Kubernetes Operator for Argo CD RBAC Management.
The Argo CD RBAC Operator provides a CRD based API for the RBAC management of Argo CD. It provides a structured and easy to use way to define RBAC policies. The Operator uses the CRs as a single source of truth for RBAC management and converts them into a policy string that is patched into the Argo CD RBAC ConfigMap or AppProjects.
Clone the Argo CD RBAC Operator repository.
git clone https://github.com/argoproj-labs/argocd-rbac-operator.git
cd argocd-rbac-operatorBy default, the operator is installed into the argocd-rbac-operator-system namespace. To modify this, update the value of the namespace specified in the config/default/kustomization.yaml file.
Deploy the operator. This will create all the necessary resources, including the namespace. For running the task command you need to install task and go-lang package on your system.
task deployThe operator pod should start and enter a Running state after a few seconds.
kubectl get pods -n argocd-rbac-operator-systemFirst you have to add the repo:
helm repo add argocd-rbac-operator https://argoproj-labs.github.io/argocd-rbac-operator/After the repo has been added, you can install the Helm chart of the operator:
helm install argocd-rbac-operator argocd-rbac-operator/argocd-rbac-operatorIf you want to change the namespace of the Argo CD instance, image version, or other values, you have to define a values.yaml file and run following command:
helm install argocd-rbac-operator argocd-rbac-operator/argocd-rbac-operator -f values.yamlThe following example shows a manifest to create a new ArgoCDRole test-role:
apiVersion: rbac-operator.argoproj-labs.io/v1alpha1
kind: ArgoCDRole
metadata:
labels:
app.kubernetes.io/name: argocd-rbac-operator
app.kubernetes.io/managed-by: kustomize
name: test-role
namespace: test-ns
spec:
rules:
- resource: "applications"
verbs: ["get", "create", "update", "delete"]
objects: ["*/*"]And a ArgoCDRoleBinding test-role-binding to bind the specified users and a role to the new ArgoCDRole:
apiVersion: rbac-operator.argoproj-labs.io/v1alpha1
kind: ArgoCDRoleBinding
metadata:
labels:
app.kubernetes.io/name: argocd-rbac-operator
app.kubernetes.io/managed-by: kustomize
name: test-role-binding
namespace: test-ns
spec:
subjects:
- kind: "sso"
name: "gosha"
- kind: "local"
name: "localUser"
- kind: "role"
name: "orgadmin"
argocdRoleRef:
name: "test-role"Make sure that the argocd Namespace exists, so that the ConfigMap can be created properly.
Create a new ArgoCDRole and ArgoCDRoleBinding using the provided example. (Make sure that both CRs are created in the same Namespace)
kubectl create -f test-role.yaml
kubectl create -f test-role-binding.yamlThe following ConfigMap will be created after the ArgoCDRole and ArgoCDRoleBinding has been reconciled.
apiVersion: v1
data:
policy.csv: ""
policy.default: role:readonly
policy.test-ns.test-role.csv: |
p, role:test-role, applications, get, */*, allow
p, role:test-role, applications, create, */*, allow
p, role:test-role, applications, update, */*, allow
p, role:test-role, applications, delete, */*, allow
g, gosha, role:test-role
p, localUser, applications, get, */*, allow
p, localUser, applications, create, */*, allow
p, localUser, applications, update, */*, allow
p, localUser, applications, delete, */*, allow
g, role:orgadmin, role:test-role
scopes: '[groups]'
kind: ConfigMap
metadata:
name: argocd-rbac-cm
namespace: argocdTo delete a Role you can use kubectl
kubectl delete argocdrole.rbac-operator.argoproj-labs.io/test-role
kubectl delete argocdrolebinding.rbac-operator.argoproj-labs.io/test-role-bindingAfter the Resource is deleted, the policy string will be also deleted from the RBAC-CM.
To change the policy.csv you have to make changes in the internal/controller/common/defaults.go file.
As for now only single Argo CD deployment type is supported. The default Argo CD namespace is defined as argocd, to change that you have to provide a flag --argocd-rbac-cm-namespace="your-argocd-namespace".
The following example shows a manifest to create a new ArgoCDProjectRole test-project-role:
apiVersion: rbac-operator.argoproj-labs.io/v1alpha1
kind: ArgoCDProjectRole
metadata:
name: test-project-role
namespace: test-ns
spec:
description: "Test role for ArgoCD's AppProjects"
rules:
- resource: clusters
verbs:
- get
- watch
objects:
- "*"
- resource: applications
verbs:
- get
objects:
- "*"And a ArgoCDProjectRoleBinding test-project-role-binding to bind the specified role to a single or multiple AppProjects:
apiVersion: rbac-operator.argoproj-labs.io/v1alpha1
kind: ArgoCDProjectRoleBinding
metadata:
name: test-project-role-binding
namespace: test-ns
spec:
argocdProjectRoleRef:
name: test-project-role
subjects:
- appProjectRef: test-appproject-1
groups:
- test-group-1
- test-group-2
- appProjectRef: test-appproject-2
groups:
- test-group-3
- test-group-4Create a new ArgoCDProjectRole and ArgoCDProjectRoleBinding using the provided example. (Make sure that both CRs and AppProjects are created in the same Namespace)
kubectl create -f test-project-role.yaml
kubectl create -f test-project-role-binding.yamlAfter the reconciliation a following role will be added to the specified AppProjects:
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: test-appproject-1
namespace: test-ns
spec:
description: "Test AppProject 1 for ArgoCD's RBAC Operator"
roles:
...
- description: Test role for ArgoCD's AppProjects
groups:
- test-group-1
- test-group-2
name: test-project-role
policies:
- p, proj:test-appproject-1:test-project-role, clusters, get, *, allow
- p, proj:test-appproject-1:test-project-role, clusters, watch, *, allow
- p, proj:test-appproject-1:test-project-role, applications, get, *, allow
...
---
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: test-appproject-2
namespace: test-ns
spec:
description: "Test AppProject 2 for ArgoCD's RBAC Operator"
roles:
...
- description: Test role for ArgoCD's AppProjects
groups:
- test-group-3
- test-group-4
name: test-project-role
policies:
- p, proj:test-appproject-2:test-project-role, clusters, get, *, allow
- p, proj:test-appproject-2:test-project-role, clusters, watch, *, allow
- p, proj:test-appproject-2:test-project-role, applications, get, *, allow
...If changes there made to the CRs, they also will be reflected in referenced AppProjects:
- changes to
spec.rulesof ArgoCDProjectRole- will be patched to AppProject on next reconcile of ArgoCDProjectRoleBinding
- changes to
spec.subjectsof ArgoCDProjectRoleBindings- deletion of a subject, will delete the role in AppProject
- change to subject will be reflected in AppProject on next reconcile
To delete a Role you can use kubectl
kubectl delete argocdprojectroles test-project-role
kubectl delete argocdprojectrolebindings test-project-role-bindingAfter the deletion of the Role or RoleBinding, the Role will also be deleted in AppProject.
- extend the operator with functionality to manage Argo CD AppProject RBAC
- achieve test coverage of >= 80% (current: ~75%)
- allow management for multi-instances set-up of Argo CD
