How to Manage ArgoCD RBAC configuration

0_yhcnrgG1T2spu7vT.jpg

Image Credit: https://workos.com/blog/rbac-vs-abac

Back to ArgoCD, we have seen some important topics about GitOps and ArgoCD or related to that. Now let’s move to further and check other important feature which we should use to make the tool more standard for all the teams. In this post, lets see how to manage the ArgoCD RBAC configuration with some examples.

In this we are going to check how to mange the RBAC or handle the use using CLI and configMap.

What Is Role-Based Access Control?

Role-based access control is control over user groups and access to resources based on a defined role.

According to the National Institute of Science and Technology (NIST), “rudimentary forms of role-based access control were implemented in a variety of ad hoc forms on many systems beginning in the 1970s.” However, a formal model wasn’t proposed until 1992. Ferrailo and Kuhn published a paper that proposed an alternative to the traditional models of Mandatory Access Control (MAC) and Discretionary Access Control (DAC). RBAC defined three basic requirements for access control:

  1. Role Assignment: subjects are assigned roles and only allowed transactions if allowed by the defined user-role.
  2. Role Authorization: subjects only use roles for which they are authorized.
  3. Transaction Authorization: subjects only execute transactions authorized by that subject’s role memberships.

A role is a collection of permissions. This allows organizations to grant appropriate permissions to employees or contractors, and ensure privileges and permissions keep to a role hierarchy.

Why Should Care About RBAC?

RBAC helps systems, businesses to protect their data and key processes through company-set rules and roles. Additionally, RBAC gives administrators increased visibility across various cloud tooling and IT systems. In addition, For DevOps teams, in particular, this is important as many teams exist and require varying amounts of control over specific workloads or groups of resources.

Prerequisites:

Login to ArgoCD using CLI

Before we start, lets login to ArgoCD and check current user, via CLI and UI.

Via CLI:

                # argocd login <your Argocd hostname/IP> --username admin
            

via UI: for this login to Argo CD in your browser and go to settings and Accounts. You could see the users.

Check the list of users on argoCD using,

                # argocd account list
            

Create a new user from ConfigMap

As we seen, we don’t have much users in our system, now let’s extend to create new users from different teams, so we can distribute the tool with different teams and limited permissions. We are going to edit the ConfigMap directly in this example, if you templatized your Argo CD deployment, you can create a confirMap file.

                # kubectl edit configmap argocd-cm -n argocd
            

please change the namespace “agrocd” with your own namespace name.

Add the data as following to the ConfigMap:

                data:
  accounts.<your-username>: apiKey, login
            

This will add a new username and allow them to process an API key as well as login via the Command Line Interface and Graphical User Interface.

Apply the changes by running:

                # kubectl apply -f argocd-cm.yml
            

Only registered users can post comments. Please, login or signup.

Start blogging about your favorite technologies and get more readers

Join other developers and claim your FAUN account now!

Avatar

We are Foxutech

@foxutech
#devops #docker #github #rundeck #nagios #linux #containers #kubernetes #terraform #ansible #saltstack #security #automation #microservices #gitops #argocd #crossplane #prometheus
Stats
49

Influence

3k

Total Hits

11

Posts