The RBAC feature enables restriction of access to Argo CD resources. Argo CD does not have its own user management system and has only one built-in user, admin. The admin user is a superuser and has unrestricted access to the system. RBAC requires SSO configuration. Once SSO is configured, additional RBAC roles can be defined, and SSO groups can be mapped to roles.

RBAC configuration allows defining roles and groups. Argo CD has two pre-defined roles:

role:readonly - read-only access to all resources
role:admin - unrestricted access to all resources

These role definitions can be seen in builtin-policy.csv.

Additional roles and groups can be configured in the argocd-rbac-cm ConfigMap. The example below configures a custom role named org-admin. The role is assigned to any user who belongs to the your-github-org:your-team group. All other users get the default policy of role:readonly, which cannot modify Argo CD settings.

ConfigMap argocd-rbac-cm example:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
data:
  policy.default: role:readonly
  policy.csv: |
    p, role:org-admin, applications, *, */*, allow
    p, role:org-admin, clusters, get, *, allow
    p, role:org-admin, repositories, get, *, allow
    p, role:org-admin, repositories, create, *, allow
    p, role:org-admin, repositories, update, *, allow
    p, role:org-admin, repositories, delete, *, allow
    g, your-github-org:your-team, role:org-admin
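
To check what the policy above actually grants before applying it, the following added example (not part of the Argo CD documentation or code base) evaluates the same policy.csv with a simplified model of the rules. It is not Argo CD's Casbin enforcer: role:readonly is modeled as "get on everything" as an assumption, patterns are matched with Python globbing, and the function names are hypothetical.

```python
import csv
from fnmatch import fnmatchcase

# policy.csv and policy.default as given in the ConfigMap above.
POLICY_CSV = """\
p, role:org-admin, applications, *, */*, allow
p, role:org-admin, clusters, get, *, allow
p, role:org-admin, repositories, get, *, allow
p, role:org-admin, repositories, create, *, allow
p, role:org-admin, repositories, update, *, allow
p, role:org-admin, repositories, delete, *, allow
g, your-github-org:your-team, role:org-admin
"""
POLICY_DEFAULT = "role:readonly"
# Assumption: stand-in for the built-in role, following the page's description
# ("read-only access to all resources"), not the real builtin-policy.csv.
BUILTIN_CSV = "p, role:readonly, *, get, *, allow\n"


def load(text):
    """Split policy text into permission rules (p) and group-to-role bindings (g)."""
    rules, bindings = [], []
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        row = [cell.strip() for cell in row]
        if row[:1] == ["p"] and len(row) == 6:
            rules.append(tuple(row[1:]))       # subject, resource, action, object, effect
        elif row[:1] == ["g"] and len(row) == 3:
            bindings.append((row[1], row[2]))  # member, role
    return rules, bindings


def can(groups, resource, action, obj, policy=POLICY_CSV, default=POLICY_DEFAULT):
    """True if a user in the given SSO groups may perform the action on the object."""
    rules, bindings = load(BUILTIN_CSV + policy)
    subjects = set(groups) | {default}         # the default role applies to every user
    while True:                                # follow g lines until no new role appears
        new = {role for member, role in bindings if member in subjects} - subjects
        if not new:
            break
        subjects |= new
    effects = {
        eff for sub, res, act, ob, eff in rules
        if sub in subjects and fnmatchcase(resource, res)
        and fnmatchcase(action, act) and fnmatchcase(obj, ob)
    }
    return "allow" in effects and "deny" not in effects  # an explicit deny wins
```

Run as a pre-merge check, assertions such as "a member of your-github-org:your-team cannot update clusters" catch a policy edit that widens a role beyond what was intended.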