How to create users and grant permissions by using ACK One GitOps - Container Service for Kubernetes

This topic describes the types of users that are supported by Distributed Cloud Container Platform for Kubernetes (ACK One) GitOps and how to grant permissions to users.

User types

ACK One GitOps supports multi-user collaboration. The administrator can create users, delete users, and grant Argo CD Role-Based Access Control (RBAC) permissions and Argo CD application permissions to users. ACK One GitOps supports the following types of users:

Local User
Local users. The administrator can create local users and generate authentication tokens that are automatically used by the system to call the Argo CD API to create Argo CD applications and projects. If your team has a limited number of members, you can create local users. For more information about how to grant permissions to local users, see Grant permissions to a local user.
RAM users or RAM roles within an Alibaba Cloud account
RAM users or RAM roles. We recommend that you use RAM users to log on to the Argo CD UI or Argo CD CLI. By default, ACK One GitOps supports single sign-on (SSO) when you use RAM users or RAM roles to log on to the Argo CD UI or Argo CD CLI. For more information about how to grant permissions to RAM users, see Grant permissions to RAM users or RAM roles in an Alibaba Cloud account.

Create a local user

Prerequisites

The kubeconfig file of the Fleet instance is obtained in the Distributed Cloud Container Platform for Kubernetes (ACK One) console and a kubectl client is connected to the Fleet instance.
GitOps is enabled for your ACK One Fleet instance. For more information, see Enable GitOps for the Fleet instance.
The password of the Argo CD administrator is obtained and used to log on to the Argo CD CLI. For more information, see Access Argo CD by using the Argo CD CLI.

Procedure

Use the administrator account to create a local user on the Fleet instance. To create a local user, perform the following steps:

Run the following command to modify the argocd-cm ConfigMap of Argo CD:
```
kubectl edit cm argocd-cm -n argocd
```

Add a local user named localuser1 to the argocd-cm ConfigMap.

data:
  accounts.localuser1: login,apiKey    # Allow the local user to log on to the Argo CD UI and the Argo CD CLI, and generate an apiKey token. 
  accounts.localuser1.enabled: "true"  # Create local user localuser1.

Run the following command to query the local user:

argocd account list

Expected output:

NAME        ENABLED  CAPABILITIES
admin       true     login
localuser1  true     login,apiKey   # The local user localuser1.

Run the following command to set a password and generate a token:

# Set a password. 
argocd account update-password \
  --account localuser1 \
  --current-password <admin password> \
  --new-password <localuser1-password>

# Generate a token for localuser1. 
argocd account generate-token --account localuser1
eyJhb......

Configure Argo CD RBAC permissions

Argo CD allows you to configure Role-Based Access Control (RBAC) to limit SSO groups or local users from accessing Argo CD resources. To do this, define an RBAC role and map an SSO group or local user to the role.

Role introduction

To grant permissions to an SSO group or local user, you must first create a role and map the SSO group or local user to the role.

You can create custom roles or use the following predefined roles in Argo CD:

role:readonly: This role has read permissions on all Argo CD resources. (get)
role:admin: This role has full permissions on all Argo CD resources.

To define a permission policy, add one of the following settings to the .data.policy.csv field in the argocd-rbac-cm ConfigMap:

If the permission policy does not belong to any project: p, <role/user/group>, <resource>, <action>, <object>
If the permission policy belongs to a project: p, <role/user/group>, <resource>, <action>, <appproject>/<object>

Argo CD supports the following resources: clusters, projects, applications, applicationsets, repositories, certificates, accounts, gpgkeys, logs, exec, and extensions.

Argo CD supports the following actions: get, create, update, delete, sync, override, and action/<api-group>/<Kind>/<action-name>.

The sync, override, and action/<api-group>/<Kind>/<action-name> actions take effect only on the applications resource.

Grant permissions to a local user

Run the following command to modify the argocd-rbac-cm ConfigMap of Argo CD:
```
kubectl edit cm argocd-rbac-cm -n argocd
```
In the argocd-rbac-cm ConfigMap, grant permissions to a local user based on the following content:
Important
Do not modify other configurations in the ConfigMap.
```
data:
  policy.csv: |
##  p, role:project-admin, applications, *, */*, allow
##  p, role:project-admin, projects, *, *, allow
    
    g, "14***01", role:admin          # Keep the current setting. 
    g, localuser1, role:admin         # Map localuser1 to role admin. 
##  g, localuser1, role:project-admin # Map localuser1 to role project-admin. 
  scopes: '[uid]'                     # Keep the current setting.
```
The sample ConfigMap allows you to grant permissions in the following scenarios:
- Map localuser1 to the predefined role admin. This way, localuser1 has full permissions on all Argo CD resources.
- Map localuser1 to the custom role project-admin. This way, project-admin has full permissions on projects and applications. This setting is annotated in the sample ConfigMap.

