apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: argocd
  name: argocd-readonly
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argocd-readonly-binding
  namespace: argocd
subjects:
- kind: User
  name: $USERNAME # Replace with the actual username
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: argocd-readonly
  apiGroup: rbac.authorization.k8s.io
Replace $USERNAME with your Argo CD user.
Syntax for Argo CD RBAC (the policy.csv key of the argocd-rbac-cm ConfigMap):
data:
  policy.csv: |
    # Grant read-only access to user1 for a specific project
    g, user1, role:readonly
    # Grant read-write access to user2 for the same project
    g, user2, role:readwrite
    # Define what the readonly role can do
    # (project objects are named <project>, application objects <project>/<application>)
    p, role:readonly, projects, get, <project-name>, allow
    p, role:readonly, projects, list, <project-name>, allow
    p, role:readonly, applications, get, <project-name>/*, allow
    p, role:readonly, applications, list, <project-name>/*, allow
    # Define what the readwrite role can do
    p, role:readwrite, projects, get, <project-name>, allow
    p, role:readwrite, projects, list, <project-name>, allow
    p, role:readwrite, projects, create, <project-name>, allow
    p, role:readwrite, projects, update, <project-name>, allow
    p, role:readwrite, projects, delete, <project-name>, allow
    p, role:readwrite, applications, get, <project-name>/*, allow
    p, role:readwrite, applications, list, <project-name>/*, allow
    p, role:readwrite, applications, create, <project-name>/*, allow
    p, role:readwrite, applications, update, <project-name>/*, allow
    p, role:readwrite, applications, delete, <project-name>/*, allow
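As an added, offline way to check what a policy.csv like the one above actually grants (example code written for this page, not Argo CD's own evaluator): the Python script below approximates Argo CD's Casbin model, in which a request (user, resource, action, object) is allowed when some matching `p` line says allow and no matching `p` line says deny, and `g` lines map users (or roles) to roles. Glob matching is approximated with Python's fnmatch, where `*` also matches `/`. The policy text is constructed, with the made-up project name `myproj` standing in for `<project-name>`; the script also shows why an applications rule whose object is a bare project name never matches a request for `<project>/<application>`.

```python
from fnmatch import fnmatchcase


def parse_policy(csv_text):
    """Parse policy.csv into (groups, policies).

    groups:   {subject: {role, ...}} from 'g, subject, role' lines
    policies: [(subject, resource, action, object, effect)] from 'p, ...' lines
    Blank lines and lines starting with '#' are ignored, as Casbin does.
    """
    groups, policies = {}, []
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "g" and len(fields) == 3:
            groups.setdefault(fields[1], set()).add(fields[2])
        elif fields[0] == "p" and len(fields) == 6:
            policies.append(tuple(fields[1:]))
        else:
            raise ValueError(f"unrecognised policy line: {raw!r}")
    return groups, policies


def effective_subjects(user, groups):
    """The user plus every role reachable through 'g' lines (roles may nest)."""
    seen, stack = {user}, [user]
    while stack:
        for role in groups.get(stack.pop(), ()):
            if role not in seen:
                seen.add(role)
                stack.append(role)
    return seen


def can(policy_text, user, resource, action, obj):
    """Allow if some matching policy says allow and none says deny.

    Glob matching via fnmatch is an approximation of Argo CD's glob matcher:
    '*' matches any characters, '/' included, so 'myproj/*' matches 'myproj/web'.
    """
    groups, policies = parse_policy(policy_text)
    subjects = effective_subjects(user, groups)
    allowed = denied = False
    for p_sub, p_res, p_act, p_obj, effect in policies:
        if p_sub not in subjects:
            continue
        if not (fnmatchcase(resource, p_res) and fnmatchcase(action, p_act)
                and fnmatchcase(obj, p_obj)):
            continue
        if effect == "allow":
            allowed = True
        elif effect == "deny":
            denied = True
    return allowed and not denied


# Constructed policy in the same shape as the snippet above, with the
# made-up project name "myproj" in place of <project-name>.
SAMPLE_POLICY = """
g, user1, role:readonly
g, user2, role:readwrite
# readonly
p, role:readonly, projects, get, myproj, allow
p, role:readonly, applications, get, myproj/*, allow
# readwrite: everything on the project's apps, but never delete prod-* apps
p, role:readwrite, applications, *, myproj/*, allow
p, role:readwrite, applications, delete, myproj/prod-*, deny
"""

# A bare project name as the object of an applications rule: application
# objects are '<project>/<application>', so this line never matches one.
LOOSE_POLICY = """
g, user2, role:readwrite
p, role:readwrite, applications, create, myproj, allow
"""

if __name__ == "__main__":
    checks = [
        ("user1", "applications", "get", "myproj/web"),
        ("user1", "applications", "sync", "myproj/web"),
        ("user2", "applications", "sync", "myproj/web"),
        ("user2", "applications", "delete", "myproj/dev-db"),
        ("user2", "applications", "delete", "myproj/prod-db"),
        ("user2", "applications", "get", "other/web"),
    ]
    for req in checks:
        print(f"{req}: {'allow' if can(SAMPLE_POLICY, *req) else 'deny'}")
    print("loose create rule matches myproj/web:",
          can(LOOSE_POLICY, "user2", "applications", "create", "myproj/web"))
```

Run it as a plain script; each request is printed with its decision. The deny line wins over the broad `*` allow for `myproj/prod-*`, and the loose `create` rule evaluates to `False`, which is the reason the applications rules above use `<project-name>/*` rather than `<project-name>`.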
Example file used in the video:
apiVersion: v1
data:
  policy.csv: |
    g, shankey, role:readonly
    p, role:readonly, projects, get, default, allow
    p, role:readonly, projects, list, default, allow
kind: ConfigMap
metadata:
  creationTimestamp: "2024-11-04T07:07:19Z"
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-rbac-cm
  namespace: argocd