Multiple rbac configmap support #9972

Closed
v1ctorrhs opened this issue Jul 13, 2022 · 3 comments
Labels
enhancement New feature or request security Security related

Comments

@v1ctorrhs

Summary

Adding support for multiple argocd-rbac-cm-* configmaps to enable dynamic configuration of rbac permissions.

Motivation

With the introduction of the Web Terminal in the UI, we would really like to utilise it so our engineers can support escalations faster/easier. Kubectl is not an option; the argocd web terminal is a perfect use case for this. With large organisations it's pretty common to use SSO and of course control rbac based on the user groups.

We install argocd using kustomize.yaml and we have a patchesStrategicMerge over the argocd-rbac-cm config map as the install.yaml manifest includes an empty argocd-rbac-cm config map.

So even with the patch the argocd-rbac-cm cm is pretty static. In order to add a new rbac role and group dynamically we have to play around with bash scripts and git commit inside the pipelines.

The following policy is an example of how this could be used. However, that doesn't scale for tens/hundreds of applications.
Adding a new configmap on the other hand is pretty easy with helm/kustomize/terraform/...

  policy.csv: |
    p, role:escalation, applications, get, */*, allow
    p, role:escalation, clusters, get, *, allow
    p, role:escalation, repositories, get, *, allow
    p, role:escalation, logs, get, */*, allow
    p, role:escalation, exec, create, applications/environment1, allow
    
    g, admin, role:admin
    g, escalation_group, role:escalation

Proposal

Adding support for multiple csv policy files. This will enable us to create multiple policies using configmaps and mount them in the same directory.

Example

  admin_policy.csv: |
    g, admin, role:admin
  foo_policy.csv: |
    p, role:foo, applications, get, */*, allow
    p, role:foo, clusters, get, *, allow
    p, role:foo, repositories, get, *, allow
    p, role:foo, logs, get, */*, allow
    p, role:foo, exec, create, applications/foo, allow

    g, foo, role:foo
  bar_policy.csv: |
    p, role:bar, applications, get, */*, allow
    p, role:bar, clusters, get, *, allow
    p, role:bar, repositories, get, *, allow
    p, role:bar, logs, get, */*, allow
    p, role:bar, exec, create, applications/bar, allow

    g, bar, role:bar
@v1ctorrhs v1ctorrhs added the enhancement New feature or request label Jul 13, 2022
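
Splitting policy across per-team fragments, as proposed above, means one fragment can widen a role defined in another or bind a group to `role:admin`, so a pipeline that merges fragments into a single `policy.csv` should lint them first. The sketch below is an added example, not code from this issue or from Argo CD; `merge_policies`, `ADMIN_FRAGMENTS` and the `zz_team_policy.csv` fragment are constructed for illustration, and the rule that only `admin_policy.csv` may bind `role:admin` is an assumption.

```python
# Assumption: only this fragment is allowed to bind subjects to role:admin.
ADMIN_FRAGMENTS = {"admin_policy.csv"}

def merge_policies(fragments):
    """Merge {filename: csv_text} fragments; return (merged_csv, findings)."""
    merged, findings = [], []
    role_owner = {}  # role -> first fragment that wrote "p" rules for it
    for name in sorted(fragments):  # deterministic order across runs
        for lineno, raw in enumerate(fragments[name].splitlines(), 1):
            if not raw.strip():
                continue
            f = [x.strip() for x in raw.split(",")]
            where = f"{name}:{lineno}"
            if f[0] == "p" and len(f) == 6:
                # p, subject, resource, action, object, effect
                owner = role_owner.setdefault(f[1], name)
                if owner != name:
                    findings.append(f"{where}: extends {f[1]} owned by {owner}")
            elif f[0] == "g" and len(f) == 3:
                # g, user-or-group, role
                if f[2] == "role:admin" and name not in ADMIN_FRAGMENTS:
                    findings.append(f"{where}: binds {f[1]} to role:admin")
            else:
                findings.append(f"{where}: malformed line")
                continue  # never emit a line that did not parse
            merged.append(", ".join(f))
    return "\n".join(merged) + "\n", findings

# Fragments taken from the issue's example, plus one constructed fragment
# (zz_team_policy.csv) that a reviewer would want flagged.
SAMPLE = {
    "admin_policy.csv": "g, admin, role:admin\n",
    "foo_policy.csv": (
        "p, role:foo, applications, get, */*, allow\n"
        "p, role:foo, exec, create, applications/foo, allow\n"
        "\n"
        "g, foo, role:foo\n"
    ),
    "zz_team_policy.csv": (
        "p, role:foo, exec, create, applications/bar, allow\n"
        "g, team, role:admin\n"
        "p, role:x, applications\n"
    ),
}

if __name__ == "__main__":
    policy, problems = merge_policies(SAMPLE)
    print(policy)
    print("\n".join(problems))
```

A pipeline would fail the build when `findings` is non-empty and only write the merged text into `argocd-rbac-cm` when it is empty.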
@notfromstatefarm
Contributor

@v1ctorrhs do you want to be able to specify extra ConfigMaps, or just specify extra CSVs within the existing configmap? The latter would be significantly easier.

@notfromstatefarm
Contributor

That actually wasn't as hard as I thought! Implemented in #9976

@crenshaw-dev
Collaborator

crenshaw-dev commented Oct 14, 2022

Closing as a duplicate of #8324

@crenshaw-dev crenshaw-dev closed this as not planned Won't fix, can't repro, duplicate, stale Oct 14, 2022