Argo: RBAC authorization for non-admins

Created on 9 Feb 2018 · 4 Comments · Source: argoproj/argo

What happened:
I'm having issues with RBAC. Granting the same access to my developers group, I can only execute argo commands if using an admin account. Using a developer account, I have this problem:

    argo submit --serviceaccount argo --namespace argo https://raw.githubusercontent.com/argoproj/argo/master/examples/artifact-passing.yaml

    2018/02/08 15:47:05 Workflow manifest https://raw.githubusercontent.com/argoproj/argo/master/examples/artifact-passing.yaml failed submission: workflows.argoproj.io is forbidden: User "developers-staging" cannot create workflows.argoproj.io in the namespace "argo"

Couldn't find what kind of permissions I need to grant to my developers group. They can create/patch/update/get pods on the argo namespace. Tried a bunch of different rules and still the same issue.

What you expected to happen:
This is what happens when I run the same command using an admin account.

    argo submit --serviceaccount argo --namespace argo https://raw.githubusercontent.com/argoproj/argo/master/examples/artifact-passing.yaml
    Name: artifact-passing-4qx6v
    Namespace: argo
    ServiceAccount: argo
    Status: Pending
    Created: Thu Feb 08 15:51:55 -0800 (now)

How to reproduce it (as minimally and precisely as possible):
I created a separate namespace called argo and service account argo, as I didn't want to grant too many permissions to default.
Everything works fine when I run commands as an administrator, but if I change my kubectl context to developers, no matter what permissions I grant, it still can't submit.

Environment:

  • Argo version:
    argo: v2.0.0
    BuildDate: 2018-02-06T21:39:43Z
    GitCommit: 0978b9c61cb7435d31ef8d252b80e03708a70adc
    GitTreeState: clean
    GitTag: v2.0.0
    GoVersion: go1.9.1
    Compiler: gc
    Platform: linux/amd64
  • Kubernetes version :
    gitVersion: v1.8.4
    goVersion: go1.8.3

All 4 comments

CRD permissions are no different from those of regular Kubernetes resources, and you will need to edit the RBAC rules for that role binding appropriately to create/delete/update/patch/etc. resources of type workflows.argoproj.io.

Here is the example policy rule in go that the controller uses:

    ArgoControllerPolicyRules = []rbacv1.PolicyRule{
        // ...
        {
            APIGroups: []string{"argoproj.io"},
            Resources: []string{"workflows"},
            Verbs:     []string{"get", "list", "watch", "update", "patch"},
        },
    }

That was it. Perfectly

    - apiGroups: ["argoproj.io"]
      resources: ["workflows"]
      verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

Just added it to my role and it works now. I spent hours researching it and didn't see or notice how I could use it. Thank you so much @jessesuen

This helped me, too, thanks @nelsonfassis @jessesuen!
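
Added example, not code from the issue thread or the Argo project: a minimal model of how RBAC matches a request against policy rules, showing why pod permissions and the controller rule quoted above both fail to authorize `create` on `workflows.argoproj.io`, while the rule the reporter added passes. `PolicyRule` is a local stand-in for `rbacv1.PolicyRule`; `has`, `Allowed` and the three rule sets are hypothetical names, and resource names and non-resource URLs are not modelled.

```go
package main

import "fmt"

// PolicyRule is a local stand-in with the three rbacv1.PolicyRule fields shown
// in the thread (assumption: ResourceNames and NonResourceURLs are ignored).
type PolicyRule struct {
	APIGroups, Resources, Verbs []string
}

// has reports whether list contains want or the RBAC wildcard "*".
func has(list []string, want string) bool {
	for _, v := range list {
		if v == want || v == "*" {
			return true
		}
	}
	return false
}

// Allowed mirrors RBAC's additive model: a request is permitted only if one
// rule matches its API group, resource and verb all at once. No match = deny.
func Allowed(rules []PolicyRule, group, resource, verb string) bool {
	for _, r := range rules {
		if has(r.APIGroups, group) && has(r.Resources, resource) && has(r.Verbs, verb) {
			return true
		}
	}
	return false
}

// Constructed rule sets modelled on the thread.
var (
	// Pod access in the core ("") API group, as the reporter described.
	PodsOnly = []PolicyRule{{[]string{""}, []string{"pods"}, []string{"create", "patch", "update", "get"}}}
	// The controller rule quoted in the first comment; it has no "create" verb.
	ControllerRule = []PolicyRule{{[]string{"argoproj.io"}, []string{"workflows"},
		[]string{"get", "list", "watch", "update", "patch"}}}
	// The rule the reporter added to the developers role.
	DeveloperRule = []PolicyRule{{[]string{"argoproj.io"}, []string{"workflows"},
		[]string{"get", "list", "watch", "create", "update", "patch", "delete"}}}
)

func main() {
	for name, rules := range map[string][]PolicyRule{"pods-only": PodsOnly, "controller": ControllerRule, "developer": DeveloperRule} {
		fmt.Printf("%-10s create workflows.argoproj.io: %v\n", name, Allowed(rules, "argoproj.io", "workflows", "create"))
	}
}
```

On a live cluster, `kubectl auth can-i create workflows.argoproj.io --namespace argo --as developers-staging` asks the API server the same question for the user named in the error message.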
