Container Service for Kubernetes:Configure multi-tenant permissions for ACK One GitOps

Last Updated:Feb 02, 2024

This topic describes how to configure multi-tenant permissions for Distributed Cloud Container Platform for Kubernetes (ACK One) GitOps and how to verify the permissions.

Permission model

The following table describes the security model and the use scenarios of ACK One GitOps multi-tenant permissions. Every local user is bound to exactly one role, and each role is scoped either to a whole project or to a single application within a project.

| User | Role | Resource scope | Permission |
| --- | --- | --- | --- |
| admin | Super administrator | All resources | Create and configure local users; create and configure projects; grant permissions to local users; query, create, modify, and delete global resources, such as repositories. |
| team01-admin | Project administrator | Project team01 | Query, create, modify, and delete project-level resources, such as repositories. |
| team02-admin | Project administrator | Project team02 | Query, create, modify, and delete project-level resources, such as repositories. |
| team01-user01 | Application administrator | team01/production-app | Query, create, modify, and delete the application production-app in Project team01. |
| team01-user02 | Application administrator | team01/staging-app | Query, create, modify, and delete the application staging-app in Project team01. |

Configure multi-tenant permissions for ACK One GitOps

  1. Run the following command to modify the argocd-cm ConfigMap:

    kubectl edit cm argocd-cm -n argocd
  2. Add the following local users to the argocd-cm ConfigMap:

    data:
      accounts.team01-admin: login
      accounts.team01-admin.enabled: "true"
      accounts.team01-user01: login
      accounts.team01-user01.enabled: "true"
      accounts.team01-user02: login
      accounts.team01-user02.enabled: "true"
      accounts.team02-admin: login
      accounts.team02-admin.enabled: "true"
  3. Run the following command to modify the argocd-rbac-cm ConfigMap:

    kubectl edit cm argocd-rbac-cm -n argocd
  4. Configure the following role-based access control (RBAC) rules for the local users in the argocd-rbac-cm ConfigMap. Each p line grants a role one action (or * for all actions) on a resource whose object name must match a glob; project-scoped objects are written as <project>/<name>, so team01/* confines a role to Project team01. Each g line binds a local user to its role. Make sure that policy.default is not set to role:admin: a default role applies to every authenticated account, including the team accounts, regardless of the rules below.

    data:
      policy.csv: |
        ...
        p, role:team01-admin, projects, get, team01, allow
        p, role:team01-admin, repositories, *, team01/*, allow
        p, role:team01-admin, applications, *, team01/*, allow
        p, role:team01-admin, repositories, get, *, allow
        p, role:team01-admin, clusters, get, *, allow
        p, role:team02-admin, projects, get, team02, allow
        p, role:team02-admin, repositories, *, team02/*, allow
        p, role:team02-admin, applications, *, team02/*, allow
        p, role:team02-admin, repositories, get, *, allow
        p, role:team02-admin, clusters, get, *, allow
        p, role:team01-user01, projects, get, team01, allow
        p, role:team01-user01, repositories, get, team01/*, allow
        p, role:team01-user01, repositories, get, *, allow
        p, role:team01-user01, clusters, get, *, allow
        p, role:team01-user01, applications, *, team01/production-app, allow
        p, role:team01-user02, projects, get, team01, allow
        p, role:team01-user02, repositories, get, team01/*, allow
        p, role:team01-user02, repositories, get, *, allow
        p, role:team01-user02, clusters, get, *, allow
        p, role:team01-user02, applications, *, team01/staging-app, allow
        ...
        g, team01-admin, role:team01-admin
        g, team02-admin, role:team02-admin
        g, team01-user01, role:team01-user01
        g, team01-user02, role:team01-user02
  5. Log on to ArgoCD with the admin account, view the local users, and set a password for each local user.

    1. Run the following commands to view local users. ARGOCD_OPTS makes the CLI reach the API server through a port forward into the argocd namespace, so no server address is needed:

      export ARGOCD_OPTS='--port-forward-namespace argocd --port-forward'
      argocd account list

      Expected output:

      NAME           ENABLED  CAPABILITIES
      admin          true     apiKey, login
      team01-admin   true     login
      team01-user01  true     login
      team01-user02  true     login
      team02-admin   true     login
    2. Run the following command to set a password for a local user. When the admin account sets the password of another account, <current password> is the password of the admin account, not of the target user:

      argocd account update-password --account <username> --current-password <current password> --new-password <new password>
  6. Log on to ArgoCD with the admin account and run the following command to add global repositories:

    argocd repo add https://code.aliyun.com/bigteam/echo-server01.git
    argocd repo add https://code.aliyun.com/bigteam/echo-server02.git
    argocd repo list
    TYPE  NAME  REPO                                               INSECURE  OCI    LFS    CREDS  STATUS      MESSAGE  PROJECT
    git         https://code.aliyun.com/bigteam/echo-server01.git  false     false  false  false  Successful
    git         https://code.aliyun.com/bigteam/echo-server02.git  false     false  false  false  Successful
  7. Log on to ArgoCD with the admin account and run the following commands to create and configure Project team01 and Project team02. Each project is allowed to use only the repository and the cluster listed for it in the following table.

    | Category | Git Repository | Cluster |
    | --- | --- | --- |
    | Resources that Project team01 is allowed to access | https://code.aliyun.com/bigteam/echo-server01.git | https://47.111.XX.XX:6443 |
    | Resources that Project team02 is allowed to access | https://code.aliyun.com/bigteam/echo-server02.git | https://47.97.XX.XX:6443 |

    argocd proj create team01
    argocd proj add-source team01 https://code.aliyun.com/bigteam/echo-server01.git
    argocd proj add-destination team01 https://47.111.XX.XX:6443 "*"
    argocd proj create team02
    argocd proj add-source team02 https://code.aliyun.com/bigteam/echo-server02.git
    argocd proj add-destination team02 https://47.97.XX.XX:6443 "*"

    The last argument of add-destination is the namespace glob. "*" lets the project deploy into any namespace of the cluster, including system namespaces such as kube-system. For stricter tenant isolation, replace it with the namespaces the team owns, for example team01-*, or add one destination per namespace.
  8. Use the team01-admin and team02-admin accounts to create repositories in the projects. A repository added with --project is scoped to that project and can be managed only by roles that are allowed repositories actions on <project>/*.

    • team01-admin

      1. Run the following command to log on with the team01-admin account (no server address is needed because ARGOCD_OPTS from step 5 enables port forwarding):

        argocd login
        Username: team01-admin
        Password:
        'team01-admin:login' logged in successfully
        Context 'port-forward' updated
      2. Run the following command to create a repository in Project team01:

        argocd repo add https://code.aliyun.com/team01/echo-server.git --project team01

        Expected output:

        Repository 'https://code.aliyun.com/team01/echo-server.git' added
    • team02-admin

      1. Run the following command to log on with the team02-admin account:

        argocd login
        Username: team02-admin
        Password:
        'team02-admin:login' logged in successfully
        Context 'port-forward' updated
      2. Run the following command to create a repository in Project team02:

        argocd repo add https://code.aliyun.com/team02/echo-server.git --project team02

        Expected output:

        Repository 'https://code.aliyun.com/team02/echo-server.git' added
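The allow lists that steps 7 and 8 set up (sourceRepos through add-source, destinations through add-destination) are what ArgoCD checks an application spec against, separately from the RBAC rules of step 4. The following Python is an added example, not ACK One's or Argo CD's own code: it models the team01 and team02 allow lists exactly as created in step 7, reproduces the "is not permitted in project" checks offline, and contrasts the "*" namespace with a stricter team01-* destination (the strict variant is an assumption made for the example, not a setting from this page). Project-scoped repositories added in step 8 are listed separately by argocd proj get and are not modelled here.

```python
"""Offline check of an Argo CD Application against its AppProject allow lists.

Added example for this page, not ACK One's or Argo CD's own code. It mirrors the
two server-side checks behind the "is not permitted in project" errors shown in
the verification section: the application's repo URL must match a sourceRepos
glob of the project, and its destination must match the server glob AND the
namespace glob of at least one destinations entry.
"""
from fnmatch import fnmatchcase
from typing import Dict, List

# Allow lists exactly as created by `argocd proj add-source/add-destination` in step 7.
PROJECTS: Dict[str, dict] = {
    "team01": {
        "sourceRepos": ["https://code.aliyun.com/bigteam/echo-server01.git"],
        "destinations": [{"server": "https://47.111.XX.XX:6443", "namespace": "*"}],
    },
    "team02": {
        "sourceRepos": ["https://code.aliyun.com/bigteam/echo-server02.git"],
        "destinations": [{"server": "https://47.97.XX.XX:6443", "namespace": "*"}],
    },
}

# Hardened variant (an assumption for this example, not from the page): the same
# cluster, but only namespaces carrying the team prefix may be deployment targets.
PROJECTS_STRICT: Dict[str, dict] = {
    "team01": {
        "sourceRepos": PROJECTS["team01"]["sourceRepos"],
        "destinations": [{"server": "https://47.111.XX.XX:6443", "namespace": "team01-*"}],
    },
}


def normalize_repo(url: str) -> str:
    """Approximation of Argo CD's repo URL normalisation (lower-casing, trailing
    .git and slash removed) so one repository written two ways is one entry."""
    url = url.strip().lower().rstrip("/")
    return url[:-4] if url.endswith(".git") else url


def is_source_permitted(project: dict, repo_url: str) -> bool:
    repo = normalize_repo(repo_url)
    return any(fnmatchcase(repo, normalize_repo(pattern)) for pattern in project["sourceRepos"])


def is_destination_permitted(project: dict, server: str, namespace: str) -> bool:
    return any(fnmatchcase(server, d["server"]) and fnmatchcase(namespace, d["namespace"])
               for d in project["destinations"])


def validate_app(projects: Dict[str, dict], project_name: str, repo_url: str,
                 server: str, namespace: str) -> List[str]:
    """Return the InvalidSpecError-style messages Argo CD would report; an empty
    list means the project permits the application spec."""
    project = projects.get(project_name)
    if project is None:
        return [f"application references project {project_name} which does not exist"]
    errors = []
    if not is_source_permitted(project, repo_url):
        errors.append(f"application repo {repo_url} is not permitted in project '{project_name}'")
    if not is_destination_permitted(project, server, namespace):
        errors.append(f"application destination {{{server} {namespace}}} "
                      f"is not permitted in project '{project_name}'")
    return errors


if __name__ == "__main__":
    # The rejected command from the verification section: team02's repo and cluster in team01.
    for msg in validate_app(PROJECTS, "team01", "https://code.aliyun.com/bigteam/echo-server02.git",
                            "https://47.97.XX.XX:6443", "team01-admin-echo-server"):
        print("InvalidSpecError:", msg)
    # With namespace "*" the project may deploy into kube-system; the strict variant refuses.
    repo01 = PROJECTS["team01"]["sourceRepos"][0]
    print("wildcard:", validate_app(PROJECTS, "team01", repo01, "https://47.111.XX.XX:6443", "kube-system"))
    print("strict:", validate_app(PROJECTS_STRICT, "team01", repo01, "https://47.111.XX.XX:6443", "kube-system"))
```

Running the script prints the two rejection messages for team02's repository and cluster, then shows the difference the namespace glob makes: with "*" the team01 project may deploy into kube-system on its cluster, with team01-* that destination is refused.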

Verify the permission model for ACK One GitOps

Verify the permissions of the project administrator on resources

Verify the permissions on projects

Run the following commands as team01-admin to verify the permissions of team01-admin on projects (argocd account can-i evaluates the RBAC rules for the account that is currently logged on):

argocd account can-i create projects "*"
no
argocd account can-i update projects "team01"
no
argocd account can-i delete projects "team01"
no
argocd account can-i get projects "team01"
yes
argocd account can-i get projects "team02"
no

The preceding output indicates that the project administrator can only view Project team01. team01-admin cannot create, modify, or delete projects, and cannot even view Project team02.

Verify the permissions on repositories

Run the following commands to verify the permissions of team01-admin on repositories:

argocd account can-i create repositories "*"
no
argocd account can-i update repositories "*"
no
argocd account can-i delete repositories "*"
no
argocd account can-i get repositories "*"
yes
argocd account can-i create repositories "team01/*"
yes
argocd account can-i update repositories "team01/*"
yes
argocd account can-i delete repositories "team01/*"
yes
argocd account can-i get repositories "team01/*"
yes

The preceding output indicates that the project administrator can view global repositories and query, create, modify, and delete repositories in Project team01, but cannot create, modify, or delete repositories outside the project. Note that the object pattern * in the repositories, get rule is a glob, so it is evaluated against every repository object, not only the global ones. If repository metadata must also be isolated between teams, run argocd account can-i get repositories "team02/*" as team01-admin and, if the answer is yes, tighten the rule, for example by listing the global repository URLs explicitly instead of *.

Verify the permissions on clusters

Run the following commands to verify the permissions of team01-admin on clusters:

argocd account can-i create clusters "*"
no
argocd account can-i update clusters "*"
no
argocd account can-i delete clusters "*"
no
argocd account can-i get clusters "*"
yes
argocd account can-i create clusters "team01/*"
no
argocd account can-i update clusters "team01/*"
no
argocd account can-i delete clusters "team01/*"
no

The preceding output indicates that the project administrator can only view global clusters. The project administrator cannot create, modify, or delete clusters, not even project-scoped ones.

Verify the permissions on applications

Run the following commands to verify the permissions of team01-admin on applications:

argocd account can-i create applications "*"
no
argocd account can-i update applications "*"
no
argocd account can-i delete applications "*"
no
argocd account can-i get applications "*"
no
argocd account can-i create applications "team01/*"
yes
argocd account can-i update applications "team01/*"
yes
argocd account can-i delete applications "team01/*"
yes
argocd account can-i get applications "team01/*"
yes

The preceding output indicates that the project administrator can only query, create, modify, and delete applications in Project team01, and cannot even list applications outside it.

Verify the permissions to create applications

  • Run the following command to view the resources that Project team01 is allowed to use, and therefore the resources that team01-admin can reference when creating an application:

    argocd proj get team01
    Name:                        team01
    Description:
    Destinations:                https://47.111.XX.XX:6443,*
    Repositories:                https://code.aliyun.com/bigteam/echo-server01.git
    Scoped Repositories:         https://code.aliyun.com/team01/echo-server.git
    Allowed Cluster Resources:   <none>
    Scoped Clusters:             <none>
    Denied Namespaced Resources: <none>
    Signature keys:              <none>
    Orphaned Resources:          disabled

    The output shows what team01-admin can access:

    • Repositories:

      • Global repository: https://code.aliyun.com/bigteam/echo-server01.git.

      • Scoped repository in Project team01: https://code.aliyun.com/team01/echo-server.git.

    • Cluster: https://47.111.XX.XX:6443, in any namespace, because the destination was added with the namespace glob "*".
  • Run the following command to create an application outside Project team01. The command omits --project, so ArgoCD places the application in the default project, on which team01-admin has no permissions:

    argocd app create team01-admin-echo-server --repo https://code.aliyun.com/bigteam/echo-server01.git --dest-namespace team01-admin-echo-server --dest-server https://47.111.XX.XX:6443

    Expected output:

    FATA[0001] rpc error: code = PermissionDenied desc = permission denied: applications, create, default/team01-admin-echo-server, sub: team01-admin, iat: 2022-10-20T03:20:47Z

    The preceding output indicates that the application could not be created outside Project team01: the RBAC check for applications, create on default/team01-admin-echo-server failed for subject team01-admin.

  • Run the following command to create an application in Project team01 by using a repository and a cluster that the project does not allow (the repository and cluster of Project team02):

    argocd app create team01-admin-echo-server --project team01 --repo https://code.aliyun.com/bigteam/echo-server02.git --path manifests/directory/production --dest-namespace team01-admin-echo-server --dest-server https://47.97.XX.XX:6443

    Expected output:

    FATA[0002] rpc error: code = InvalidArgument desc = application spec for team01-admin-echo-server is invalid: InvalidSpecError: application repo https://code.aliyun.com/bigteam/echo-server02.git is not permitted in project 'team01';InvalidSpecError: application destination {https://xx.xx.xx.xx:6443 team01-admin-echo-server} is not permitted in project 'team01'

    The preceding output indicates that the application could not be created. The RBAC check passed, because team01-admin may create applications in team01/*, but the source and destination allow lists of the project rejected both the repository and the cluster. This project-level check is the second layer of the permission model and is enforced independently of RBAC.

  • Run the following command to create an application in Project team01 by using an authorized repository and cluster:

    argocd app create team01-admin-echo-server --project team01 --repo https://code.aliyun.com/bigteam/echo-server01.git --path manifests/directory/production --dest-namespace team01-admin-echo-server --dest-server https://47.111.XX.XX:6443

    Expected output:

    application 'team01-admin-echo-server' created

    The preceding output indicates that the application has been created in Project team01: both the RBAC rules and the allow lists of the project permit it.
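The manual can-i checks above exercise the policy from step 4 against a live ArgoCD. The following Python is an added example, not ACK One's or Argo CD's own code: it re-implements the evaluation rules Argo CD applies to policy.csv (g role bindings, glob matching of resource, action and object, allow-unless-denied, fallback to policy.default) so the same checks, plus a lint for rules that grant write actions outside a project prefix, can be run offline against the exact policy from this page before it is applied. For authoritative offline answers use argocd admin settings rbac can-i with --policy-file; this script only makes the logic visible.

```python
"""Offline evaluation of an Argo CD argocd-rbac-cm policy.csv.

Added example for this page, not ACK One's or Argo CD's own code. It mirrors the
rules Argo CD applies to policy.csv: `p, subject, resource, action, object, effect`
rows are matched as globs (`*` matches anything, including `/`); `g, user, role`
rows bind users to roles; a request is allowed only if some matching row says
allow and none says deny, otherwise it is retried as the policy.default role.
`argocd admin settings rbac can-i ... --policy-file` is the authoritative tool.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set, Tuple

# policy.csv from step 4 of this page (its elided "..." rows are not included).
POLICY_CSV = """
p, role:team01-admin, projects, get, team01, allow
p, role:team01-admin, repositories, *, team01/*, allow
p, role:team01-admin, applications, *, team01/*, allow
p, role:team01-admin, repositories, get, *, allow
p, role:team01-admin, clusters, get, *, allow
p, role:team02-admin, projects, get, team02, allow
p, role:team02-admin, repositories, *, team02/*, allow
p, role:team02-admin, applications, *, team02/*, allow
p, role:team02-admin, repositories, get, *, allow
p, role:team02-admin, clusters, get, *, allow
p, role:team01-user01, projects, get, team01, allow
p, role:team01-user01, repositories, get, team01/*, allow
p, role:team01-user01, repositories, get, *, allow
p, role:team01-user01, clusters, get, *, allow
p, role:team01-user01, applications, *, team01/production-app, allow
p, role:team01-user02, projects, get, team01, allow
p, role:team01-user02, repositories, get, team01/*, allow
p, role:team01-user02, repositories, get, *, allow
p, role:team01-user02, clusters, get, *, allow
p, role:team01-user02, applications, *, team01/staging-app, allow
g, team01-admin, role:team01-admin
g, team02-admin, role:team02-admin
g, team01-user01, role:team01-user01
g, team01-user02, role:team01-user02
"""
Rule = Tuple[str, str, str, str, str]  # subject, resource, action, object, effect
WRITE_ACTIONS = {"create", "update", "delete", "sync", "override", "action", "*"}


def parse_policy(csv_text: str) -> Tuple[List[Rule], Dict[str, Set[str]]]:
    """Split policy.csv into p rows and g bindings; reject malformed rows."""
    rules: List[Rule] = []
    bindings: Dict[str, Set[str]] = {}
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            rules.append((fields[1], fields[2], fields[3], fields[4], fields[5]))
        elif fields[0] == "g" and len(fields) == 3:
            bindings.setdefault(fields[1], set()).add(fields[2])
        else:
            raise ValueError(f"malformed policy row: {line!r}")
    return rules, bindings


def subjects_for(name: str, bindings: Dict[str, Set[str]]) -> Set[str]:
    """The subject itself plus every role reachable through g rows."""
    seen, stack = {name}, [name]
    while stack:
        for role in bindings.get(stack.pop(), ()):
            if role not in seen:
                seen.add(role)
                stack.append(role)
    return seen


def can_i(user: str, action: str, resource: str, obj: str, rules: List[Rule],
          bindings: Dict[str, Set[str]], default_role: Optional[str] = None) -> bool:
    """Mirror of `argocd account can-i ACTION RESOURCE OBJECT` run as `user`."""
    def enforce(subject: str) -> bool:
        subjects = subjects_for(subject, bindings)
        allowed = denied = False
        for sub, res, act, pat, effect in rules:
            if (sub in subjects and fnmatchcase(resource, res)
                    and fnmatchcase(action, act) and fnmatchcase(obj, pat)):
                allowed = allowed or effect == "allow"
                denied = denied or effect == "deny"
        return allowed and not denied

    return enforce(user) or (default_role is not None and enforce(default_role))


def cross_tenant_writes(rules: List[Rule]) -> List[Rule]:
    """Lint: allow rows granting a write action on an object glob not anchored to a
    project prefix (`*`, `*/*`, ...), which lets one team write into every project."""
    return [r for r in rules if r[4] == "allow" and r[2] in WRITE_ACTIONS and r[3].startswith("*")]


if __name__ == "__main__":
    rules, bindings = parse_policy(POLICY_CSV)
    print("team01-admin can-i get projects team02:",
          can_i("team01-admin", "get", "projects", "team02", rules, bindings))
    print("cross-tenant write rows:", cross_tenant_writes(rules))
```

Pass a candidate policy.csv to parse_policy and call can_i with the same action, resource and object you would give argocd account can-i; the lint returns an empty list for the policy on this page and flags any role whose write rule uses an object glob such as */*.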