×
Community Blog ACK One GitOps Security Model

ACK One GitOps Security Model

This article explains the GitOps security model with images and instructions.

By Liusheng

Security Model

1

Scenario

2

Procedure

(1) Edit argocd/argocd-cm to add local users (manually editing cm is required currently):

data:
  accounts.oneadmin: apiKey,login
  accounts.oneadmin.enabled: "true"
  accounts.team01-admin: login
  accounts.team01-admin.enabled: "true"
  accounts.team01-user01: login
  accounts.team01-user01.enabled: "true"
  accounts.team01-user02: login
  accounts.team01-user02.enabled: "true"
  accounts.team02-admin: login
  accounts.team02-admin.enabled: "true"
  admin.enabled: "false"

(2) Edit argocd/argocd-rbac-cm to set RBAC Rules for local users (manually editing cm is required currently):

data:
  policy.csv: |2
    ...
    p, role:team01-admin, projects, get, team01, allow
    p, role:team01-admin, repositories, *, team01/*, allow
    p, role:team01-admin, applications, *, team01/*, allow
    p, role:team01-admin, repositories, get, *, allow
    p, role:team01-admin, clusters, get, *, allow
    p, role:team02-admin, projects, get, team02, allow
    p, role:team02-admin, repositories, *, team02/*, allow
    p, role:team02-admin, applications, *, team02/*, allow
    p, role:team02-admin, repositories, get, *, allow
    p, role:team02-admin, clusters, get, *, allow
    p, role:team01-user01, projects, get, team01, allow
    p, role:team01-user01, repositories, get, team01/*, allow
    p, role:team01-user01, repositories, get, *, allow
    p, role:team01-user01, clusters, get, *, allow
    p, role:team01-user01, applications, *, team01/production-app, allow
    p, role:team01-user02, projects, get, team01, allow
    p, role:team01-user02, repositories, get, team01/*, allow
    p, role:team01-user02, repositories, get, *, allow
    p, role:team01-user02, clusters, get, *, allow
    p, role:team01-user02, applications, *, team01/staging-app, allow
    ...
    g, team01-admin, role:team01-admin
    g, team02-admin, role:team02-admin
    g, team01-user01, role:team01-user01
    g, team01-user02, role:team01-user02

(3) View local users and set passwords for them (oneadmin operation):

export ARGOCD_OPTS='--port-forward-namespace argocd --port-forward'
argocd account list
NAME           ENABLED  CAPABILITIES
admin          false    login
oneadmin       true     apiKey, login
team01-admin   true     login
team01-user01  true     login
team01-user02  true     login
team02-admin   true     login

Set the password:

argoargocd account update-password --account <username> --current-password <current password> --new-password <new password>

(4) Add global repository (oneadmin operation):

argocd repo add https://code.aliyun.com/bigteam/echo-server01.git
argocd repo add https://code.aliyun.com/bigteam/echo-server02.git
argocd repo list
TYPE  NAME  REPO                                               INSECURE  OCI    LFS    CREDS  STATUS      MESSAGE  PROJECT
git         https://code.aliyun.com/bigteam/echo-server01.git  false     false  false  false  Successful
git         https://code.aliyun.com/bigteam/echo-server02.git  false     false  false  false  Successful

(5) Create and set a project (oneadmin operation)”

Create project team01 and team02

Allow use of Git repository https://code.aliyun.com/bigteam/echo-server01.git and cluster https://47.111.181.57:6443 in project team01

Allow use of Git repository https://code.aliyun.com/bigteam/echo-server02.git and cluster https://47.97.216.237:6443 in project team01

argocd proj create team01
argocd proj add-source team01 https://code.aliyun.com/bigteam/echo-server01.git
argocd proj add-destination team01 https://47.111.181.57:6443 "*"
argocd proj create team02
argocd proj add-source team02 https://code.aliyun.com/bigteam/echo-server02.git
argocd proj add-destination team02 https://47.97.216.237:6443 "*"

PS: Oneadmin is required to have permission to update the cluster and needs to update the current oneadmin role policy.

