Argo: Argo Workflow UI - Authentication and Authorization Feature

Created on 3 Dec 2019 · 28 Comments · Source: argoproj/argo

We are in process of positioning ArgoCD for Kubernetes/OpenShift deployments and Argo Workflow for Terraform/Ansible based deployments.

ArgoCD has good enough Authentication/Authorization features. But Argo Workflow UI has no such features (as per my knowledge).

Surprisingly, I couldn't find any feature request for this. Are we planning to implement such features for Argo Workflow?

In big companies, different teams manage their own deployments and we want the teams to have visibility on their own workflows.

enhancement


All 28 comments

To the best of my knowledge, Workflows does not have any RBAC Auth features. We rely on Kubernetes' RBAC support to provide them. Don't take this for granted, but I don't think adding our own RBAC support is in our roadmap.

What would you think of each team having their own controller (i.e. instance of Argo)?

> What would you think of each team having their own controller (i.e. instance of Argo)?

That's what we do. We leverage namespaced Argo installations.

We would also love similar OIDC functionality as ArgoCD for Argo Workflows UI. Our reason for this is that we're running an ETL process which may pass sensitive data via artifacts. Currently the UI exposes these files from the underlying S3 storage to anyone on the network. If the UI were at least behind OIDC similar to ArgoCD then this would be much less of an issue.

Please, if you have any thoughts on this do let me know.

We've worked around this problem by having a single Argo Workflow controller instance that can execute workflows in any namespace and deploying multiple ArgoUI instances in separate instances. The UI is fronted by github.com/pusher/oauth2_proxy to auth requests.

In version v2.4 you could front the Argo UI with your own ingress and configure permission in that.

In version v2.5 we'll plan to remove Argo UI. Instead, the new Argo Server can be run on your local machine and gets permissions from your KUBECONFIG, so you can only access what your config allows you to.

Alex

> In version v2.4 you could front the Argo UI with your own ingress and configure permission in that.
>
> In version v2.5 we'll plan to remove Argo UI. Instead, the new Argo Server can be run on your local machine and gets permissions from your KUBECONFIG, so you can only access what your config allows you to.
>
> Alex

@alexec Is it a certainty that the Argo Workflow UI will be sunsetted come v2.5? Is the intent to have end users' primary interface to workflows be through the Argo CLI?

Now that Argo Workflows has a new and updated UI, I wonder if this issue could be revisited? It would still be very useful to have better control of who can access the UI (especially for folks in less tech orientated roles who might not even know what a KUBECONFIG is!)

@alexec

Hi, we are rolling out ArgoCD with Okta integration and we are looking at Argo Workflow for some use cases. I wonder, why wasn't the codebase from the ArgoCD project reused to allow the same sort of mechanisms? There's no way we can sell Argo Workflow without auth per user. This will be used by different teams with different degrees of knowledge.

I would like to prepare an Argo environment as a workflow engine that manages the tasks which our machine learning engineers require.
I should not force such non-infra engineers to learn Kubernetes because they should concentrate on their own tasks. To achieve this, we need some common authentication like the things implemented in Argo CD.
Is this an outlier requirement?

Can Workflows UI just be unified in some way with Argo CD UI? It just doesn't make sense to have two different UIs and two different sets of Deployments/Services of Argo Server deployed in the same cluster if both Workflows and CD are used.

We are very much interested in this feature. We are planning to use Argo for an ETL orchestration process and we want the prod support resources to use the centralized Argo server for monitoring and submitting workflows, so we want to limit the users' access and also track the users' UI actions. We have implemented SSO integration for most of our applications and we would want to do the same for Argo server as well. Any plans for this feature in the roadmap?

Added a thumbsup to this as well ... a Dex implementation with RBAC similar to ArgoCD (and/or integrated with ArgoCD) would be a perfect add-on.

@logicfox you mention using oauth-proxy. How do you secure your UI? Do you have CLI users?

@alexec With the SSO changes, how will the API be secured? I was attempting to use client mode, which secures the API fine; however, we run the UI as a deployment behind oauth2-proxy and in my testing it appears that using the bearer token to log in to the UI was not working at all.

Just curious how SSO mode will handle the mix of UI and API authentication needs.

> @logicfox you mention using oauth-proxy. How do you secure your UI? Do you have CLI users?

@alexec argo-server is proxied behind an authentication sidecar that listens on 3000. The service also exposes the usual port 2746. The authenticated UI endpoint is exposed through an ingress.

Users who need CLI access have access to the cluster. They port-forward the argo-server service and access it with the Argo CLI. We typically deploy the workflows through CI, so users don't typically need cluster access.
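The sidecar arrangement described in the comment above, sketched as a manifest. This is an added example, not the commenter's actual configuration or the project's own; the names, namespace, hosts, OIDC provider and image tags are assumptions, and it assumes argo-server serves plain HTTP on 2746.

```yaml
# Added example: every name, host and tag below is an assumption or placeholder.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argo-server
  namespace: argo
spec:
  selector:
    matchLabels: {app: argo-server}
  template:
    metadata:
      labels: {app: argo-server}
    spec:
      serviceAccountName: argo-server
      containers:
        - name: argo-server
          image: argoproj/argocli:<version>             # placeholder tag
          args: [server]
          ports:
            - {name: web, containerPort: 2746}
        - name: oauth2-proxy                            # authentication sidecar
          image: quay.io/pusher/oauth2_proxy:<version>  # placeholder tag
          args:
            - --http-address=0.0.0.0:3000               # port the Ingress targets
            - --upstream=http://127.0.0.1:2746          # argo-server, same pod
            - --provider=oidc
            - --oidc-issuer-url=https://idp.example.com
            - --email-domain=example.com
          envFrom:
            # Secret holds OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET
            # and OAUTH2_PROXY_COOKIE_SECRET
            - secretRef: {name: oauth2-proxy}
          ports:
            - {name: authed, containerPort: 3000}
---
apiVersion: v1
kind: Service
metadata:
  name: argo-server
  namespace: argo
spec:
  selector: {app: argo-server}
  ports:
    - {name: authed, port: 3000, targetPort: authed}  # only port the Ingress backend references
    - {name: web, port: 2746, targetPort: web}        # port-forward target for CLI users
```

Traffic to port 2746 never passes through the proxy, so anything in the cluster that can reach the Service on that port is subject only to argo-server's own `--auth-mode`; a NetworkPolicy limiting ingress to that port closes the gap.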

SSO done. RBAC still to do.

Nice work implementing this!

I have a question: is it possible to have support for reading the client ID from a k8s secret, just like the client secret? This will make it easier to provide that value externally, via facilities like external secrets, which in turn makes rotating secrets much easier. If that is acceptable I will be happy to PR the change.

Please submit a PR?

@alexec Any possibility of supporting SAML authentication for argo server(workflow) UI in future?

> @alexec Any possibility of supporting SAML authentication for argo server(workflow) UI in future?

Could you use Dex to bridge the gap?

Hi @alexec, I do see Dex usage for the SAML 2.0 implementation similar to what's mentioned here for the Argo CD UI: https://argoproj.github.io/argo-cd/operator-manual/user-management/okta/. How would Okta SAML work with Dex with respect to the Argo Workflow UI? I don't see any relevant config to enter in the workflow configmap. Can you provide some references with an example, if possible?

I think you must configure DEX to connect to your SAML provider, and then configure Argo to connect to DEX.
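The two-step wiring suggested in the reply above, as an added configuration sketch that is not from the thread or the Argo project: Dex acts as the SAML service provider towards the IdP, and Argo Server is an OIDC client of Dex. All hostnames, secret names and the client ID are assumptions, and the Okta URL is a placeholder.

```yaml
# Dex config.yaml (fragment): SAML connector towards Okta, OIDC client for Argo.
issuer: https://dex.example.com              # assumed Dex URL
connectors:
  - type: saml
    id: okta
    name: Okta
    config:
      ssoURL: https://<okta-org>/app/<app-id>/sso/saml  # placeholder, from the Okta app
      ca: /etc/dex/saml/okta.pem             # IdP signing cert; leave signature validation on
      redirectURI: https://dex.example.com/callback
      usernameAttr: email
      emailAttr: email
      groupsAttr: groups
staticClients:
  - id: argo-workflows                       # assumed client ID
    name: Argo Workflows
    redirectURIs:
      - https://argo.example.com/oauth2/callback
    secretEnv: ARGO_WORKFLOWS_CLIENT_SECRET  # read from the environment, not inlined
---
# workflow-controller-configmap (fragment): Argo Server trusts Dex as its issuer.
# argo-server must also be started with --auth-mode sso.
apiVersion: v1
kind: ConfigMap
metadata:
  name: workflow-controller-configmap
  namespace: argo
data:
  config: |
    sso:
      issuer: https://dex.example.com        # must match the Dex issuer exactly
      clientId:                              # key in a Kubernetes Secret
        name: argo-server-sso
        key: client-id
      clientSecret:
        name: argo-server-sso
        key: client-secret
      redirectUrl: https://argo.example.com/oauth2/callback
```

The `redirectUrl` in the Argo config has to appear verbatim in the Dex client's `redirectURIs`, otherwise Dex rejects the login.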

Update on this issue.

This is the most popular enhancement issue in Argo Workflows at the moment (by number of 👍). It combines two enhancements, SSO and RBAC, the first of which has been delivered.

SSO was an orthogonal enhancement, by which I mean it is independent of existing code, and therefore had low impact. So far we have had only one small bug with it, which was fixed with a single line of code.

Because this ticket combines both SSO and RBAC - it is not possible to determine how popular RBAC is, and therefore how we should implement.

If you need RBAC:

  • Vote for issue #3525
  • Comment on how you would like it to work - please be detailed!

I've locked this issue to force you to comment on the RBAC issue.

Closing in favour of #3525.
