Verifying & Understanding the AppProject and RBAC Rules

⏱️ Estimated Time: 5 Minutes

👨‍💻 Role: Cluster Administrator and/or Developers

Explore your new Applications and Project with Custom RBAC

Before moving on and seeing the effects of the newly synced Application resources, review the group.developers.yaml and group.operations.yaml files. These are simple Group CRs that define a list of Users that are part of the named Group.

You could add more users to the users list in either of these resources if you wanted to in the future. For the purposes of this workshop we need only small groups. Realistically, you’d probably add multiple users to a group.

View these synchronised files in Argo CD:

  1. Log in to the Argo CD dashboard as the admin user.

  2. Select the rbac application.

  3. Click the application-dev resource in the tree view. An overlay will appear.

  4. Select the Desired Manifest tab in the overlay.

This Group CR corresponds to the group.developers.yaml file, and creates a group named application-dev that contains a single user named foo. The application-ops Group contains the bar user.

Next, take a look at the argo-projects Application:

  1. Log in to the Argo CD dashboard as the admin user.

  2. Select the argo-projects application.

  3. Click the project-memes resource in the tree view. An overlay will appear.

  4. Select the Desired Manifest tab in the overlay.

This file is synchronised from the argocd-projects/app-project.memes.yaml file in your Git repository. It’s important, and contains various comments explaining what it does! The main thing to take away is that it:

  • Creates an AppProject, i.e. a Project in Argo CD.

  • Supports multiple destinations (target clusters and namespaces), though there’s only one defined in this example; the local cluster into which it has been applied.

  • Limits the target Namespaces to project-memes-dev and project-memes-prod, and does not whitelist any cluster-scoped resources. This is important; we want to restrict this Project to managing only resources in the defined Namespaces and not at the cluster-level!

  • Defines two roles: memes-development and memes-operations. Users in the application-dev and application-ops Groups created previously are associated with these, respectively. Effectively you’re creating a mapping between Argo CD policies and Groups of OpenShift users.

  • Defines independent RBAC policies for the memes-development and memes-operations roles.
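
The scoping properties in the list above can also be checked mechanically. The following Python is an added example, not part of the workshop or its repository: it audits a constructed AppProject, written as the JSON form of the CR, for destinations outside the two allowed Namespaces, whitelisted cluster-scoped resources, and role policies that reach outside the Project. The resource names come from this page; the server URL and the policy lines are assumptions, since the page does not show them.

```python
# Constructed AppProject, shaped like the JSON form of the CR. Names come from
# the page; the server URL and the policy lines are assumptions.
SERVER = "https://kubernetes.default.svc"
PROJECT = {
    "metadata": {"name": "project-memes"},
    "spec": {
        "destinations": [
            {"server": SERVER, "namespace": "project-memes-dev"},
            {"server": SERVER, "namespace": "project-memes-prod"},
        ],
        "clusterResourceWhitelist": [],
        "roles": [
            {"name": "memes-development", "groups": ["application-dev"],
             "policies": ["p, proj:project-memes:memes-development, "
                          "applications, get, project-memes/*, allow"]},
            {"name": "memes-operations", "groups": ["application-ops"],
             "policies": ["p, proj:project-memes:memes-operations, "
                          "applications, sync, project-memes/*, allow"]},
        ],
    },
}
ALLOWED_NAMESPACES = {"project-memes-dev", "project-memes-prod"}

def audit(project, allowed_namespaces=ALLOWED_NAMESPACES):
    """Return findings; an empty list means the project is scoped as intended."""
    name, spec, findings = project["metadata"]["name"], project["spec"], []
    for dest in spec.get("destinations", []):
        ns = dest.get("namespace", "")
        if ns not in allowed_namespaces:  # also catches globs such as "*"
            findings.append(f"destination namespace not allowed: {ns!r}")
    if spec.get("clusterResourceWhitelist"):
        findings.append("cluster-scoped resources are whitelisted")
    for role in spec.get("roles", []):
        subject = f"proj:{name}:{role['name']}"
        if not role.get("groups"):
            findings.append(f"role {role['name']} has no group bound")
        for line in role.get("policies", []):
            # Expected shape: p, subject, resource, action, object, effect
            fields = [f.strip() for f in line.split(",")]
            if len(fields) != 6 or fields[0] != "p":
                findings.append(f"malformed policy: {line!r}")
            elif fields[1] != subject:
                findings.append(f"policy subject is not {subject}: {line!r}")
            elif not fields[4].startswith(f"{name}/"):
                findings.append(f"policy object outside project: {line!r}")
    return findings

if __name__ == "__main__":
    print(audit(PROJECT) or "no findings")
```

Running the same audit against the live CR exported as JSON would flag any later change that widens the Project beyond its two Namespaces.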

Now that the rbac and argo-projects Application resources are synchronised, verify they had the desired effect.

Verify the Policies & RBAC

It’s time to verify that the AppProject, Group, roles, and policies were applied as expected for the foo user.

First, you’ll need to log out and log in again to make sure the Group/RBAC changes are detected and applied by the Argo CD instance:

  1. Create a private browsing session in your web browser.

  2. Log in to the OpenShift Web Console as the foo user by following these steps:

    • Select the standard-users identity provider.

    • Enter the username: foo.

    • Enter the password: foopassword.

    • Click the Log in button.

  3. Expand the Application Launcher icon (3x3 square) in the top-right of the OpenShift Web Console.

  4. Click the Cluster Argo CD link. This will open a new browser tab.

  5. Accept the self-signed certificate warning if one appears. The login page will now appear.

  6. Click the Log in via OpenShift button.

  7. When prompted, log in using the same standard-users identity provider, the foo username, and the foopassword password you used previously.

Confirm that Argo CD can see that the foo user is a member of the application-dev Group:

  1. Click the User Info icon on the left-hand menu in the Argo CD dashboard.

  2. Confirm that the foo user’s info shows that they’re part of the application-dev Group:

Next, confirm the AppProject and roles:

  1. Click on the Settings (cog/wheel) icon on the left-hand menu in the Argo CD dashboard.

  2. Select Projects from the list of items. A project-memes Project should be listed.

  3. Click on the project-memes item in the Project list.

  4. Switch to the Roles tab and confirm that the memes-development and memes-operations items are listed.

  5. Click on the memes-development role. An overlay should appear.

  6. Confirm that the Groups section in the overlay shows that the users in the application-dev group are bound to the memes-development role in this Argo CD Project.

Summary

Congratulations! You learned how to:

  • Bootstrap a cluster with a set of Applications, templated using a Helm chart.

  • Define Groups in OpenShift, and add OpenShift users to those Groups.

  • Create Projects, Roles, and Policies in Argo CD using AppProject CRs.

In the next section you’ll learn how to implement continuous deployment for a containerised application using Argo CD.