(6) Create repositories in the project (team01-admin and team02-admin operate separately)

First, log in with the team01-admin user:

argocd login
Username: team01-admin
Password:
'team01-admin:login' logged in successfully
Context 'port-forward' updated

Create repositories in team01:

argocd repo add https://code.aliyun.com/team01/echo-server.git --project team01
Repository 'https://code.aliyun.com/team01/echo-server.git' added

Log in with the team02-admin user:

argocd login
Username: team02-admin
Password:
'team01-admin:login' logged in successfully
Context 'port-forward' updated

Create repositories in team02:

argocd repo add https://code.aliyun.com/team02/echo-server.git --project team02
Repository 'https://code.aliyun.com/team02/echo-server.git' added

Test and Validation
First, log in with the team01-admin user:

argocd login
Username: team01-admin
Password:
'team01-admin:login' logged in successfully
Context 'port-forward' updated

Project Administrator Permissions

Projects Resources

Test the operation permissions of the team01-admin on project resources:

argocd account can-i create projects "*"
no
argocd account can-i update projects "team01"
no
argocd account can-i delete projects "team01"
no
argocd account can-i get projects "team01"
yes
argocd account can-i get projects "team02"
no

The project administrator can only see project team01 and has no other operation permissions.

Repositories Resources

Test the operation permissions of the team01-admin on the repositories resource:

argocd account can-i create repositories "*"
no
argocd account can-i update repositories "*"
no
argocd account can-i delete repositories "*"
no
argocd account can-i get repositories "*"
yes
argocd account can-i create repositories "team01/*"
yes
argocd account can-i update repositories "team01/*"
yes
argocd account can-i delete repositories "team01/*"
yes
argocd account can-i get repositories "team01/*"
yes

The project administrator can only view global repositories and can add, delete, modify, and query repositories under team01.

Clusters Resource

Test the operation permissions of the team01-admin on the clusters resource:

argocd account can-i create clusters "*"
no
argocd account can-i update clusters "*"
no
argocd account can-i delete clusters "*"
no
argocd account can-i get clusters "*"
yes
argocd account can-i create clusters "team01/*"
no
argocd account can-i update clusters "team01/*"
no
argocd account can-i delete clusters "team01/*"
no

The project administrator can only view global clusters and has no other operation permissions.

Applications Resource

Test the operation permissions of the team01-admin on the application resource:

argocd account can-i create applications "*"
no
argocd account can-i update applications "*"
no
argocd account can-i delete applications "*"
no
argocd account can-i get applications "*"
no
argocd account can-i create applications "team01/*"
yes
argocd account can-i update applications "team01/*"
yes
argocd account can-i delete applications "team01/*"
yes
argocd account can-i get applications "team01/*"
yes

The project administrator only has the permission to add, delete, modify, and query under team01 but has no other operation permissions.

Application Create Test

View the resource permission information of the project administrator team01-admin on team01. The repositories that can be referenced are the global repo https://code.aliyun.com/bigteam/echo-server01.git and the in-project repo https://code.aliyun.com/team01/echo-server.git .

The clusters that can be referenced are https://47.111.181.57:6443

argocd proj get team01
Name:                        team01
Description:
Destinations:                https://47.111.181.57:6443,*
Repositories:                https://code.aliyun.com/bigteam/echo-server01.git
Scoped Repositories:         https://code.aliyun.com/team01/echo-server.git
Allowed Cluster Resources:   <none>
Scoped Clusters:             <none>
Denied Namespaced Resources: <none>
Signature keys:              <none>
Orphaned Resources:          disabled

Test creating an application with different repositories and clusters.
Attempt to create an application outside team01 failed (as expected).

argocd app create team01-admin-echo-server --repo https://code.aliyun.com/bigteam/echo-server02.gitargocd app create team01-admin-echo-s--repo erver https://47.97.216.237:6443
FATA[0001] rpc error: code = PermissionDenied desc = permission denied: applications, create, default/team01-admin-echo-server, sub: team01-admin, iat: 2022-10-20T03:20:47Z

Use unauthorized repositories or clusters:

argocd app create team01-admin-echo-server --project team01 --repo https://code.aliyun.com/bigteam/echo-server02.git --path  manifests/directory/production --dest-namespace team01-admin-echo-server --dest-server https://47.97.216.237:6443
FATA[0002] rpc error: code = InvalidArgument desc = application spec for team01-admin-echo-server is invalid: InvalidSpecError: application repo https://code.aliyun.com/bigteam/echo-server02.git is not permitted in project 'team01';InvalidSpecError: application destination {https://xx.xx.xx.xx:6443 team01-admin-echo-server} is not permitted in project 'team01

Use the repositories and clusters allowed by team01:

argocd app create team01-admin-echo-server --project team01 --repo https://code.aliyun.com/bigteam/echo-server01.git --path  manifests/directory/production --dest-namespace team01-admin-echo-server --dest-server https://xx.xx.xx.xx:6443
application 'team01-admin-echo-server' created

Application Administrator Permissions

The application administrator permissions are only limited to the operation permissions of the application resources in the project.

0 1 0
Share on

Alibaba Container Service

173 posts | 31 followers

You may also like

Comments