3

I'm trying to understand the concept of RBAC in ArgoCD and I have some questions, please. According to this doc and this doc, I found out that we could configure RBAC rules either with a ConfigMap (argocd-rbac-cm) or directly in an AppProject. What I don't understand is: what are the differences between these two options? Like, in what scenario would we use one over the other? Because when I do it like this, for example:

# First Setup
# ConfigMap argocd-rbac-cm.yaml
...
policy.csv: |
    p, role:test-role, applications, *, appproject-1/*, allow
    g, nxh6991@gmail.com, role:test-role
scopes: ['email', 'group']

--------------------------------------
# Second setup
# AppProject
kind: AppProject
metadata:
  name: appproject-1
...
spec:
  roles:
    - name: test-role
      policies:
      - p, role:test-role, applications, *, appproject-1/*, allow
      - g, nxh6991@gmail.com, role:test-role

I see there are no differences here, but the first one works and the second one doesn't. Meaning that with the first setup, nxh6991@gmail.com can access any resources in AppProject appproject-1 and can do anything (create, sync, etc.), but the second setup gives nxh6991@gmail.com nothing. I do think something is happening behind the scenes here, but I couldn't figure it out by myself. Could you guys please point this out to me, if possible?

In fact, I use the email nxh6991@gmail.com as my example because I'm trying to set up ArgoCD using SSO with Google. So my second question is: for now, my SSO works just fine (meaning people can access the Argo Web UI using their own Google Account) and I want to use RBAC to restrict access to Argo CD resources. In more detail, I just want members of each team (like team-dev, team-test, etc.) to be able to access only their own predefined AppProject, not the others. So, what would the best practice be in this case, please? I mean, should I use RBAC with the ConfigMap or the AppProject? Or is there another solution?

Thank you guys !!!

nxh6991
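An added example, not part of the question above and not taken from the Argo CD docs: the shape a project-scoped role has to have for Argo CD to accept it. Argo CD's API server validates `spec.roles[].policies` whenever a project is created or updated through it: every entry must be a `p` line, its subject must be exactly `proj:<project>:<role>` (not `role:<name>`), and its object must sit under `<project>/`. Subjects are not bound with `g` lines inside `policies`; they go in the role's `groups` list, and Argo CD generates the corresponding `g, <entry>, proj:<project>:<role>` binding itself. Each `groups` entry is matched against the token claims named in the ConfigMap's `scopes`, so with `email` in scope an address works, though an IdP group is the usual choice. The project name, role name and email are the ones from the question; the group `team-dev` and the `description` text are assumptions, and the rest of the project spec is omitted as in the question.

```yaml
# Added example (not from the question): the "Second setup" rewritten the way
# Argo CD's API server validates a project role.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: appproject-1
  namespace: argocd
spec:
  roles:
    - name: test-role
      description: Full control over applications in appproject-1  # assumed text
      policies:
        # Subject must be proj:<project>:<role>, matching this project and
        # this role name; object must be scoped to appproject-1/...
        # Only "p" lines are accepted here; a "g" line is rejected.
        - p, proj:appproject-1:test-role, applications, *, appproject-1/*, allow
      # Subjects are bound here, not with "g" lines. Entries are matched
      # against the claims listed in argocd-rbac-cm "scopes"; with email in
      # scopes a single address works, an OIDC group is the normal case.
      groups:
        - nxh6991@gmail.com
        - team-dev   # assumption: a group name your IdP puts in the groups claim
```

If you apply the project through the Argo CD API (CLI or UI) and get the subject or object wrong, the request is refused with a validation error naming the expected `proj:appproject-1:test-role` subject; a `g` line inside `policies` fails the same validation because it does not have the six-field `p` form.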

1 Answer

0

First Question: Not sure you can assign users in the AppProject the way you have above. I have only seen examples for policies and group assignments, not individual user assignments - https://argo-cd.readthedocs.io/en/stable/user-guide/projects/#configuring-rbac-with-projects. You may want to lean into groups (it's better this way anyway because you don't want to manage identities if you don't have to).

Second Question: I manage RBAC for over 300 engineers in a microservice architecture; we have around 20 projects as well. I leverage the ConfigMap so I have control over access (until our Okta group strategy develops further). Since we manage our Argo declaratively, I have users add their email addresses to the RBAC ConfigMap under the correct project; this then goes through a pull request process where I (or someone on my team) confirms the changes. I think managing identity is super important... so I prefer to have the godlike powers to approve/deny folks.

Also, this is a great presentation from a core contributor (Michael Crenshaw) around protecting ArgoCD - https://www.youtube.com/watch?v=bRNMI29F2fI. Highly recommended!

LostJon
  • Hi @LostJon, thank you for your answer. For my second question, I do understand now, and thanks for the YouTube video recommendation. For my first question, I've read a lot about the concept of a "group" in ArgoCD. And to be honest, I don't understand how I could create a "group" or how I could add a user email (for example) to a "group". Did I misunderstand something, please? Thank you so much – nxh6991 Nov 22 '22 at 14:46
  • I believe the `groups` is for your SSO groups. Since you define `scopes: [email,group]` within your SSO config, you can assign that to your app project. "I believe" this is the meaning of groups – LostJon Nov 22 '22 at 15:22
  • just confirming that my above assumption is true - https://argo-cd.readthedocs.io/en/stable/user-guide/projects/#projects. `defining project roles to provide application RBAC (bound to OIDC groups and/or JWT tokens)` – LostJon Nov 22 '22 at 15:25
  • Notice the `spec.roles[0].name` == `test-role` which matches/conflicts the name in `role:test-role` under the policy. try changing the name of one of them so they don't conflict. – Sam Lee May 25 '23 at 04:01
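An added example, not from the thread above and not Argo CD's own sample config, of the team-per-project model the second question asks about, done in the global argocd-rbac-cm the way the answer recommends. Each team gets one role, bound to one IdP group and allowed only inside one AppProject, and `policy.default` is set to the empty role so that a Google login that matches no `g` line can sign in but sees nothing (the Argo CD default is `role:readonly`, which would show every application to every authenticated user). The team and project names (`team-dev`, `team-test`) and the group names are assumptions; `scopes` uses `groups`, which is the claim name Argo CD documents for OIDC group membership (the question's config says `group`), and `email` is kept so a single user can be bound by address as the answer describes.

```yaml
# Added example (not from the question or answer): one role per team, each
# confined to its own AppProject. Team, project and group names are assumed.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  # No default role: an authenticated user who is in none of the groups
  # below gets no projects and no applications instead of read-only on all.
  policy.default: role:''
  # Token claims that may appear as the subject of a "g" line.
  scopes: '[groups, email]'
  policy.csv: |
    # team-dev: full application control, but only inside project team-dev,
    # plus permission to read the project object so it shows up in the UI.
    p, role:team-dev, applications, *, team-dev/*, allow
    p, role:team-dev, projects, get, team-dev, allow

    # team-test: same shape, different project. The object pattern is what
    # keeps each team out of the other team's project.
    p, role:team-test, applications, *, team-test/*, allow
    p, role:team-test, projects, get, team-test, allow

    # Bind IdP groups (from the "groups" claim) to the roles. The role name
    # here must match the "p" lines exactly; a "g" line that points at a role
    # with no "p" lines grants nothing and fails silently.
    g, team-dev, role:team-dev
    g, team-test, role:team-test

    # One-off binding of a single user via the "email" claim, reviewed in a
    # pull request as the answer describes.
    g, nxh6991@gmail.com, role:team-dev
```

Two checks are worth running before applying this: `argocd admin settings rbac validate --policy-file argocd-rbac-cm.yaml` catches malformed lines, and `argocd admin settings rbac can team-dev sync applications team-test/guestbook --policy-file argocd-rbac-cm.yaml` (the application name is made up) should be denied, while the same query against `team-dev/guestbook` should be allowed. The same role-name matching applies to project roles in an AppProject, where the subject is `proj:<project>:<role>` rather than `role:<name>`.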