Back to ArgoCD, we have seen some important topics about GitOps and ArgoCD or related to that. Now let’s move to further and check other important feature which we should use to make the tool more standard for all the teams. In this post, let’s see how to manage the ArgoCD RBAC configuration with some examples.
In this we are going to check how to manage the RBAC or handle the use using CLI and configMap.
What Is Role-Based Access Control?
Role-based access control is control over user groups and access to resources based on a defined role.
According to the National Institute of Science and Technology (NIST), “rudimentary forms of role-based access control were implemented in a variety of ad hoc forms on many systems beginning in the 1970s.” However, a formal model wasn’t proposed until 1992. Ferrailo and Kuhn published a paper that proposed an alternative to the traditional models of Mandatory Access Control (MAC) and Discretionary Access Control (DAC). RBAC defined three basic requirements for access control:
- Role Assignment: subjects are assigned roles and only allowed transactions if allowed by the defined user-role.
- Role Authorization: subjects only use roles for which they are authorized.
- Transaction Authorization: subjects only execute transactions authorized by that subject’s role memberships.
A role is a collection of permissions. This allows organizations to grant appropriate permissions to employees or contractors, and ensure privileges and permissions keep to a role hierarchy.
Why Should Care About RBAC?
RBAC helps systems, businesses to protect their data and key processes through company-set rules and roles. Additionally, RBAC gives administrators increased visibility across various cloud tooling and IT systems. In addition, For DevOps teams, in particular, this is important as many teams exist and require varying amounts of control over specific workloads or groups of resources.
Prerequisites:
- Azure Kubernetes Service up and running, if you don’t have one, please follow the steps with terraform to create it. How to create Azure Kubernetes Service using Terraform — FoxuTech
- Kubectl installed in the VM or machine you are going to manage the AKS.
- Have a kubeconfig file (default location is ~/.kube/config).
- Argo CD setup. If not, available you can refer Setup ArgoCD on Azure Kubernetes Services — FoxuTech
- Install ArgoCD CLI also from Setup ArgoCD on Azure Kubernetes Services — FoxuTech.
Login to ArgoCD using CLI
Before we start, lets login to ArgoCD and check current user, via CLI and UI.
Via CLI:
# argocd login <your Argocd hostname/IP> --username adminvia UI: for this login to Argo CD in your browser and go to settings and Accounts. You could see the users.
Check the list of users on argoCD using,
# argocd account listCreate a new user from ConfigMap
As we seen, we don’t have many users in our system, now let’s extend to create new users from different teams, so we can distribute the tool with different teams and limited permissions. We are going to edit the ConfigMap directly in this example, if you templatized your Argo CD deployment, you can create a confirMap file.
# kubectl edit configmap argocd-cm -n argocdplease change the namespace “agrocd” with your own namespace name.
Add the data as following to the ConfigMap:
data:
accounts.<your-username>: apiKey, loginThis will add a new username and allow them to process an API key as well as login via the Command Line Interface and Graphical User Interface.
Apply the changes by running:
# kubectl apply -f argocd-cm.ymlRead more How to Manage ArgoCD RBAC configuration — FoxuTech
If you like this post BuyMeACoffee: https://www.buymeacoffee.com/foxutech
