@v1ctorrhs do you want to be able to specify extra ConfigMaps, or just specify extra CSVs within the existing configmap? The latter would be significantly easier.
Summary
Adding support for multiple argocd-rbac-cm-* configmaps to enable dynamic configuration of rbac permissions.
Motivation
With the introduction of the Web Terminal in UI we would really like to utilise it so our engineers can support escalations faster/easier. Kubectl is not an option, argocd web terminal is a perfect use case for this. With large organisations it's pretty common to use SSO and of course control rbac based on the user groups.
We install argocd using kustomize.yaml and we have a patchesStrategicMerge over the argocd-rbac-cm config map as the install.yaml manifest includes an empty argocd-rbac-cm config map.
So even with the patch the argocd-rbac-cm cm is pretty static. In order to add a new rbac role and group dynamically we have to play around with bash scripts and git commit inside the pipelines.
The following policy is an example of how this could be used. However that doesn't scale for tens/hundreds of applications.
Adding a new configmap on the other hand is pretty easy with helm/kustomize/terraform/...
Proposal
Adding support for multiple csv policy files. This will enable us to create multiple policies using configmaps and mount them in the same directory.
Example
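Added example, not part of the original issue or of Argo CD's code: the pipeline-side merge the issue describes, written so that per-project CSV fragments are combined into one policy.csv while any rule that reaches outside the fragment's own project, or binds a group to a role such as role:admin, is rejected. Assumptions: the names check_line, merge_fragments and FRAGMENTS, the role:<project>-<name> naming convention and the sample rules are constructed for illustration; the rule syntax is Argo CD's "p, subject, resource, action, object, effect" and "g, group, role".

```python
# Added example: merge per-project Argo CD RBAC fragments into one policy.csv.
# Assumes a fragment is named after its AppProject and no name prefixes another.

def check_line(owner, line):
    """Return None if the rule stays inside the owner's scope, else a reason."""
    f = [x.strip() for x in line.split(",")]
    role_prefix = f"role:{owner}-"
    if f[0] == "p" and len(f) == 6:
        _, subject, resource, action, obj, effect = f
        if not subject.startswith(role_prefix):
            return "subject is not a role owned by this fragment"
        if "*" in (resource, action):
            return "wildcard resource or action"
        if not obj.startswith(owner + "/"):
            return "object is outside the fragment's project"
        if effect not in ("allow", "deny"):
            return "unknown effect"
        return None
    if f[0] == "g" and len(f) == 3:
        if not f[2].startswith(role_prefix):
            return "binds a group to a role the fragment does not own"
        return None
    return "not a well-formed p or g rule"

def merge_fragments(fragments):
    """Return (merged policy text, [(owner, line, reason), ...] rejected)."""
    merged, rejected = [], []
    for owner in sorted(fragments):
        for line in map(str.strip, fragments[owner].splitlines()):
            if not line or line.startswith("#"):
                continue
            reason = check_line(owner, line)
            if reason:
                rejected.append((owner, line, reason))
            elif line not in merged:
                merged.append(line)
    return "\n".join(merged) + "\n", rejected

# Constructed sample fragments (not from the issue).
FRAGMENTS = {
    "payments": "p, role:payments-support, exec, create, payments/*, allow\n"
                "g, payments-oncall, role:payments-support\n",
    "search": "p, role:search-support, exec, create, search/*, allow\n"
              "g, search-oncall, role:admin\n"
              "p, role:search-support, applications, get, payments/*, allow\n",
}

if __name__ == "__main__":
    print(*merge_fragments(FRAGMENTS), sep="\n")
```

Failing the pipeline whenever the rejected list is non-empty keeps the ability to add a fragment from turning into the ability to grant arbitrary roles.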