Grant permissions to RAM users or RAM roles within an Alibaba Cloud account

By default, ACK One GitOps supports SSO when you use RAM users to log on to the Argo CD UI or Argo CD CLI. After you use a RAM user to log on to the ACK One console, you can log on to the Argo CD UI or Argo CD CLI by using SSO without the need to enter the username and password again.

If the RAM user is the administrator of the ACK One Fleet instance, ACK One GitOps automatically grants the RAM user administrator permissions on the Argo CD UI or Argo CD CLI.
If the RAM user is a regular user, the administrator of the Fleet instance must grant permissions to the RAM user. The following permissions are included:
- Grant the Argo CD RBAC permissions to the RAM user or RAM role in argocd-rbac-cm.
- Manage the permissions of the RAM user or RAM role on clusters, repositories, and applications by using Argo CD projects.

Grant the Argo CD RBAC permissions to RAM users or RAM roles

The administrator of the ACK One Fleet instance can perform the following steps to configure permissions:

Run the following command to modify the argocd-rbac-cm ConfigMap of Argo CD:
```
kubectl edit cm argocd-rbac-cm -n argocd
```

Grant permissions to the RAM user in argocd-rbac-cm based on the following example. The example shows that RAM User "27***02" is granted Argo CD admin permissions, and the comment section indicates that RAM User "27***02" is granted project-admin permissions.

data:
  policy.csv: |
##  p, role:project-admin, applications, *, */*, allow
##  p, role:project-admin, projects, *, *, allow
    
    g, "14***01", role:admin          # Keep the current setting. 
    g, "27***02", role:admin          # Set the role of RAM User "27***02" to admin. 
##  g, "27***02", role:project-admin  # Map RAM User "27***02" to the project-admin role. 
  scopes: '[uid]'                     # Keep the current setting.

Grant the Argo CD application permissions to RAM users or RAM roles

Each Argo CD application belongs to a project. Argo CD projects can be used to grant different application permissions to different RAM users or RAM roles.

When multiple teams use Argo CD, you can add applications to different Argo CD projects. Argo CD projects also provide the following features:

Git repository limit: controls which Git repositories can be used to deploy applications.
Cluster and namespaces limit: defines the clusters and namespaces where applications can be deployed and ensures that the deployment complies with the resource allocation and security policies of the team.
Object type limit: limits the types of Kubernetes resources that can be deployed, such as RBAC, CRDs, DaemonSets, and NetworkPolicies, to avoid using unnecessary or high-risk resources.
Application-level RBAC: grants different application permissions to different RAM users or RAM roles and bind them to OIDC groups and JWT tokens by defining project roles. This allows you to manage permissions in a fine-grained manner.

The ACK One administrator can perform the following operations to grant Argo CD application permissions to RAM users or RAM roles:

Log on to the RAM console by using your Alibaba Cloud account or an administrator account. In the left-side navigation pane, click Users or Roles. On the details page of the user or role that you want to manage, copy the UID or role ID.
Log on to the ACK One console. In the left-side navigation pane, choose Fleet > GitOps. Click GitOps Console to log on to the Argo CD console.
In the left-side navigation pane of the Argo CD console, click Settings > Projects. Click + NEW PROJECT to create a project, or select and go to the details page of an existing project. The permission configuration for the previously described repositories, clusters, and cluster resources is omitted.
Click + ADD ROLE, specify the following information, and then click CREATE to create a project role.
- GENERAL: the basic information of the role.
- POLICY RULES: the application permission information.
- GROUPS: Enter the UID or role ID in Step 1 below the line and click ADD GROUP on the right.

In the following example, a role named roletest is created. This role grants RAM User 27***02 the get (read-only) permissions on all applications in the test project. RAM User 27***02 with the granted permissions can click LOG IN VIA ALIYUN SSO in the ACK One console to access the Argo CD UI and verify if the permissions are as expected.