This is an EXAMPLE(!) ArgoCD Projects (kind: AppProject) repository.
The ArgoCD application named "projects" (kind: Application) auto-syncs these files!
Kustomize is used to patch over the base files with environment-specific configs.
For local testing, get the kustomize tool from https://kustomize.io
NB! Only ArgoCD admins should be allowed to manage this repository!
Splitting up the repositories provides the option to manage permissions separately.
- https://github.com/villisco/argocd-setup - creates the projects application that auto syncs this repository.
- https://github.com/villisco/argocd-apps - sync source for apps (kind: Application)
```
argocd-projects
├── README.md
├── base
│   ├── kustomization.yaml
│   └── projects/
│       └── project1.yaml        <!--- shared part of the project manifest for all envs
└── overlays
    ├── dev                      <!--- kubernetes cluster
    │   ├── kustomization.yaml
    │   └── projects
    │       └── project1.yaml    <!--- patch over base project with env specific conf
    ├── live
    │   └── ...
    └── test
        └── ...
```
A Project is a logical way of grouping Applications together in ArgoCD.
All Applications (kind: Application) must belong to a Project (kind: AppProject)!
Projects provide the following features:
- restrict what may be deployed (trusted repositories)
- restrict where apps may be deployed to (destination clusters and namespaces)
- restrict what kinds of resources may or may not be deployed (e.g., RBAC, CRDs, DaemonSets, NetworkPolicy etc…)
- defining project roles to provide application RBAC (bound to OIDC groups and/or JWT tokens)
- define when application(s) are allowed to be synced with "Sync Windows"
Please define all new user Applications in argocd-apps repository!
RBAC permission structure:

```
p, <role/user/group>, <resource>, <action>, <appproject>/<object>, allow|deny
```

PS. Under a project, the subject is the project role (the object is always scoped to that project):

```
p, proj:<project-name>:<role-name>, <resource>, <action>, <project-name>/<object>, allow|deny
```

Possible resources:

```
clusters, projects, applications, applicationsets, repositories, certificates, accounts, gpgkeys, logs, exec, extensions
```

NB! Roles under a project inherit the restrictions configured on the Project - you cannot grant permissions outside the Project's allowed scope!

Possible actions:

```
get, create, update, delete, sync, override, action/<group/kind/action-name>
```

Define permissions under a role and map the role to a group.
Example:

```yaml
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: my-project
spec:
  roles:
    - name: read-only
      description: Read-only privileges to all apps in project
      policies:
        - p, proj:my-project:read-only, applications, get, my-project/*, allow
      groups:
        # add this group to users in keycloak
        - my-project_read-only
    - name: developer
      description: Developer privileges to all apps in project
      policies:
        # allow all app actions except delete & create (a matching deny rule overrides the allow)
        - p, proj:my-project:developer, applications, *, my-project/*, allow
        - p, proj:my-project:developer, applications, delete, my-project/*, deny
        - p, proj:my-project:developer, applications, create, my-project/*, deny
        # allow viewing project
        - p, proj:my-project:developer, projects, get, my-project/*, allow
        # allow viewing projects repositories
        - p, proj:my-project:developer, repositories, get, my-project/*, allow
        # allow viewing pod logs
        - p, proj:my-project:developer, logs, get, my-project/*, allow
        # do not allow exec into pods
        - p, proj:my-project:developer, exec, create, my-project/*, deny
      groups:
        # add this group to users in keycloak
        - my-project_developer
```
NB! After defining the roles, add the groups (my-project_read-only, my-project_developer) to selected users in the Keycloak "argocd" realm!
Create identically named groups there (see the permissions example).
Add users to those groups to give them permissions in ArgoCD.
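To sanity-check a role's policy lines before committing them, the following is an added example (not part of this repository or of ArgoCD) of a simplified evaluator: it parses the `p, ...` lines from the AppProject above, resolves Keycloak groups to project roles the way the `groups:` lists do, and applies Casbin's deny-overrides effect that ArgoCD uses, with glob matching assumed for every field.

```python
"""Simplified evaluator for ArgoCD AppProject role policies (constructed example)."""
from fnmatch import fnmatchcase

# Policy lines copied from the example AppProject above (constructed inline).
POLICIES = [
    "p, proj:my-project:read-only, applications, get, my-project/*, allow",
    "p, proj:my-project:developer, applications, *, my-project/*, allow",
    "p, proj:my-project:developer, applications, delete, my-project/*, deny",
    "p, proj:my-project:developer, applications, create, my-project/*, deny",
    "p, proj:my-project:developer, logs, get, my-project/*, allow",
    "p, proj:my-project:developer, exec, create, my-project/*, deny",
]
# Keycloak group -> project role, as declared under each role's `groups:` list.
GROUP_ROLES = {
    "my-project_read-only": "proj:my-project:read-only",
    "my-project_developer": "proj:my-project:developer",
}


def parse_policy(line):
    """Split one 'p, subject, resource, action, object, effect' line."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 6 or parts[0] != "p" or parts[5] not in ("allow", "deny"):
        raise ValueError(f"malformed policy: {line!r}")
    return tuple(parts[1:])  # (subject, resource, action, object, effect)


def allowed(groups, resource, action, obj, policies=POLICIES):
    """True only if some rule allows AND no rule denies (deny wins, as in Casbin)."""
    subjects = {GROUP_ROLES[g] for g in groups if g in GROUP_ROLES}
    any_allow = any_deny = False
    for line in policies:
        sub, res, act, o, eft = parse_policy(line)
        # Assumption: plain glob matching on every field ('*' matches across '/').
        if (sub in subjects and fnmatchcase(resource, res)
                and fnmatchcase(action, act) and fnmatchcase(obj, o)):
            if eft == "allow":
                any_allow = True
            else:
                any_deny = True
    return any_allow and not any_deny


if __name__ == "__main__":
    for act in ("sync", "delete"):
        print(act, allowed(["my-project_developer"], "applications", act, "my-project/app1"))
```

Run it against your own AppProject's policy lines to confirm that a deny line really covers the action you want blocked; an action with no matching allow is denied by default.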
- https://argo-cd.readthedocs.io/en/stable/user-guide/projects/
- https://argo-cd.readthedocs.io/en/stable/user-guide/sync_windows/
- https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/
- https://argo-cd.readthedocs.io/en/latest/user-guide/commands/argocd_proj_role/
- https://github.com/argoproj/argo-cd/blob/master/assets/builtin-policy.csv (example permissions)