Kubernetes Practice (English) - User management and RBAC Configuration on ArgoCD

Posted by: Quân Huỳnh

Via Viblo Asia

In this post, we will learn how to create new users and manage RBAC Configuration on ArgoCD.

By default, ArgoCD provides an admin user with full access to the system. That is fine if you work alone, but when your team scales, your boss will ask: "Is there a way for developers to check logs on ArgoCD without asking you for help?" You cannot hand the admin user to developers, so we have to create a new user account and assign it the appropriate permissions.

Create a new account

In ArgoCD, creating a new account is quite simple: we just need to edit the ConfigMap named argocd-cm in the namespace where ArgoCD is installed. For example, if we installed it in the namespace argocd, the default argocd-cm looks like this:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  url: https://argocd.example.com

Copy the default configuration into a file named argocd-cm.yaml. Next, we update argocd-cm to create a user with the username hanli.

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  url: https://argocd.example.com
  accounts.hanli: login

In the data property of the argocd-cm ConfigMap, we declare the user we want to create, in the following format:

accounts.<username>: <capabilities>

Each user can have two capabilities:

  • apiKey - allows generating authentication tokens for API access
  • login - allows logging in using the UI

In the above configuration, we named the user hanli and gave it only the login capability. Next, we apply the ConfigMap.

kubectl apply -f argocd-cm.yaml

ArgoCD will create a new user named hanli. Next, we need to set a password for hanli so that it can log in to ArgoCD; run the following command:

argocd account update-password --account hanli --new-password hanli --current-password <admin-password> --grpc-web

The value of --current-password is the admin's password. Now the user hanli can log in to ArgoCD: open the ArgoCD UI and log in with the username and password hanli that we configured above.

By default, a newly created user only has read-only permissions and cannot perform any other action. For example, the user hanli needs to restart a Deployment so that all of its Pods pick up a new ConfigMap, but it cannot.

Next, we will learn how to assign permissions to users on ArgoCD.

RBAC Configuration

To grant additional RBAC roles to users, we edit the ConfigMap named argocd-rbac-cm; its default configuration is as follows.

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly

As we can see, it has a field policy.default: role:readonly, which grants read-only permission to any user that is not granted permissions elsewhere. Copy and paste it into a file named argocd-rbac-cm.yaml. To grant permissions to a user, we add a field named policy.csv as follows:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |

We define permissions in the policy.csv field using the following format:

p, <role/user/group>, <resource>, <action>, <object>, <effect>

Or

p, <role/user/group>, <resource>, <action>, <appproject>/<object>, <effect>

The <role/user/group> is the name of the role, user or group, and <effect> is either allow or deny.

Resources: clusters, projects, applications, repositories, certificates, accounts, gpgkeys, logs, exec

Actions: get, create, update, delete, sync, override, action/<group/kind/action-name>

We want the user to have permission to restart a Deployment, so we write it as follows.

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    p, hanli, applications, action/apps/Deployment/restart, default/*, allow

The resource is applications, and with the action in the format action/<group/kind/action-name>, the action to restart a Deployment is action/apps/Deployment/restart.

Next, the <object> value is default/*. By default, when we install ArgoCD it has a project named default, and if we do not create more projects, all of our applications live in this default project. The value default/* means we want this permission to apply to every application in the default project.

If you want to limit it to one application, declare it as default/<application-name>.

However, if we have many users, we need to repeat the above permission for each of them, and our ConfigMap becomes quite verbose, for example:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    p, hanli, applications, action/apps/Deployment/restart, default/*, allow
    p, natsu, applications, action/apps/Deployment/restart, default/*, allow
    p, lucy, applications, action/apps/Deployment/restart, default/*, allow

We can shorten it by creating a common role and assigning it to the different users, like this:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    p, role:deployment-restart, applications, action/apps/Deployment/restart, default/*, allow
    g, hanli, role:deployment-restart
    g, natsu, role:deployment-restart
    g, lucy, role:deployment-restart

Apply the argocd-rbac-cm ConfigMap and our users will have the corresponding permissions.

kubectl apply -f argocd-rbac-cm.yaml
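Before applying a policy it is worth checking what it actually grants. The following is an added example, not ArgoCD's own code: a simplified model of how ArgoCD composes the p and g lines above (glob matching per field, role membership, deny beating allow, and policy.default consulted only when the user's own rules do not allow). The built-in role:readonly is reduced to a single assumed get rule, and a deny on a prod project is constructed to show precedence.

```python
"""Simplified model of how ArgoCD composes policy.csv rules (added example, not
ArgoCD's code): 'p' rules glob-matched per field, 'g' role membership, deny beating
allow within one evaluation, and policy.default tried only if the user's rules fail."""
from fnmatch import fnmatchcase

# Fragment of the built-in role:readonly, reduced to one 'get' rule (assumption).
BUILTIN_POLICY = "p, role:readonly, applications, get, */*, allow\n"

# policy.csv from the article, plus a constructed deny on a 'prod' project to show
# that an explicit deny overrides the role's allow.
POLICY_CSV = """
p, role:deployment-restart, applications, action/apps/Deployment/restart, default/*, allow
p, role:deployment-restart, applications, action/apps/Deployment/restart, prod/*, deny
g, hanli, role:deployment-restart
g, natsu, role:deployment-restart
"""

def parse(csv_text):
    """Return ('p' rules as (subject, resource, action, object, effect), 'g' map)."""
    rules, groups = [], {}
    for line in csv_text.splitlines():
        f = [x.strip() for x in line.split(",")]
        if f[0] == "p" and len(f) == 6:
            rules.append(tuple(f[1:]))
        elif f[0] == "g" and len(f) == 3:
            groups.setdefault(f[1], set()).add(f[2])
    return rules, groups

def subjects_of(user, groups):
    """The user plus every role reachable through 'g' lines (roles may nest)."""
    seen, todo = {user}, [user]
    while todo:
        new = groups.get(todo.pop(), set()) - seen
        seen |= new
        todo.extend(new)
    return seen

def enforce(subjects, rules, resource, action, obj):
    """Casbin effect used by ArgoCD: some matching allow and no matching deny."""
    effects = {eff for subj, res, act, o, eff in rules
               if subj in subjects and fnmatchcase(resource, res)
               and fnmatchcase(action, act) and fnmatchcase(obj, o)}
    return "allow" in effects and "deny" not in effects

def can(user, resource, action, obj, policy_csv=POLICY_CSV, default_role="role:readonly"):
    """Decision for one request: the user's own rules first, then the default role."""
    rules, groups = parse(BUILTIN_POLICY + policy_csv)
    if enforce(subjects_of(user, groups), rules, resource, action, obj):
        return True
    return bool(default_role) and enforce({default_role}, rules, resource, action, obj)
```

For the authoritative answer against a real policy file, ArgoCD ships `argocd admin settings rbac can`, which evaluates a subject, action and resource against a given `--policy-file`.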

Done 😁. Please like the DevOps VN page to receive notifications of new posts as early as possible.

Conclusion

So we have learned how to create users and manage RBAC configuration on ArgoCD; you can read more in the ArgoCD RBAC Configuration documentation. If you have any questions or need more clarification, you can ask in the comment section below.
