By Liusheng
(1) Edit argocd/argocd-cm to add local users (manually editing cm is required currently):
data:
accounts.oneadmin: apiKey,login
accounts.oneadmin.enabled: "true"
accounts.team01-admin: login
accounts.team01-admin.enabled: "true"
accounts.team01-user01: login
accounts.team01-user01.enabled: "true"
accounts.team01-user02: login
accounts.team01-user02.enabled: "true"
accounts.team02-admin: login
accounts.team02-admin.enabled: "true"
admin.enabled: "false"
(2) Edit argocd/argocd-rbac-cm to set RBAC Rules for local users (manually editing cm is required currently):
data:
policy.csv: |2
...
p, role:team01-admin, projects, get, team01, allow
p, role:team01-admin, repositories, *, team01/*, allow
p, role:team01-admin, applications, *, team01/*, allow
p, role:team01-admin, repositories, get, *, allow
p, role:team01-admin, clusters, get, *, allow
p, role:team02-admin, projects, get, team02, allow
p, role:team02-admin, repositories, *, team02/*, allow
p, role:team02-admin, applications, *, team02/*, allow
p, role:team02-admin, repositories, get, *, allow
p, role:team02-admin, clusters, get, *, allow
p, role:team01-user01, projects, get, team01, allow
p, role:team01-user01, repositories, get, team01/*, allow
p, role:team01-user01, repositories, get, *, allow
p, role:team01-user01, clusters, get, *, allow
p, role:team01-user01, applications, *, team01/production-app, allow
p, role:team01-user02, projects, get, team01, allow
p, role:team01-user02, repositories, get, team01/*, allow
p, role:team01-user02, repositories, get, *, allow
p, role:team01-user02, clusters, get, *, allow
p, role:team01-user02, applications, *, team01/staging-app, allow
...
g, team01-admin, role:team01-admin
g, team02-admin, role:team02-admin
g, team01-user01, role:team01-user01
g, team01-user02, role:team01-user02
(3) View local users and set passwords for them (oneadmin operation):
export ARGOCD_OPTS='--port-forward-namespace argocd --port-forward'
argocd account list
NAME ENABLED CAPABILITIES
admin false login
oneadmin true apiKey, login
team01-admin true login
team01-user01 true login
team01-user02 true login
team02-admin true login
Set the password:
argoargocd account update-password --account <username> --current-password <current password> --new-password <new password>
(4) Add global repository (oneadmin operation):
argocd repo add https://code.aliyun.com/bigteam/echo-server01.git
argocd repo add https://code.aliyun.com/bigteam/echo-server02.git
argocd repo list
TYPE NAME REPO INSECURE OCI LFS CREDS STATUS MESSAGE PROJECT
git https://code.aliyun.com/bigteam/echo-server01.git false false false false Successful
git https://code.aliyun.com/bigteam/echo-server02.git false false false false Successful
(5) Create and set a project (oneadmin operation)”
Create project team01 and team02
Allow use of Git repository https://code.aliyun.com/bigteam/echo-server01.git and cluster https://47.111.181.57:6443
in project team01
Allow use of Git repository https://code.aliyun.com/bigteam/echo-server02.git and cluster https://47.97.216.237:6443
in project team01
argocd proj create team01
argocd proj add-source team01 https://code.aliyun.com/bigteam/echo-server01.git
argocd proj add-destination team01 https://47.111.181.57:6443 "*"
argocd proj create team02
argocd proj add-source team02 https://code.aliyun.com/bigteam/echo-server02.git
argocd proj add-destination team02 https://47.97.216.237:6443 "*"
PS: Oneadmin is required to have permission to update the cluster and needs to update the current oneadmin role policy.
(6) Create repositories in the project (team01-admin and team02-admin operate separately)
First, log in with the team01-admin user:
argocd login
Username: team01-admin
Password:
'team01-admin:login' logged in successfully
Context 'port-forward' updated
Create repositories in team01:
argocd repo add https://code.aliyun.com/team01/echo-server.git --project team01
Repository 'https://code.aliyun.com/team01/echo-server.git' added
Log in with the team02-admin user:
argocd login
Username: team02-admin
Password:
'team01-admin:login' logged in successfully
Context 'port-forward' updated
Create repositories in team02:
argocd repo add https://code.aliyun.com/team02/echo-server.git --project team02
Repository 'https://code.aliyun.com/team02/echo-server.git' added
Test and Validation
First, log in with the team01-admin user:
argocd login
Username: team01-admin
Password:
'team01-admin:login' logged in successfully
Context 'port-forward' updated
Test the operation permissions of the team01-admin on project resources:
argocd account can-i create projects "*"
no
argocd account can-i update projects "team01"
no
argocd account can-i delete projects "team01"
no
argocd account can-i get projects "team01"
yes
argocd account can-i get projects "team02"
no
The project administrator can only see project team01 and has no other operation permissions.
