Image Credit: https://workos.com/blog/rbac-vs-abac
Back to ArgoCD, we have seen some important topics about GitOps and ArgoCD or related to that. Now let’s move to further and check other important feature which we should use to make the tool more standard for all the teams. In this post, lets see how to manage the ArgoCD RBAC configuration with some examples.
In this we are going to check how to mange the RBAC or handle the use using CLI and configMap.
What Is Role-Based Access Control?
Role-based access control is control over user groups and access to resources based on a defined role.
According to the National Institute of Science and Technology (NIST), “rudimentary forms of role-based access control were implemented in a variety of ad hoc forms on many systems beginning in the 1970s.” However, a formal model wasn’t proposed until 1992. Ferrailo and Kuhn published a paper that proposed an alternative to the traditional models of Mandatory Access Control (MAC) and Discretionary Access Control (DAC). RBAC defined three basic requirements for access control:
A role is a collection of permissions. This allows organizations to grant appropriate permissions to employees or contractors, and ensure privileges and permissions keep to a role hierarchy.
Why Should Care About RBAC?
RBAC helps systems, businesses to protect their data and key processes through company-set rules and roles. Additionally, RBAC gives administrators increased visibility across various cloud tooling and IT systems. In addition, For DevOps teams, in particular, this is important as many teams exist and require varying amounts of control over specific workloads or groups of resources.
Login to ArgoCD using CLI
Before we start, lets login to ArgoCD and check current user, via CLI and UI.
# argocd login <your Argocd hostname/IP> --username admin
via UI: for this login to Argo CD in your browser and go to settings and Accounts. You could see the users.
Check the list of users on argoCD using,
# argocd account list
Create a new user from ConfigMap
As we seen, we don’t have much users in our system, now let’s extend to create new users from different teams, so we can distribute the tool with different teams and limited permissions. We are going to edit the ConfigMap directly in this example, if you templatized your Argo CD deployment, you can create a confirMap file.
# kubectl edit configmap argocd-cm -n argocd
please change the namespace “agrocd” with your own namespace name.
Add the data as following to the ConfigMap:
data: accounts.<your-username>: apiKey, login
This will add a new username and allow them to process an API key as well as login via the Command Line Interface and Graphical User Interface.
Apply the changes by running:
# kubectl apply -f argocd-cm.yml