g, my-org:teamnonprod, role:team-qa

-Thanks

Checklist:

Describe the bug

When we apply RBAC using the argocd-rbac-cm.yaml file, it should apply to the cluster namespaces and the Applications under those namespaces.

To Reproduce

Expected behaviour

RBAC is not working after being applied. It should work as expected, and the applications or resources under those namespaces should be accessible to the teams.

Version

V2.9.3

Logs

No failure logs.

agaudreault commented 4 months ago

I made changes to the rbac documentation to clarify it. Maybe https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac/#application-specific-policy will help you.

For namespace restriction within an Application, you should use https://argo-cd.readthedocs.io/en/latest/user-guide/projects/#projects.

christianh814 commented 4 months ago

Something like this is probably what you want (needs testing)

For example, if I want my group Developers to deploy/manage anything in the mars namespace in every cluster, I would do something like this:

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: mars
spec:
  # Cluster-scoped resource kinds that Applications in this project may create.
  clusterResourceWhitelist:
  - group: '*'
    kind: '*'
  # Applications in this project may only deploy into the "mars" namespace,
  # on any cluster registered with Argo CD.
  destinations:
  - namespace: 'mars'
    server: '*'
  sourceRepos:
  - '*'
  roles:
  - description: Manage anything in the mars namespace
    name: mars-developer
    # Project-scoped policy: any action on any resource of any Application
    # in this project (the object is written as <project>/<app-name>).
    policies:
    - p, proj:mars:mars-developer, *, *, mars/*, allow
    # SSO groups whose members receive this project role.
    groups:
    - Developers
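As an added illustration for both replies above (this is not code from the thread and not Argo CD's own implementation), the following Python script simulates the two separate checks the question runs together: the policy.csv from argocd-rbac-cm, whose object for the applications resource is `<project>/<app-name>` rather than a Kubernetes namespace, and the AppProject destinations list, which is where a namespace restriction actually lives. The policy lines, cluster, project and group names are all constructed; `fnmatch` stands in for Argo CD's glob matcher, and the allow/deny combination (an allow counts only when no matching deny exists) follows Argo CD's casbin model.

```python
"""Simulation of Argo CD-style RBAC evaluation (constructed example, not Argo CD code).

Two checks are modelled:
  1. policy.csv (argocd-rbac-cm): who may do which action on which Argo CD object.
     For the "applications" resource the object is "<project>/<app-name>",
     never a Kubernetes namespace.
  2. AppProject.spec.destinations: which cluster/namespace an Application in
     the project may deploy into. Namespace restriction belongs here.
fnmatch stands in for the glob matcher ("*" matches across "/", as in Argo CD's
default glob mode); "?" and character classes may behave differently.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Sequence, Set, Tuple

Rule = Tuple[str, str, str, str, str]  # subject, resource, action, object, effect

# Constructed policy.csv; every project, cluster and group name is made up.
POLICY_CSV = """
p, role:team-qa, applications, *, aam-qa-perf-us-east/*, allow
p, role:team-qa, applications, delete, aam-qa-perf-us-east/*, deny
p, role:team-qa, clusters, get, uat-east1-sa-eks, allow
g, my-org:teamnonprod, role:team-qa
# The two lines Argo CD derives from a project role with groups: [Developers]
p, proj:mars:mars-developer, *, *, mars/*, allow
g, Developers, proj:mars:mars-developer
"""

# Constructed AppProject.spec.destinations for the "mars" project.
MARS_DESTINATIONS = [{"namespace": "mars", "server": "*"}]


def parse_policy(csv_text: str) -> Tuple[List[Rule], Dict[str, Set[str]]]:
    """Parse policy.csv text into p-rules and a g map (subject -> roles)."""
    rules: List[Rule] = []
    groups: Dict[str, Set[str]] = {}
    for raw in csv_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            rules.append((fields[1], fields[2], fields[3], fields[4], fields[5]))
        elif fields[0] == "g" and len(fields) == 3:
            groups.setdefault(fields[1], set()).add(fields[2])
        else:
            raise ValueError(f"malformed policy line: {raw!r}")
    return rules, groups


def effective_subjects(subject: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """The subject itself plus every role reachable through g lines."""
    seen = {subject}
    stack = [subject]
    while stack:
        for role in groups.get(stack.pop(), ()):
            if role not in seen:
                seen.add(role)
                stack.append(role)
    return seen


def is_allowed(csv_text: str, subject: str, resource: str, action: str, obj: str) -> bool:
    """True if some matching p-rule allows the request and none denies it."""
    rules, groups = parse_policy(csv_text)
    subjects = effective_subjects(subject, groups)
    allowed = denied = False
    for sub, res, act, pattern, effect in rules:
        if sub not in subjects:  # policy subjects are matched exactly
            continue
        if fnmatchcase(resource, res) and fnmatchcase(action, act) and fnmatchcase(obj, pattern):
            if effect == "allow":
                allowed = True
            elif effect == "deny":
                denied = True
    return allowed and not denied


def destination_allowed(destinations: Sequence[Dict[str, str]], server: str, namespace: str) -> bool:
    """Project-level check: may an Application deploy to this server/namespace?"""
    return any(
        fnmatchcase(server, d.get("server", "*")) and fnmatchcase(namespace, d.get("namespace", "*"))
        for d in destinations
    )


if __name__ == "__main__":
    grp = "my-org:teamnonprod"
    print("team-qa get app   :", is_allowed(POLICY_CSV, grp, "applications", "get", "aam-qa-perf-us-east/perf-api"))
    print("team-qa delete app:", is_allowed(POLICY_CSV, grp, "applications", "delete", "aam-qa-perf-us-east/perf-api"))
    print("team-qa other proj:", is_allowed(POLICY_CSV, grp, "applications", "get", "other-proj/perf-api"))
    print("Developers mars   :", is_allowed(POLICY_CSV, "Developers", "applications", "sync", "mars/web"))
    print("mars -> ns mars   :", destination_allowed(MARS_DESTINATIONS, "https://kubernetes.default.svc", "mars"))
    print("mars -> ns team-b :", destination_allowed(MARS_DESTINATIONS, "https://kubernetes.default.svc", "team-b"))
```

The split matters for least privilege: the RBAC policy decides which Argo CD Applications a group may touch, while the AppProject destinations decide where those Applications are permitted to write. Granting a team `*` on `mars/*` is only as narrow as the `mars` project's destinations and sourceRepos make it, so a project with `server: '*'` and a single namespace is what keeps Team A's access out of Team B's namespace.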