Test the operation permissions of the team01-admin on the repositories resource:
argocd account can-i create repositories "*"
no
argocd account can-i update repositories "*"
no
argocd account can-i delete repositories "*"
no
argocd account can-i get repositories "*"
yes
argocd account can-i create repositories "team01/*"
yes
argocd account can-i update repositories "team01/*"
yes
argocd account can-i delete repositories "team01/*"
yes
argocd account can-i get repositories "team01/*"
yes
The project administrator can only view global repositories and can add, delete, modify, and query repositories under team01.
Test the operation permissions of the team01-admin on the clusters resource:
argocd account can-i create clusters "*"
no
argocd account can-i update clusters "*"
no
argocd account can-i delete clusters "*"
no
argocd account can-i get clusters "*"
yes
argocd account can-i create clusters "team01/*"
no
argocd account can-i update clusters "team01/*"
no
argocd account can-i delete clusters "team01/*"
no
The project administrator can only view global clusters and has no other operation permissions.
Test the operation permissions of the team01-admin on the application resource:
argocd account can-i create applications "*"
no
argocd account can-i update applications "*"
no
argocd account can-i delete applications "*"
no
argocd account can-i get applications "*"
no
argocd account can-i create applications "team01/*"
yes
argocd account can-i update applications "team01/*"
yes
argocd account can-i delete applications "team01/*"
yes
argocd account can-i get applications "team01/*"
yes
The project administrator only has the permission to add, delete, modify, and query under team01 but has no other operation permissions.
View the resource permission information of the project administrator team01-admin on team01. The repositories that can be referenced are the global repo https://code.aliyun.com/bigteam/echo-server01.git and the in-project repo https://code.aliyun.com/team01/echo-server.git .
The clusters that can be referenced are https://47.111.181.57:6443
argocd proj get team01
Name: team01
Description:
Destinations: https://47.111.181.57:6443,*
Repositories: https://code.aliyun.com/bigteam/echo-server01.git
Scoped Repositories: https://code.aliyun.com/team01/echo-server.git
Allowed Cluster Resources: <none>
Scoped Clusters: <none>
Denied Namespaced Resources: <none>
Signature keys: <none>
Orphaned Resources: disabled
Test creating an application with different repositories and clusters.
Attempt to create an application outside team01 failed (as expected).
argocd app create team01-admin-echo-server --repo https://code.aliyun.com/bigteam/echo-server02.gitargocd app create team01-admin-echo-s--repo erver https://47.97.216.237:6443
FATA[0001] rpc error: code = PermissionDenied desc = permission denied: applications, create, default/team01-admin-echo-server, sub: team01-admin, iat: 2022-10-20T03:20:47Z
Use unauthorized repositories or clusters:
argocd app create team01-admin-echo-server --project team01 --repo https://code.aliyun.com/bigteam/echo-server02.git --path manifests/directory/production --dest-namespace team01-admin-echo-server --dest-server https://47.97.216.237:6443
FATA[0002] rpc error: code = InvalidArgument desc = application spec for team01-admin-echo-server is invalid: InvalidSpecError: application repo https://code.aliyun.com/bigteam/echo-server02.git is not permitted in project 'team01';InvalidSpecError: application destination {https://xx.xx.xx.xx:6443 team01-admin-echo-server} is not permitted in project 'team01
Use the repositories and clusters allowed by team01:
argocd app create team01-admin-echo-server --project team01 --repo https://code.aliyun.com/bigteam/echo-server01.git --path manifests/directory/production --dest-namespace team01-admin-echo-server --dest-server https://xx.xx.xx.xx:6443
application 'team01-admin-echo-server' created
The application administrator permissions are only limited to the operation permissions of the application resources in the project.
RBAC Permission Settings for ACK Registered Cluster Agent Components
173 posts | 31 followers
FollowAlibaba Cloud Native - May 23, 2023
Alibaba Container Service - May 16, 2024
Alibaba Container Service - December 5, 2024
Alibaba Container Service - April 12, 2024
Alibaba Container Service - August 1, 2023
Alibaba Container Service - July 16, 2024
173 posts | 31 followers
FollowAlibaba Cloud is committed to safeguarding the cloud security for every business.
Learn MoreSimple, secure, and intelligent services.
Learn MoreThis solution helps you easily build a robust data security framework to safeguard your data assets throughout the data security lifecycle with ensured confidentiality, integrity, and availability of your data.
Learn MoreIndustry-standard hardware security modules (HSMs) deployed on Alibaba Cloud.
Learn MoreMore Posts by Alibaba Container Service