1.建立使用者alice
# Apply the argocd-cm ConfigMap shown below (file name argocd-cm.yaml), which
# declares the additional local user "alice" in the argocd namespace.
kubectl apply -f argocd-cm.yaml
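apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  # Add an additional local user with apiKey and login capabilities.
  #   apiKey - allows generating API keys (long-lived tokens; only grant it
  #            when the account actually needs non-interactive access, since a
  #            leaked token keeps working until it is revoked)
  #   login  - allows to login using the UI
  accounts.alice: apiKey, login
  # Set to "false" to disable the user. A user is enabled by default.
  accounts.alice.enabled: "true"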
檢視使用者:
[root@k8s ~]# argocd account list
NAME   ENABLED  CAPABILITIES
admin  true     login
alice  true     apiKey, login
[root@k8s ~]# argocd account get --account alice
Name: alice
Enabled: true
Capabilities: apiKey, login
Tokens:
NONE
2.設定密碼
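# Set alice's password.
#   --current-password : password of the account currently logged in (admin here)
#   --new-password     : the new password for alice
# Comments must not follow a trailing "\" on the same line: the "\" then escapes
# the space instead of the newline, the "#" comment ends the command, and the
# --new-password flag on the next line is never passed.
# Passwords given as arguments are recorded in shell history and visible in
# `ps`; omit the two password flags to be prompted for them interactively.
argocd account update-password \
  --account alice \
  --current-password BI7tl958Klzm2gB4 \
  --new-password Qwer@1234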
登入web,此時沒有任何權限
3.RBAC賦予權限
如果限制使用者只有某個project有權限, 對應的git倉庫,cluster叢集資訊等也要新建對應project資源
# Register the cluster scoped to project test2 (--project), so it is
# available to that project rather than globally.
argocd cluster add kubernetes-admin@kubernetes --project test2
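apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  # Fallback role for every authenticated request that matches no policy line:
  # read access to all resources. Without it, visibility is decided by the
  # roles a user is bound to.
  policy.default: role:readonly
  # Keep comments on their own lines inside policy.csv: a trailing "# ..." on a
  # policy line may be read as part of the last (effect) field and silently
  # break that rule.
  policy.csv: |
    # All application operations are denied for this role.
    p, role:org-admin, applications, *, */*, deny
    # Alternative: allow create/delete/etc. only on applications in project test2.
    # p, role:org-admin, applications, *, test2/*, allow
    # Cluster read access.
    p, role:org-admin, clusters, get, *, allow
    # Repository read and write access across all projects (*).
    p, role:org-admin, repositories, get, *, allow
    p, role:org-admin, repositories, create, *, allow
    p, role:org-admin, repositories, update, *, allow
    p, role:org-admin, repositories, delete, *, allow
    p, role:org-admin, projects, get, *, allow
    p, role:org-admin, projects, create, *, allow
    p, role:org-admin, projects, update, *, allow
    p, role:org-admin, projects, delete, *, allow
    p, role:org-admin, logs, get, *, allow
    # exec/create on */* permits opening a terminal in the pods of any
    # application in any project; narrow it to one project (e.g. test2/*)
    # or drop it if the role does not need it.
    p, role:org-admin, exec, create, */*, allow
    # Bind local user alice to role:org-admin.
    g, alice, role:org-admin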
參考:
https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/
https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/