FoxuTech

How to Manage ArgoCD RBAC configuration

How to Manage Argo CD RBAC configuration

Image Credit: https://workos.com/blog/rbac-vs-abac

Back to ArgoCD, we have seen some important topics about GitOps and ArgoCD or related to that. Now let’s move to further and check other important feature which we should use to make the tool more standard for all the teams. In this post, lets see how to manage the ArgoCD RBAC configuration with some examples.

In this we are going to check how to mange the RBAC or handle the use using CLI and configMap.

What Is Role-Based Access Control?

Role-based access control is control over user groups and access to resources based on a defined role. 

According to the National Institute of Science and Technology (NIST), “rudimentary forms of role-based access control were implemented in a variety of ad hoc forms on many systems beginning in the 1970s.” However, a formal model wasn’t proposed until 1992. Ferrailo and Kuhn published a paper that proposed an alternative to the traditional models of Mandatory Access Control (MAC) and Discretionary Access Control (DAC). RBAC defined three basic requirements for access control:

  1. Role Assignment: subjects are assigned roles and only allowed transactions if allowed by the defined user-role.
  2. Role Authorization: subjects only use roles for which they are authorized.  
  3. Transaction Authorization: subjects only execute transactions authorized by that subject’s role memberships.

A role is a collection of permissions. This allows organizations to grant appropriate permissions to employees or contractors, and ensure privileges and permissions keep to a role hierarchy.

Why Should Care About RBAC?

RBAC helps systems, businesses to protect their data and key processes through company-set rules and roles. Additionally, RBAC gives administrators increased visibility across various cloud tooling and IT systems. In addition, For DevOps teams, in particular, this is important as many teams exist and require varying amounts of control over specific workloads or groups of resources. 

Prerequisites:

find real-time example on:

Login to ArgoCD using CLI

Before we start, lets login to ArgoCD and check current user, via CLI and UI.

Via CLI:

# argocd login <your Argocd hostname/IP> --username admin

via UI: for this login to Argo CD in your browser and go to settings and Accounts. You could see the users.

Check the list of users on argoCD using,

# argocd account list

Create a new user from ConfigMap

As we seen, we don’t have much users in our system, now let’s extend to create new users from different teams, so we can distribute the tool with different teams and limited permissions. We are going to edit the ConfigMap directly in this example, if you templatized your Argo CD deployment, you can create a confirMap file.

# kubectl edit configmap argocd-cm -n argocd

please change the namespace “agrocd” with your own namespace name.

Add the data as following to the ConfigMap:

data:
  accounts.<your-username>: apiKey, login

This will add a new username and allow them to process an API key as well as login via the Command Line Interface and Graphical User Interface.

Apply the changes by running:

# kubectl apply -f argocd-cm.yml

Verify the Users

Run the following to verify the new users exist automatically:

# argocd account list

Update the Users Password

Well.!! We have created the user, now we need a password to be set to login and access it. To update the password,

# argocd account update-password --account <your-username> --new-password <your-password>

This will prompt for the current logged in user password, in this admin user.

Update the Role Base Access Control (RBAC) for Local User

Hmm… fine, so far, we have done great. As we know by default, in Argo CD user can log in with “read-only” access except Admin user. But main use-case will be different, like more users should have different access by using different roles. Example, some team expects to restart/sync the application. As admin cannot manage more than 100 applications at same time or quickly. This may delay the purpose of the real usage of Argo CD. For that, RBAC config map will need to be updated. Run the following to pull the config map:

# kubectl edit configmap argocd-rbac-cm -n argocd

Add the following after the API version line,

data:
  policy.csv: |
    p, role:devops, applications, *, *, allow
    p, role:developers, applications, *, *, allow
    p, role:devops, clusters, get, *, allow
    p, role:devops, repositories, get, *, allow
    p, role:devops, repositories, create, *, allow
    p, role:devops, repositories, update, *, allow
    p, role:devops, repositories, delete, *, allow
    p, role:devops, gpgkeys, get, *, allow
    g, motoskia, role:devops
    g, foxutech, role:staging
    g, dea, role:admin

The below is to make sure that the user cannot do anything but log in to the UI by default. Read Only is now disabled.

policy.default: role:''

The next part is setting up all the access within ArgoCD for the role devops:

p, role:devops, applications, *, *, allow
p, role:developers, applications, *, *, allow
p, role:devops, clusters, get, *, allow
p, role:devops, repositories, get, *, allow
p, role:devops, repositories, create, *, allow
p, role:devops, repositories, update, *, allow
p, role:devops, repositories, delete, *, allow
p, role:devops, gpgkeys, get, *, allow

Next, the new user is assigned to the role:

g, <your-user>, role:devops

Disabled Admin Account

Most of the organization not prefer use common admin user, for that its mandatory to disable the default admin user. To achieve this plan your RBAC well structured, so you could create the custom admin users. With this we can now disable the admin account. Run the following to get the config map:

# kubectl edit configmap argocd-cm -n argocd

Then add the following to the config map:

data:
  admin.enabled: "false"

In this post we have see how to create a new user and apply custom policy for the user. Also, we have seen how to disable the default admin user. Hope this is useful, Please share with your teams.

Exit mobile version