Back to Argo CD. In the earlier posts we covered GitOps basics and how to set up Argo CD; now let's move on to another feature you should put in place before rolling the tool out to every team: access control. In this post we look at how to manage the Argo CD RBAC configuration, with examples.
We will see how to create users and manage their permissions using the CLI and the Argo CD ConfigMaps.
What Is Role-Based Access Control?
Role-based access control is a way of restricting what users and groups can do with a resource based on the roles they hold.
According to the National Institute of Standards and Technology (NIST), "rudimentary forms of role-based access control were implemented in a variety of ad hoc forms on many systems beginning in the 1970s." However, a formal model was not proposed until 1992, when Ferraiolo and Kuhn published a paper proposing an alternative to the traditional models of Mandatory Access Control (MAC) and Discretionary Access Control (DAC). RBAC defined three basic requirements for access control:
- Role Assignment: a subject can execute a transaction only if the subject has been assigned a role that allows it.
- Role Authorization: subjects only use roles for which they are authorized.
- Transaction Authorization: subjects only execute transactions authorized by that subject’s role memberships.
A role is a collection of permissions. This lets organizations grant employees or contractors the permissions their job needs, and keep privileges consistent with a role hierarchy instead of assigning them user by user.
Why Should You Care About RBAC?
RBAC helps organizations protect their data and key processes through rules and roles the company sets. It also gives administrators better visibility across cloud tooling and IT systems. For DevOps teams in particular this matters, because many teams share the same platform and need different amounts of control over specific workloads or groups of resources.
Prerequisites:
- Azure Kubernetes Service up and running. If you don't have one, follow the Terraform steps in How to create Azure Kubernetes Service using Terraform – FoxuTech to create it.
- kubectl installed on the VM or machine from which you are going to manage the AKS cluster.
- A kubeconfig file (default location is ~/.kube/config).
- Argo CD set up. If it is not, refer to Setup ArgoCD on Azure Kubernetes Services – FoxuTech.
- The Argo CD CLI installed as well, following Setup ArgoCD on Azure Kubernetes Services – FoxuTech.
Login to ArgoCD using CLI
Before we start, let's log in to Argo CD and check the current users, via the CLI and the UI.
Via CLI:
# argocd login <your Argo CD hostname/IP> --username admin
Via UI: log in to Argo CD in your browser and go to Settings > Accounts. You will see the users.
Check the list of users on Argo CD using:
# argocd account list
Create a new user from ConfigMap
As we have seen, there are not many users in our system yet. Now let's create new users for the different teams, so we can hand the tool to them with limited permissions. In this example we edit the ConfigMap directly; if you have templated your Argo CD deployment, put the same keys in your argocd-cm ConfigMap file instead.
# kubectl edit configmap argocd-cm -n argocd
Replace the namespace "argocd" with your own namespace name if Argo CD is installed elsewhere.
Add the following under data in the ConfigMap:
data:
  accounts.<your-username>: apiKey, login
This adds a new local user. The capabilities after the colon control what the account can do: login allows interactive login through the CLI and the UI, and apiKey allows generating API tokens for the account. Grant only what the account needs; a CI or automation account, for example, should usually get apiKey alone so nobody can log in to the UI with it.
If you edited the ConfigMap in place, the change is applied when you save. If you keep the ConfigMap in a file, apply it with:
# kubectl apply -f argocd-cm.yml
Verify the Users
Run the following to verify that the new user now shows up:
# argocd account list
Update the Users Password
We have created the user, but it still needs a password before anyone can log in with it. To set the password:
# argocd account update-password --account <your-username> --new-password <your-password>
This prompts for the password of the currently logged-in user (admin, in our case), since changing another account's password is an admin operation. You can pass it with --current-password instead if you are scripting this.
Update the Role-Based Access Control (RBAC) for the Local User
So far so good. By default, every Argo CD user other than admin logs in with read-only access: the built-in role:readonly is the value of policy.default in the argocd-rbac-cm ConfigMap. The real use case is usually different: different users need different access through different roles. For example, a team may need to restart or sync its own applications, and an admin cannot reasonably manage a hundred applications by hand for everyone, which defeats the purpose of using Argo CD. For that, the RBAC ConfigMap needs to be updated. Run the following to open it:
# kubectl edit configmap argocd-rbac-cm -n argocd
Add the following under data:
data:
  policy.default: role:''
  policy.csv: |
    p, role:devops, applications, *, *, allow
    p, role:developers, applications, *, *, allow
    p, role:devops, clusters, get, *, allow
    p, role:devops, repositories, get, *, allow
    p, role:devops, repositories, create, *, allow
    p, role:devops, repositories, update, *, allow
    p, role:devops, repositories, delete, *, allow
    p, role:devops, gpgkeys, get, *, allow
    g, motoskia, role:devops
    g, foxutech, role:staging
    g, dea, role:admin
The first key makes sure that a user with no role assigned can do nothing except log in to the UI; the default read-only access is now disabled:
policy.default: role:''
The next part sets up the access within Argo CD for the role devops. Each p line has the form p, <subject>, <resource>, <action>, <object>, <effect>, where the subject is a role or a user, the resource is an Argo CD resource type (applications, clusters, repositories, projects, ...), the action is a verb such as get, create, update, delete or sync (* covers all of them), the object is a glob selecting which instances the rule applies to, and the effect is allow or deny. A matching deny always overrides a matching allow. Application objects are written as <project>/<app-name>, which is why Argo CD's own examples and its built-in roles use */* in that field; mirror that form for application rules.
p, role:devops, applications, *, *, allow
p, role:developers, applications, *, *, allow
p, role:devops, clusters, get, *, allow
p, role:devops, repositories, get, *, allow
p, role:devops, repositories, create, *, allow
p, role:devops, repositories, update, *, allow
p, role:devops, repositories, delete, *, allow
p, role:devops, gpgkeys, get, *, allow
The devops role therefore gets every action on every application, read access to clusters and GPG keys, and full management of repositories. Note that this policy also defines role:developers without assigning it to anyone, and assigns foxutech to role:staging, which has no p lines at all: with policy.default set to role:'', foxutech can log in but see nothing. role:admin, used for dea, is a built-in role and does not need its own p lines.
Next, the new user is assigned to the role with a g line:
g, <your-user>, role:devops
After saving, check the result from the CLI rather than trusting the file. Logged in as the new user, argocd account can-i sync applications '*' should answer yes, and argocd account can-i create clusters '*' should answer no.
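To make the evaluation rules concrete, here is a small offline model of how Argo CD decides a request against policy.csv. This is an added example written for this post, not Argo CD's own code: Argo CD delegates evaluation to casbin, and this re-implementation covers only the parts that matter when writing a policy (role membership through g lines, wildcard matching on resource, action and object, a deny beating any allow, and the policy.default fallback). The BUILTIN_POLICY constant is an assumed abbreviation of Argo CD's built-in role:admin and role:readonly, the user names are the ones from this post, and the default_role parameter models policy.default. It also includes a lint pass that flags the two problems in the policy above: a role assigned but never defined, and a role defined but never assigned.

```python
"""Offline model of Argo CD RBAC evaluation over argocd-rbac-cm's policy.csv.

Added example for this post, not Argo CD's own code. Wildcards are
approximated with fnmatch; Argo CD itself uses casbin's glob matcher.
"""
from fnmatch import fnmatchcase

# Assumption: Argo CD's real builtin-policy.csv lists each resource
# explicitly; '*' here stands in for that list.
BUILTIN_POLICY = """
p, role:admin, *, *, *, allow
p, role:readonly, *, get, *, allow
"""

# The policy.csv from this post's argocd-rbac-cm, verbatim.
POLICY_CSV = """
p, role:devops, applications, *, *, allow
p, role:developers, applications, *, *, allow
p, role:devops, clusters, get, *, allow
p, role:devops, repositories, get, *, allow
p, role:devops, repositories, create, *, allow
p, role:devops, repositories, update, *, allow
p, role:devops, repositories, delete, *, allow
p, role:devops, gpgkeys, get, *, allow
g, motoskia, role:devops
g, foxutech, role:staging
g, dea, role:admin
"""


def parse_policy(csv_text):
    """Return (p_rules, memberships): p_rules are 5-tuples of
    (subject, resource, action, object, effect); memberships maps a
    subject (user, group or role) to the roles it inherits via g lines."""
    p_rules, memberships = [], {}
    for lineno, raw in enumerate(csv_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            if fields[5] not in ("allow", "deny"):
                raise ValueError(f"line {lineno}: effect must be allow or deny")
            p_rules.append(tuple(fields[1:]))
        elif fields[0] == "g" and len(fields) == 3:
            memberships.setdefault(fields[1], []).append(fields[2])
        else:
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
    return p_rules, memberships


def expand_subjects(subject, memberships, seen=None):
    """The subject itself plus every role reachable through g lines."""
    seen = set() if seen is None else seen
    if subject not in seen:
        seen.add(subject)
        for role in memberships.get(subject, []):
            expand_subjects(role, memberships, seen)
    return seen


def can_i(subject, resource, action, obj, policy_csv=POLICY_CSV,
          default_role=""):
    """Mimic `argocd account can-i`: True if allowed, False otherwise.

    A matching deny always wins; a subject with no matching rule falls back
    to policy.default (default_role="" models policy.default: role:'')."""
    p_rules, memberships = parse_policy(BUILTIN_POLICY + policy_csv)
    subjects = expand_subjects(subject, memberships)
    if default_role:
        subjects |= expand_subjects(default_role, memberships)
    effects = {
        eft for sub, res, act, o, eft in p_rules
        if sub in subjects and fnmatchcase(resource, res)
        and fnmatchcase(action, act) and fnmatchcase(obj, o)
    }
    return "allow" in effects and "deny" not in effects


def lint_policy(policy_csv=POLICY_CSV):
    """Flag roles assigned by a g line but never given p rules (their
    members get nothing) and roles with p rules nobody is assigned to."""
    p_rules, memberships = parse_policy(policy_csv)
    builtin = {"role:admin", "role:readonly"}
    defined = {rule[0] for rule in p_rules}
    assigned = {r for roles in memberships.values() for r in roles}
    problems = [f"{r} is assigned by a g line but has no p rules"
                for r in sorted(assigned - defined - builtin)]
    problems += [f"{r} has p rules but no g line assigns it"
                 for r in sorted(defined - assigned - builtin)
                 if r.startswith("role:")]
    return problems


if __name__ == "__main__":
    for problem in lint_policy():
        print("lint:", problem)
    print(can_i("motoskia", "applications", "sync", "default/guestbook"))  # True
    print(can_i("foxutech", "applications", "get", "default/guestbook"))   # False
```

Running it as a script prints the two lint findings for the post's policy and then the two decisions. The useful experiment is to append a deny line such as p, role:devops, applications, delete, prod/*, deny and confirm that motoskia can still delete default/guestbook but not prod/payments, and to call can_i for foxutech with default_role="role:readonly" to see what the old policy.default would have granted.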
Disable the Admin Account
Most organizations do not want a shared admin user, so it is good practice to disable the default admin account. Plan your RBAC first so that at least one named user is assigned role:admin (dea in the example above), and confirm you can log in as that user and run an admin operation before you continue; otherwise you lock yourself out, and the only way back is to set the key below to "true" again. Then open the ConfigMap:
# kubectl edit configmap argocd-cm -n argocd
And add the following under data:
data:
  admin.enabled: "false"
If your installation created the argocd-initial-admin-secret Secret, delete it as well once the admin account is disabled, so the initial password is not left lying in the cluster.
In this post we have seen how to create a new user and apply a custom policy for that user, and how to disable the default admin user. Hope this is useful; please share it with your teams.