Argo CD RBAC & Projects

⏱️ Estimated Time: 5 Minutes

👨‍💻 Role: Cluster Administrator and/or Developers

Argo CD has a default project configured out of the box. You’ve been creating your Applications in this Project to manage the cluster-scoped resources you’ve created so far, but separate projects are recommended if you want to create structured teams and environments, and enforce RBAC for Argo CD users.

In this module you’ll learn how to manage user groups in OpenShift, and how to manage projects and RBAC in Argo CD.

Login to Argo CD as a Non-Admin User

So far you’ve been using the Argo CD admin user to interact with Argo CD. Try using logging in via OAuth as the foo user instead:

Open a private browsing session.

You can start a private browser session using File > New Incognito Window or File > New Private Window. It will vary depending on your web browser of choice. You could also use a different browser, i.e if you’ve been using Chrome so far, use Firefox to login as the foo user.

Login to the OpenShift Web Console by following these steps:
- Select the standard-users identity provider.
- Enter the username: foo.
- Enter the password: foopassword.
- Click the Log in button.
Expand the Application Launcher icon (3x3 sqaure) in the top-right of the OpenShift Web Console.
Click the Cluster Argo CD link. This will open a new browser tab.
Accept the self-signed certificate warning if one appears. The login page will now appear.
Click the Log in via OpenShift button.
Login using the same standard-users identity provider, the foo username, and the foopassword password you used previously when prompted.
Click the Allow selected permissions button when prompted.

You should now be logged into the Argo CD dashboard as the foo user.

Observing RBAC in Argo CD

Now that you’ve logged into Argo CD as the non-admin foo user, try to synchronise an Application:

Click the Sync button on the console-customisations Application.
Click the Synchronize button in the overlay that appears.

A permission denied error should appear in the bottom right corner of the screen. The text might be truncated, but it will look similar to this:

Unable to deploy revision: permission denied: applications, sync, default/console-customisations

This error means that the current user does not have permission to perform the sync action on the console-customisations Application in the default Project.

Try using the X button on any of the Application tiles to delete them. A similar error will be returned, but instead it refers to the delete action:

Unable to delete application: permission denied: applications, delete, default/console-customisations

In short, the foo user was automatically granted a readonly role. You can confirm this by using the OpenShift Web Terminal (in your other browser session as the opentlc-mgr user) to view the Argo CD RBAC configuration/policies defined in the argocd-rbac-cm ConfigMap:

oc get cm argocd-rbac-cm -o yaml -n openshift-gitops

Notice that the default policy is specified as policy.default: role:readonly in the ConfigMap.

Next Steps

Now that you’ve seen that Argo CD enforces RBAC, you’ll need to create new Projects and grant OpenShift users access to them. This involves associating users in specific Groups with policies defined in the Argo CD Project.

As you might have guessed, this requires defining some more YAML resources, and will be managed with another Argo CD application. You might be starting to think that it’s tedious to set up each Application one-by-one. In the next section you’ll learn how to use the App of Apps Pattern to bootstrap your cluster with all of your Applications.

Summary

In this section you learned that Argo CD enforces RBAC for Projects. This might seem trivial, but it’s an important step in understanding how to manage your cluster and application resources.

In the next section you’ll use the App of Apps Pattern to setup RBAC and Projects. This will enable your developers to leverage Argo CD to continuously deliver their applications!