Chapter 3. Customizing permissions by creating aggregated cluster roles
The default cluster role for the Argo CD Application Controller has a specific set of hard-coded permissions. The Red Hat OpenShift GitOps Operator manages this cluster role, so you cannot modify it. As a cluster administrator, you can customize the permissions by using any one of the following methods:
3.1. Aggregated cluster roles
By using aggregated cluster roles, you do not have to define permissions by creating new cluster roles from scratch. Instead, you can combine several cluster roles into a single one.
With Red Hat OpenShift GitOps 1.14 and later, as a cluster administrator, you can use aggregated cluster roles and enable users to easily add user-defined permissions for Argo CD Application Controller.
- The aggregated cluster roles functionality is optional and disabled by default. You can create aggregated cluster roles only for the Argo CD Application Controller component of a cluster-scoped Argo CD instance.
- Deleting the aggregatedClusterRoles field from the Argo CD custom resource (CR) does not delete the user-defined cluster role. You must manually delete the user-defined cluster role using the CLI or UI.
3.2. Prerequisites
- You understand aggregated cluster roles.
- You have installed Red Hat OpenShift GitOps on your OpenShift Container Platform cluster.
- You have installed the OpenShift CLI (oc).
- You have installed the Red Hat OpenShift GitOps argocd CLI.
- You have installed a cluster-scoped Argo CD instance in your defined namespace.
- You have validated that the user-defined cluster-scoped instance is configured with the cluster roles and cluster role bindings for the following components:
  - Argo CD Application Controller
  - Argo CD server
  - Argo CD ApplicationSet Controller, if ApplicationSet Controller is created
- You have disabled the creation of the default cluster roles for the cluster-scoped instance.
3.3. Creating aggregated cluster roles
The process of creating aggregated cluster roles consists of the following procedures:
- Enabling the creation of aggregated cluster roles
- Creating user-defined cluster roles and configuring user-defined permissions for Application Controller
3.3.1. Enable the creation of aggregated cluster roles
You can enable the creation of aggregated cluster roles by setting the value of the .spec.aggregatedClusterRoles field to true in the Argo CD custom resource (CR). When you enable the creation of aggregated cluster roles, the Red Hat OpenShift GitOps Operator takes the following actions:
- Creates an <argocd_name>-<argocd_namespace>-argocd-application-controller aggregated cluster role with a predefined aggregationRule field by default.
- Creates a corresponding cluster role binding and manages it.
- Creates and manages view and admin cluster roles for Application Controller to add user-defined permissions into the aggregated cluster role.
3.3.2. Create user-defined cluster roles and configure user-defined permissions
To configure user-defined permissions into the <argocd_name>-<argocd_namespace>-argocd-application-controller-admin cluster role and the aggregated cluster role, you must create one or more user-defined cluster roles that carry the argocd/aggregate-to-admin: 'true' label together with the app.kubernetes.io/managed-by label set to the Argo CD namespace, and then configure the user-defined permissions for Application Controller. The admin cluster role selects on both labels, so a role that has only one of them is not aggregated.
- The aggregated cluster role inherits permissions from the <argocd_name>-<argocd_namespace>-argocd-application-controller-admin and <argocd_name>-<argocd_namespace>-argocd-application-controller-view cluster roles.
- The <argocd_name>-<argocd_namespace>-argocd-application-controller-admin cluster role inherits permissions from the user-defined cluster role.
3.4. Enabling the creation of aggregated cluster roles
To enable the creation of aggregated cluster roles for the Argo CD Application Controller component of a cluster-scoped Argo CD instance, you must configure the corresponding field by editing the YAML file of the Argo CD custom resource (CR).
Procedure
In the Argo CD CR, set the value of the .spec.aggregatedClusterRoles field to true:

Example Argo CD CR:

apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: example
  namespace: spring-petclinic
# ...
spec:
  aggregatedClusterRoles: true
# ...

where:
- metadata.name: Specifies the name of the cluster-scoped instance.
- metadata.namespace: Specifies the namespace where you want to run the cluster-scoped instance.
- spec.aggregatedClusterRoles: Enables the creation of aggregated cluster roles. If you do not want to enable the creation of aggregated cluster roles, either omit this field or set the value to false.

Example output:

argocd.argoproj.io/example configured

Verify that the Status field of the cluster-scoped Argo CD instance shows Phase: Available by running the following command:

$ oc describe argocd.argoproj.io/example -n spring-petclinic

Example output:

Name:         example
Namespace:    spring-petclinic
Labels:       <none>
Annotations:  <none>
API Version:  argoproj.io/v1beta1
Kind:         ArgoCD
Metadata:
  Creation Timestamp:  2024-08-14T08:20:53Z
  Finalizers:
    argoproj.io/finalizer
  Generation:        3
  Resource Version:  60437
  UID:               57940e54-d60b-4c1a-bc4a-85c81c63ab69
Spec:
  Aggregated Cluster Roles:  true
  ...
Status:
  Application Controller:      Running
  Application Set Controller:  Unknown
  Phase:                       Available
  Redis:                       Running
  Repo:                        Running
  Server:                      Running
  Sso:                         Unknown
Events:                        <none>

The Available status indicates that the cluster-scoped Argo CD instance is healthy and available.

Note: The Red Hat OpenShift GitOps Operator creates the following default cluster roles and manages them:
- <argocd_name>-<argocd_namespace>-argocd-application-controller aggregated cluster role
- <argocd_name>-<argocd_namespace>-argocd-application-controller-view
- <argocd_name>-<argocd_namespace>-argocd-application-controller-admin
Verify that the Operator has created the default cluster roles and cluster role bindings for the Argo CD Application Controller and Argo CD server components by running the following commands:

$ oc get ClusterRoles -l app.kubernetes.io/part-of=argocd

Example output:

NAME                                                           CREATED AT
example-spring-petclinic-argocd-application-controller         2024-08-14T08:20:58Z
example-spring-petclinic-argocd-application-controller-admin   2024-08-14T09:08:38Z
example-spring-petclinic-argocd-application-controller-view    2024-08-14T09:08:38Z
example-spring-petclinic-argocd-server                         2024-08-14T08:20:59Z

$ oc get ClusterRoleBindings -l app.kubernetes.io/part-of=argocd

Example output:

NAME                                                     ROLE                                                                 AGE
example-spring-petclinic-argocd-application-controller   ClusterRole/example-spring-petclinic-argocd-application-controller   54m
example-spring-petclinic-argocd-server                   ClusterRole/example-spring-petclinic-argocd-server                   54m

The cluster role bindings for the view and admin cluster roles are not created. This is because the view and admin cluster roles only add permissions to the aggregated cluster role and do not directly configure permissions for the Argo CD Application Controller; the single binding to the aggregated cluster role is what grants the controller its effective permissions.

Tip: Alternatively, you can use the OpenShift Container Platform web console to verify from the Administrator perspective. You can go to User Management > Roles and User Management > RoleBindings, respectively, and search for the cluster roles and cluster role bindings that have the app.kubernetes.io/part-of: argocd label.

Verify that the aggregated cluster role has been created, and inspect the permissions of each created role, by running the following command:
$ oc get ClusterRole/<cluster_role_name> -o yaml

where:
- <cluster_role_name>: Specifies the name of the role created.

Example output of the aggregated cluster role:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    argocds.argoproj.io/name: example
    argocds.argoproj.io/namespace: spring-petclinic
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"argoproj.io/v1beta1","kind":"ArgoCD","metadata":{"annotations":{},"name":"example","namespace":"spring-petclinic"},"spec":{"aggregatedClusterRoles":true}}
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2024-08-14T08:20:58Z"
  labels:
    app.kubernetes.io/managed-by: spring-petclinic
    app.kubernetes.io/name: example
    app.kubernetes.io/part-of: argocd
  name: example-spring-petclinic-argocd-application-controller
  resourceVersion: "78640"
  uid: aeeb2ef5-b531-4fe3-a61a-b5ad8dd8ca6e
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      app.kubernetes.io/managed-by: spring-petclinic
      argocd/aggregate-to-controller: "true"
rules: []

where:
- metadata.name: Specifies the name of the aggregated cluster role.
- aggregationRule.clusterRoleSelectors: Specifies the predefined label selector. Any cluster role whose labels include every label of the selector, here app.kubernetes.io/managed-by: spring-petclinic together with argocd/aggregate-to-controller: "true", has its permissions inherited by the aggregated cluster role.
- rules: Specifies the aggregated permissions. The list is empty when the role is first created; as soon as the Operator creates the <argocd_name>-<argocd_namespace>-argocd-application-controller-view cluster role, the predefined view permissions are added into the aggregated cluster role. The control plane fills this field from the matched roles and overwrites any manual changes to it, so do not edit it by hand.
Example output of the view cluster role:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    argocds.argoproj.io/name: example
    argocds.argoproj.io/namespace: spring-petclinic
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"argoproj.io/v1beta1","kind":"ArgoCD","metadata":{"annotations":{},"name":"example","namespace":"spring-petclinic"},"spec":{"aggregatedClusterRoles":true}}
  creationTimestamp: "2024-08-14T09:59:14Z"
  labels:
    app.kubernetes.io/managed-by: spring-petclinic
    app.kubernetes.io/name: example
    app.kubernetes.io/part-of: argocd
    argocd/aggregate-to-controller: "true"
  name: example-spring-petclinic-argocd-application-controller-view
  resourceVersion: "78639"
  uid: 068b8867-7a0c-4af3-a17a-0560a00eba41
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- nonResourceURLs:
  - '*'
  verbs:
  - get
  - list

where:
- metadata.labels: Defines the labels that match the predefined selector of the existing aggregated cluster role.
- metadata.name: Specifies the name of the view cluster role.
- rules: Specifies the predefined view permissions. These permissions are added into the existing aggregated cluster role. Because they cover every resource in every API group, they include read access to Secrets in all namespaces.
Example output of the admin cluster role:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    argocds.argoproj.io/name: example
    argocds.argoproj.io/namespace: spring-petclinic
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"argoproj.io/v1beta1","kind":"ArgoCD","metadata":{"annotations":{},"name":"example","namespace":"spring-petclinic"},"spec":{"aggregatedClusterRoles":true}}
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2024-08-14T09:59:15Z"
  labels:
    app.kubernetes.io/managed-by: spring-petclinic
    app.kubernetes.io/name: example
    app.kubernetes.io/part-of: argocd
    argocd/aggregate-to-controller: "true"
  name: example-spring-petclinic-argocd-application-controller-admin
  resourceVersion: "78642"
  uid: e2d35b6f-0832-4993-8b24-915a725454f9
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      app.kubernetes.io/managed-by: spring-petclinic
      argocd/aggregate-to-admin: "true"
rules: null

where:
- metadata.labels: Specifies the labels that match the predefined selector of the existing aggregated cluster role.
- metadata.name: Specifies the name of the admin cluster role.
- aggregationRule.clusterRoleSelectors: Specifies the predefined label selector, app.kubernetes.io/managed-by: spring-petclinic together with argocd/aggregate-to-admin: "true", through which the existing <argocd_name>-<argocd_namespace>-argocd-application-controller-admin cluster role inherits permissions from user-defined cluster roles.
- rules: The value null indicates that no user-defined cluster role with matching labels exists yet, so no permissions have been aggregated.

Tip: Alternatively, you can use the OpenShift Container Platform web console to verify from the Administrator perspective. You can go to User Management > Roles, use the Filter option, select Cluster-wide Roles, and search for the aggregated cluster role and the view and admin cluster roles. You must open the cluster role to check the details and configurations.

As a cluster administrator, you can now create one or more user-defined cluster roles and configure user-defined permissions for Argo CD Application Controller.
3.5. Creating user-defined cluster roles and configuring user-defined permissions for Application Controller
As a cluster administrator, to add user-defined permissions to your aggregated cluster role, you must create one or more user-defined cluster roles and then configure the user-defined permissions for the Argo CD Application Controller component of a cluster-scoped Argo CD instance.
Prerequisites
- You have enabled the creation of aggregated cluster roles for the Argo CD Application Controller component of a cluster-scoped Argo CD instance.
- You have the following default cluster roles that are created and managed by the Red Hat OpenShift GitOps Operator:
  - <argocd_name>-<argocd_namespace>-argocd-application-controller aggregated cluster role with a predefined aggregationRule field
  - <argocd_name>-<argocd_namespace>-argocd-application-controller-view with predefined view permissions
  - <argocd_name>-<argocd_namespace>-argocd-application-controller-admin with no predefined permissions
Procedure
Create a new cluster role with the required labels and permissions by using the following command:

$ oc apply -n <namespace> -f <cluster_role_name>.yaml

where:
- <namespace>: Specifies the name of your defined namespace. A ClusterRole is a cluster-scoped resource, so the namespace does not change where the role is created; it is the labels in the manifest that tie the role to the Argo CD instance.
- <cluster_role_name>: Specifies the name of your defined cluster role YAML file.

Example user-defined cluster role YAML:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: user-application-controller
  labels:
    app.kubernetes.io/managed-by: spring-petclinic
    app.kubernetes.io/name: example
    app.kubernetes.io/part-of: argocd
    argocd/aggregate-to-admin: 'true'
rules:
- verbs:
  - '*'
  apiGroups:
  - ''
  resources:
  - namespaces
  - persistentvolumeclaims
  - persistentvolumes
  - configmaps
- verbs:
  - '*'
  apiGroups:
  - compliance.openshift.io
  resources:
  - scansettingbindings

where:
- metadata.name: Specifies the name of the user-defined cluster role.
- metadata.labels.app.kubernetes.io/managed-by: Must equal the namespace of the cluster-scoped Argo CD instance (spring-petclinic in this example), because the admin cluster role's aggregationRule selects on this label together with argocd/aggregate-to-admin.
- metadata.labels.argocd/aggregate-to-admin: Specifies that the cluster role is aggregated into the Argo CD application controller admin cluster role, allowing the permissions defined in this role to be included automatically.
- rules: Specifies the list of permissions granted by the cluster role, including allowed API groups, resources, and verbs. Once aggregated, these rules apply cluster-wide: the wildcard verb '*' in this example grants create, update, and delete on namespaces, persistent volumes, and config maps in every namespace, so limit the rules to the resources the Application Controller must manage.

Tip: Alternatively, you can use the web console to create a user-defined cluster role from the Administrator perspective. You can go to User Management > Roles > Create Role, use the preceding YAML template to add permissions, and click Create.

Example output:

clusterrole.rbac.authorization.k8s.io/user-application-controller created

A user-defined cluster role is created.
Verify that the <argocd_name>-<argocd_namespace>-argocd-application-controller-admin cluster role inherits permissions from the user-defined cluster role by running the following command:

$ oc get ClusterRole/<argocd_name>-<argocd_namespace>-argocd-application-controller-admin -o yaml

where:
- <argocd_name>: Specifies the name of your user-defined cluster-scoped Argo CD instance.
- <argocd_namespace>: Specifies the namespace where Argo CD is installed.

Example output:

aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      app.kubernetes.io/managed-by: spring-petclinic
      argocd/aggregate-to-admin: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    argocds.argoproj.io/name: example
    argocds.argoproj.io/namespace: spring-petclinic
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"argoproj.io/v1beta1","kind":"ArgoCD","metadata":{"annotations":{},"name":"example","namespace":"spring-petclinic"},"spec":{"aggregatedClusterRoles":true}}
  creationTimestamp: "2024-08-14T09:59:15Z"
  labels:
    app.kubernetes.io/managed-by: spring-petclinic
    app.kubernetes.io/name: example
    app.kubernetes.io/part-of: argocd
    argocd/aggregate-to-controller: "true"
  name: example-spring-petclinic-argocd-application-controller-admin
  resourceVersion: "79202"
  uid: e2d35b6f-0832-4993-8b24-915a725454f9
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  - persistentvolumeclaims
  - persistentvolumes
  - configmaps
  verbs:
  - '*'
- apiGroups:
  - compliance.openshift.io
  resources:
  - scansettingbindings
  verbs:
  - '*'

Tip: Alternatively, you can use the OpenShift Container Platform web console to verify from the Administrator perspective. You can go to User Management > Roles, use the Filter option, select Cluster-wide Roles, and search for the <argocd_name>-<argocd_namespace>-argocd-application-controller-admin cluster role. You must open the cluster role to check the details and configurations.
Verify that the <argocd_name>-<argocd_namespace>-argocd-application-controller aggregated cluster role inherits permissions from the <argocd_name>-<argocd_namespace>-argocd-application-controller-admin and <argocd_name>-<argocd_namespace>-argocd-application-controller-view cluster roles by running the following command:

$ oc get ClusterRole/<argocd_name>-<argocd_namespace>-argocd-application-controller -o yaml

where:
- <argocd_name>: Specifies the name of your user-defined cluster-scoped Argo CD instance.
- <argocd_namespace>: Specifies the namespace where Argo CD is installed.

Example output of the aggregated cluster role:

aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      app.kubernetes.io/managed-by: spring-petclinic
      argocd/aggregate-to-controller: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    argocds.argoproj.io/name: example
    argocds.argoproj.io/namespace: spring-petclinic
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"argoproj.io/v1beta1","kind":"ArgoCD","metadata":{"annotations":{},"name":"example","namespace":"spring-petclinic"},"spec":{"aggregatedClusterRoles":true}}
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2024-08-14T08:20:58Z"
  labels:
    app.kubernetes.io/managed-by: spring-petclinic
    app.kubernetes.io/name: example
    app.kubernetes.io/part-of: argocd
  name: example-spring-petclinic-argocd-application-controller
  resourceVersion: "79203"
  uid: aeeb2ef5-b531-4fe3-a61a-b5ad8dd8ca6e
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  - persistentvolumeclaims
  - persistentvolumes
  - configmaps
  verbs:
  - '*'
- apiGroups:
  - compliance.openshift.io
  resources:
  - scansettingbindings
  verbs:
  - '*'
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- nonResourceURLs:
  - '*'
  verbs:
  - get
  - list

Tip: Alternatively, you can use the OpenShift Container Platform web console to verify from the Administrator perspective. You can go to User Management > Roles, use the Filter option, select Cluster-wide Roles, and search for the aggregated cluster role. You must open the cluster role to check the details and configurations.
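The following Python script is an added example; it is not code from the Red Hat OpenShift GitOps Operator or from this page. It models the two-level aggregation chain described in sections 3.3.2 and 3.5 (user-defined role into the -admin role, -admin and -view into the aggregated controller role) by reproducing the matchLabels rule that Kubernetes applies to aggregationRule selectors, and it emits a user-defined cluster role manifest that can be checked offline before running oc apply. The instance name, namespace, labels and rules are taken from this chapter's examples; the function names and the "other-ns" failure case are illustrative and not part of the page.

```python
"""Offline check of the aggregated cluster role chain for the Argo CD
Application Controller.

Added example, not Operator code. A cluster role is folded into an aggregating
role when its labels contain every key/value pair of at least one
clusterRoleSelectors entry; the Operator-created roles below are constructed
from the example output in this chapter.
"""
import json

ARGOCD_NAME = "example"                # metadata.name of the cluster-scoped instance
ARGOCD_NAMESPACE = "spring-petclinic"  # namespace the instance runs in

# Predefined permissions the Operator places on the -view cluster role.
VIEW_RULES = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
    {"nonResourceURLs": ["*"], "verbs": ["get", "list"]},
]
# Permissions from the user-defined cluster role shown in this chapter.
USER_RULES = [
    {"apiGroups": [""], "verbs": ["*"],
     "resources": ["namespaces", "persistentvolumeclaims", "persistentvolumes", "configmaps"]},
    {"apiGroups": ["compliance.openshift.io"], "resources": ["scansettingbindings"], "verbs": ["*"]},
]


def role_name(suffix=""):
    """<argocd_name>-<argocd_namespace>-argocd-application-controller[<suffix>]"""
    return f"{ARGOCD_NAME}-{ARGOCD_NAMESPACE}-argocd-application-controller{suffix}"


def operator_roles():
    """The three cluster roles created when spec.aggregatedClusterRoles is true,
    in the order [aggregated controller role, -view, -admin]."""
    common = {"app.kubernetes.io/managed-by": ARGOCD_NAMESPACE,
              "app.kubernetes.io/name": ARGOCD_NAME,
              "app.kubernetes.io/part-of": "argocd"}
    to_controller = dict(common, **{"argocd/aggregate-to-controller": "true"})
    return [
        {"metadata": {"name": role_name(), "labels": dict(common)},
         "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {
             "app.kubernetes.io/managed-by": ARGOCD_NAMESPACE,
             "argocd/aggregate-to-controller": "true"}}]},
         "rules": []},
        {"metadata": {"name": role_name("-view"), "labels": dict(to_controller)},
         "rules": [dict(r) for r in VIEW_RULES]},
        {"metadata": {"name": role_name("-admin"), "labels": dict(to_controller)},
         "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {
             "app.kubernetes.io/managed-by": ARGOCD_NAMESPACE,
             "argocd/aggregate-to-admin": "true"}}]},
         "rules": None},  # null until a user-defined role is aggregated
    ]


def user_defined_role(name, rules, managed_by=ARGOCD_NAMESPACE):
    """Manifest for a user-defined cluster role meant to aggregate into -admin.
    managed_by must equal the Argo CD namespace; it is a parameter only so the
    wrong-label failure case can be demonstrated (illustrative, not from the page)."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": name,
                     "labels": {"app.kubernetes.io/managed-by": managed_by,
                                "app.kubernetes.io/name": ARGOCD_NAME,
                                "app.kubernetes.io/part-of": "argocd",
                                "argocd/aggregate-to-admin": "true"}},
        "rules": [dict(r) for r in rules],
    }


def selected(labels, selectors):
    """matchLabels semantics: every pair of at least one selector must be present."""
    return any(all(labels.get(k) == v for k, v in sel.items()) for sel in selectors)


def will_aggregate(role, target):
    """Pre-flight check: would target's aggregationRule pick up role?"""
    selectors = [s["matchLabels"] for s in target["aggregationRule"]["clusterRoleSelectors"]]
    return selected(role["metadata"].get("labels", {}), selectors)


def aggregate(roles):
    """Resolve every aggregating role to a fixed point so the chain
    user-defined -> -admin -> aggregated controller role is fully expanded.
    Returns the roles keyed by name."""
    for role in roles:
        role["rules"] = list(role.get("rules") or [])
    changed = True
    while changed:
        changed = False
        for role in roles:
            selectors = [s["matchLabels"] for s in
                         role.get("aggregationRule", {}).get("clusterRoleSelectors", [])]
            if not selectors:
                continue  # a plain role keeps its own rules
            merged = []
            for other in roles:
                if other is role or not selected(other["metadata"].get("labels", {}), selectors):
                    continue
                for rule in other["rules"]:
                    if rule not in merged:
                        merged.append(rule)
            if merged != role["rules"]:
                role["rules"], changed = merged, True
    return {r["metadata"]["name"]: r for r in roles}


def effective_rules(user_roles):
    """Rules of the -admin role and of the aggregated controller role once the
    given user-defined roles exist."""
    resolved = aggregate(operator_roles() + list(user_roles))
    return resolved[role_name("-admin")]["rules"], resolved[role_name()]["rules"]


if __name__ == "__main__":
    good = user_defined_role("user-application-controller", USER_RULES)
    print(json.dumps(good, indent=2))  # JSON is accepted by `oc apply -f -`
    admin_rules, controller_rules = effective_rules([good])
    print(f"-admin gets {len(admin_rules)} rules, controller gets {len(controller_rules)}")
    # Same role with the wrong managed-by value: the -admin selector silently ignores it.
    bad = user_defined_role("user-application-controller", USER_RULES, managed_by="other-ns")
    print("wrong managed-by aggregates:", will_aggregate(bad, operator_roles()[2]))
```

Running the script prints the manifest and reports four rules on the aggregated controller role (two user-defined, two view) and False for the mislabelled role: nothing fails loudly when a label is wrong, the role is simply never selected, which is why the pre-flight check is worth running before the oc get verification steps above.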