Argo Project RBAC and ApplicationSet #275

cnukwas · 2021-06-22T23:23:37Z

cnukwas
Jun 22, 2021

Hi,

We're just getting started with Argo CD and I am in the process of setting up Argo RBAC as per projects documentation.
Based on my limited understanding, as a cluster admin, we need to create one or more ApplicationSet(s) for teams and refer to the Argo Project names in that. Is this all we need to do in order to use Applicationset feature to let app teams Argo CD UI and CLI, to keep it separate for each teams Kubernetes deployments. Thinking of using Git directory generator to reduce additional step since it will auto create an Argo Application based on the template information.

Please comment if this is the right approach or I am missing anything here. We're using OpenShift GitOps operator which is nothing but an upstream version of Argo CD 2.0.x.

Thanks

Answered by jgwest

Jun 24, 2021

Hi cnukwas, this is correct: with Argo CD, the Argo RBAC is the primary way to support multitenant deployments of Applications. With this, the Argo CD administrator defines an AppProject resource that restricts what namespaces/git repositories an Application can deploy to/from, and then ensures that Applications that are generated are assigned to this project.

For example, this would create Applications based on the directories found within the Git repository, but restricting the Applications to the restrictions of the my-project project:

apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: cluster-addons
spec:
  generators:
  - git:
      repoURL: https://github.com/ar…

View full answer

jgwest · 2021-06-24T17:46:28Z

jgwest
Jun 24, 2021
Maintainer

Hi cnukwas, this is correct: with Argo CD, the Argo RBAC is the primary way to support multitenant deployments of Applications. With this, the Argo CD administrator defines an AppProject resource that restricts what namespaces/git repositories an Application can deploy to/from, and then ensures that Applications that are generated are assigned to this project.

For example, this would create Applications based on the directories found within the Git repository, but restricting the Applications to the restrictions of the my-project project:

apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: cluster-addons
spec:
  generators:
  - git:
      repoURL: https://github.com/argoproj-labs/applicationset.git
      revision: HEAD
      directories:
      - path: examples/git-generator-directory/cluster-addons/*
  template:
    metadata:
      name: '{{path.basename}}'
    spec:
      project: my-project  # my-project is the project that restricts the tenant
      source:
        repoURL: https://github.com/argoproj-labs/applicationset.git
        targetRevision: HEAD
        path: '{{path}}'
      destination:
        server: https://kubernetes.default.svc
        namespace: '{{path.basename}}'

1 reply

cnukwas Jun 30, 2021
Author

Sorry for the late response, and thank you very much. This is exactly what I am looking for. I am creating OIDC groups and an Argo Project for each group with Argo RBAC to restrict deployments to set of namespaces, to allow each group to see or change team's Applications only.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Argo Project RBAC and ApplicationSet #275

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

Argo Project RBAC and ApplicationSet #275

cnukwas Jun 22, 2021

Replies: 1 comment · 1 reply

jgwest Jun 24, 2021 Maintainer

cnukwas Jun 30, 2021 Author

cnukwas
Jun 22, 2021

Replies: 1 comment 1 reply

jgwest
Jun 24, 2021
Maintainer

cnukwas Jun 30, 2021
Author