Is your feature request related to a problem? Please describe.
I have argo-cd setup to authenticate my users. They are able to login but are unable to see any admin created applications.
I have attempted to add the rbac policy as documented but no access is granted and users still have zero visibility.
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    g, company.com:[email protected], role:admin
```
Describe the solution you'd like
I would like examples added to the documentation on how to add individual users to admin groups.
Assuming you're using oidc, we update the rbac scope to include email.
Example (values for helm chart):
```yaml
rbac:
  create: true
  policyCsv:
    - g, [email protected], role:admin
  scopes: "[email, group]"
  policyDefault: ""
```
I am using oidcConfig.
My argocd-rbac-cm contains the following:
```yaml
apiVersion: v1
data:
  policy.csv: |
    g, [email protected], role:admin
  scopes: '[email, group]'
kind: ConfigMap
metadata: ...
```
But the user still has no visibility once logged in.
argocd v1.2.3
When templating your exact values above, I get a malformed config map.
```yaml
rbac:
  create: true
  policyCsv:
    - g, [email protected], role:admin
  scopes: "[email, group]"
  policyDefault: ""
```
```yaml
# Source: argocd/charts/argo-cd/templates/argocd-rbac-cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  labels:
    app.kubernetes.io/name: argo-cd
    helm.sh/chart: argo-cd-0.5.4
    app.kubernetes.io/instance: argocd
    app.kubernetes.io/managed-by: Tiller
    app.kubernetes.io/part-of: argocd
data:
  policy.csv: - g, [email protected], role:admin
  scopes: [email, group]
```
Note the list attempt in the csv. Maybe this is a bug?
@jl431, ah, we use a custom helm chart. For the one provided by argo-cd, the policy.csv should be a string:
```yaml
policy.csv: |
  g, [email protected], role:admin
```
@jl431 try looking in the argocd dex container logs to see what the usernames coming in from your SSO server look like:
```
argocd-dex-server-7f468b9dd7-mm8ql dex {"connector":"Okta","level":"info","msg":"parsed and verified saml response attributes \"email\" = \"[email protected]\", \"group\" = \"eng-inerding\"","time":"2019-10-11T23:51:26Z"}
argocd-dex-server-7f468b9dd7-mm8ql dex {"level":"info","msg":"login successful: connector \"okta\", username=\"stgarf\", email=\"[email protected]\", groups=[\"eng-inerding\"]","time":"2019-10-11T23:51:26Z"}
```
and also changes #2503 for the RBAC docs might help you here once they're merged.
@jl431 It is working when we add a single email. How do we add multiple email ids as a group?
I tried it like this but it didn't work:
```yaml
policy.csv: |
  g, [[email protected], [email protected]], role:admin
policy.default: role:readonly
scopes: '[email]'
```
@Beer786 I also couldn't get it working via groups. My users are added individually, which isn't ideal.
I'm also trying to configure SSO and RBAC using Okta as IDP, but I could not get it working using Okta group :(
The documentation is not clear enough regarding the RBAC configuration with certain IDP providers (Google, Okta...)
We got SAML working with Okta with groups. Leaving it here as an offering to those struggling with this issue, since I found this trail useful.
```shell
kubectl edit cm argocd-rbac-cm -n argocd
```
```yaml
---
apiVersion: v1
data:
  policy.csv: |
    p, role:org-admin, applications, *, */*, allow
    p, role:org-admin, applications, *, *, allow
    p, role:org-admin, clusters, get, *, allow
    p, role:org-admin, repositories, get, *, allow
    p, role:org-admin, repositories, create, *, allow
    p, role:org-admin, repositories, update, *, allow
    p, role:org-admin, repositories, delete, *, allow
    g, <<org name in okta>>:argocd-dev, role:org-admin
  policy.default: role:readonly
kind: ConfigMap
metadata:
  creationTimestamp: "2020-04-01T14:35:46Z"
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/instance: argocd
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
    helm.sh/chart: argo-cd-2.0.3
  name: argocd-rbac-cm
  namespace: argocd
  resourceVersion: "883786"
  selfLink: /api/v1/namespaces/argocd/configmaps/argocd-rbac-cm
  uid: 12c20412-7426-11ea-8aed-42010a8e0076
```
We had to base64 encode the entire certificate in the caData field to get the config map to work which took a bit of time to figure out as well.
Hope it helps someone, lots of gotchas here.
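As an added example (not code from this thread or from Argo CD itself), here is a small Python model of what the posts above describe: the claims named in `scopes` become the subjects that `g` lines are matched against, each `g` line binds exactly one subject, and `p` rules match resource, action and object by glob. Claim names, email addresses and the `example-org:argocd-dev` group are constructed; the matcher (fnmatch globs, direct role bindings only, no built-in roles or `policy.default` fallback) is a deliberate simplification of Argo CD's Casbin model.

```python
from fnmatch import fnmatchcase

def parse_policy_csv(csv_text):
    """Return (p_rules, g_rules); a valid g line binds exactly ONE subject to a role."""
    p_rules, g_rules = [], []
    for raw in csv_text.splitlines():
        fields = [f.strip() for f in raw.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            p_rules.append(tuple(fields[1:]))       # (sub, res, act, obj, eft)
        elif fields[0] == "g" and len(fields) == 3:
            g_rules.append((fields[1], fields[2]))  # (subject, role)
    return p_rules, g_rules

def subjects_for(claims, scopes):
    """Subjects are the 'sub' claim plus every claim named in scopes (lists expand)."""
    subjects = set()
    for name in ["sub", *scopes]:
        value = claims.get(name)
        if value is not None:
            subjects.update(value if isinstance(value, list) else [value])
    return subjects

def enforce(policy_csv, scopes, claims, resource, action, obj):
    """Casbin-style decision: allowed iff a matching rule allows and none denies."""
    p_rules, g_rules = parse_policy_csv(policy_csv)
    subjects = subjects_for(claims, scopes)
    roles = subjects | {role for sub, role in g_rules if sub in subjects}  # direct bindings only
    effects = {eft for sub, res, act, o, eft in p_rules
               if sub in roles and fnmatchcase(resource, res)
               and fnmatchcase(action, act) and fnmatchcase(obj, o)}
    return "allow" in effects and "deny" not in effects

# Constructed sample: the thread's SAML/Okta layout plus the malformed list-style g line.
POLICY_CSV = """\
p, role:org-admin, applications, *, */*, allow
g, alice@example.com, role:org-admin
g, example-org:argocd-dev, role:org-admin
g, [bob@example.com, carol@example.com], role:org-admin
"""

def demo():
    """Same policy, three logins; only the scopes/claim wiring differs."""
    alice = {"sub": "alice", "email": "alice@example.com", "group": ["example-org:argocd-dev"]}
    bob = {"sub": "bob", "email": "bob@example.com"}
    def can_get_app(scopes, claims):
        return enforce(POLICY_CSV, scopes, claims, "applications", "get", "default/guestbook")
    return {
        "email_scope": can_get_app(["email", "group"], alice),  # True: email claim is a subject
        "default_scopes": can_get_app(["groups"], alice),      # False: attribute is 'group', not 'groups'
        "list_in_g_line": can_get_app(["email"], bob),         # False: '[a, b]' is not a 3-field g line
    }
```

Compare the dex log lines earlier in the thread with the `scopes` value: if the attribute name dex reports is not listed there, the `g` line never matches, which is exactly the "logged in but sees nothing" symptom.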
@jl431 @nhuray @saranicole
I went through the same trials and tribulations as you all seem to have (only it was about 8 months ago) and so I wrote some documentation for it... (long and short, try to use SAML if possible -- unless you're paying Okta extra $$ you can't get OIDC).
I'm curious if you guys found the documentation lacking in setting up Okta with Argo CD? If there are some gotchas or missed spots in the docs, please submit a PR; it'd be greatly appreciated :) Thanks!
@stgarf thanks for the doc and the inspiration! I opened issue https://github.com/argoproj/argo-cd/issues/3352 and PR https://github.com/argoproj/argo-cd/pull/3351, as well as issue https://github.com/argoproj/argo-cd/issues/3354 for a lingering question on the redirectURI.
💖 thanks!
@saranicole so glad I found this post. I was pulling my hair out over why my cert isn't working when I enabled Okta integration. I didn't know you have to base64 encode the cert from Okta :)
For anyone NOT using SSO and using local user accounts, the argocd-rbac-cm should be as follows:
```yaml
data:
  policy.default: role:readonly
  policy.csv: |
    p, alice, applications, *, */*, allow
  scopes: '[accounts]'
```
The mention of scopes in this thread helped! I could not find it documented in the RBAC configuration docs for local users.
Thank you!
I ran into an issue with the above where specifying policy.default: role:readonly took precedence over what I had defined in policy.csv (note: I didn't apply scopes).
@johnkost then what's the fix?
I removed policy.default. I wasn't able to find any other workarounds
@wojtek-viirtue did you find a solution since August?
The following solution works:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    p, alice, applications, *, *, allow
    p, alice, clusters, *, *, allow
    p, alice, repositories, get, *, allow
    p, alice, repositories, create, *, allow
    p, alice, repositories, update, *, allow
    p, alice, repositories, delete, *, allow
```