Establish a pattern for multitenency

[basanthjenuhb]

Summary

• A K8s cluster is divided into namespaces and typically, each namespace is owned by a different team
• Currently, argo workflow configurations like SSO, archival configs etc are applied to the whole cluster
• This change would provide a way for namespace owners to specify configurations which apply just for workflows in their namespace and reduce dependency on the cluster owners for the change

Use Cases

• namespace owners will be able to specify SSO configs per namespace and control it themselves rather than reaching out to cluster owners
• Same applies for archival configs, max workflows in a namespace, max TTL etc

---

Message from the maintainers:

Impacted by this bug? Give it a 👍. We prioritise the issues with the most 👍.

[alexec]

To do this, install an Argo Server in each namespace.

[basanthjenuhb]

@alexec Yes, installing argo in each namespace is definitely a way to achieve it.
Only thing is, it might not be cost effective and operation heavy for individual teams.

I have been thinking about an approach for "SSO multitenancy"
Would request your feedback on this: #6990

[alexec]

@basanthjenuhb I'm hoping we'll implement Casbin based RBAC #6490 , which is much more flexible that the current RBAC we have. That would allow you to specify rules that are use namespace. Do you think that might fix your issue?

Take a look at the PoC too: #6646

[basanthjenuhb]

@alexec Agree with the comments in #6490
I just feel the same can be achieved with the current RBAC implementation, which I have tried to highlight in my PR #6990.
Personally, I would still like to stick to Kubernetes RBAC, as it is familiar and easy to keep secure instead of casbin.

I am essentially looking for an impersonation approach. And namespace owners to have self serve capability for fine grained control

[alexec]

Ok. Can you explain how you approach works? I did not really understand.

[basanthjenuhb]

@alexec Sure
Say argo-workflows is installed in a namespace called argo and the user is the owner of the namespace called user-namespace

• To login via SSO, there is a serviceaccount with an rbac rule and precedence which allows people to login.
• This serviceaccount also has a label called namespace-delegation, which lets the system know that it can look for service accounts in the individual namespace for which request has been made
• Now, say the user makes a ListWokflowsRequest in user-namespace, the system would again go ahead and see all service accounts in the user-namespace
• Based on the claims of the user, it will find a match which will again best suit based on rule and precedence
• Now, this service account will be used to execute ListWokflowsRequest
• Since, this ServiceAccount, Role and RoleBinding exists in the user-namespace, the user can control the rbac-rule on his own will whatever granularity required
• And also, the same user can be easily granted different types of permissions for different namespaces on a self serve basis

[basanthjenuhb]

@alexec
#6990 merged
Will raise a new PR to update documentation about the feature at https://github.com/argoproj/argo-workflows/blob/master/docs/argo-server-sso.md

[basanthjenuhb]

@alexec PR for documentation: #7138