This topic describes how to configure multi-tenant permissions for Distributed Cloud Container Platform for Kubernetes (ACK One) GitOps and how to verify the permissions.
Permission model
Use scenarios
User | Role | Resource scope | Permission |
admin | Super administrator | All resources | |
team01-admin | Project administrator | Project team01 | Query, create, modify, and delete project-level resources, such as repositories. |
team02-admin | Project administrator | Project team02 | Query, create, modify, and delete project-level resources, such as repositories. |
team01-user01 | Application administrator | team01/production-app | Query, create, modify, and delete applications in team01/production-app. |
team01-user02 | Application administrator | team01/staging-app | Query, create, modify, and delete applications in team01/staging-app. |
Configure multi-tenant permissions for ACK One GitOps
Run the following command to modify the argocd-cm ConfigMap:
kubectl edit cm argocd-cm -n argocd
Add the following local users to the argocd-cm ConfigMap:
data:
  accounts.team01-admin: login
  accounts.team01-admin.enabled: "true"
  accounts.team01-user01: login
  accounts.team01-user01.enabled: "true"
  accounts.team01-user02: login
  accounts.team01-user02.enabled: "true"
  accounts.team02-admin: login
  accounts.team02-admin.enabled: "true"
Run the following command to modify the argocd-rbac-cm ConfigMap:
kubectl edit cm argocd-rbac-cm -n argocd
Configure role-based access control (RBAC) rules for the local users in the argocd-rbac-cm ConfigMap. Each rule must grant a user only the resources listed for that user in the permission table.
Log on to ArgoCD with the admin account, view the local users, and set a password for each local user.
Run the following command to view local users:
export ARGOCD_OPTS='--port-forward-namespace argocd --port-forward'
argocd account list
Expected output:
NAME           ENABLED  CAPABILITIES
admin          true     apiKey, login
team01-admin   true     login
team01-user01  true     login
team01-user02  true     login
team02-admin   true     login
Run the following command to set a password for a local user:
argocd account update-password --account <username> --current-password <current password> --new-password <new password>
Log on to ArgoCD with the admin account and run the following command to add global repositories:
argocd repo add https://code.aliyun.com/bigteam/echo-server01.git
argocd repo add https://code.aliyun.com/bigteam/echo-server02.git
argocd repo list
TYPE  NAME  REPO                                               INSECURE  OCI    LFS    CREDS  STATUS      MESSAGE  PROJECT
git         https://code.aliyun.com/bigteam/echo-server01.git  false     false  false  false  Successful
git         https://code.aliyun.com/bigteam/echo-server02.git  false     false  false  false  Successful
Log on to ArgoCD with the admin account and run the following commands to create and configure Project team01 and Project team02. Each project is restricted to the following resources:
Category | Git Repository | Cluster |
Resources that Project team01 is allowed to access | https://code.aliyun.com/bigteam/echo-server01.git | https://47.111.XX.XX:6443 |
Resources that Project team02 is allowed to access | https://code.aliyun.com/bigteam/echo-server02.git | https://47.97.XX.XX:6443 |
argocd proj create team01
argocd proj add-source team01 https://code.aliyun.com/bigteam/echo-server01.git
argocd proj add-destination team01 https://47.111.XX.XX:6443 "*"
argocd proj create team02
argocd proj add-source team02 https://code.aliyun.com/bigteam/echo-server02.git
argocd proj add-destination team02 https://47.97.XX.XX:6443 "*"
Use the team01-admin and team02-admin accounts to create repositories in the projects.
team01-admin
Run the following command to log on with the team01-admin account:
argocd login
Username: team01-admin
Password:
'team01-admin:login' logged in successfully
Context 'port-forward' updated
Run the following command to create a repository in Project team01:
argocd repo add https://code.aliyun.com/team01/echo-server.git --project team01
Expected output:
Repository 'https://code.aliyun.com/team01/echo-server.git' added
team02-admin
Run the following command to log on with the team02-admin account:
argocd login
Username: team02-admin
Password:
'team02-admin:login' logged in successfully
Context 'port-forward' updated
Run the following command to create a repository in Project team02:
argocd repo add https://code.aliyun.com/team02/echo-server.git --project team02
Expected output:
Repository 'https://code.aliyun.com/team02/echo-server.git' added
Verify the permission model for ACK One GitOps
Verify the permissions of the project administrator on resources
Verify the permissions on projects
Run the following commands to verify the permissions of team01-admin on projects:
argocd account can-i create projects "*"
no
argocd account can-i update projects "team01"
no
argocd account can-i delete projects "team01"
no
argocd account can-i get projects "team01"
yes
argocd account can-i get projects "team02"
no
The preceding output indicates that the project administrator can only view Project team01. The project administrator does not have other permissions.
Verify the permissions on repositories
Run the following commands to verify the permissions of team01-admin on repositories:
argocd account can-i create repositories "*"
no
argocd account can-i update repositories "*"
no
argocd account can-i delete repositories "*"
no
argocd account can-i get repositories "*"
yes
argocd account can-i create repositories "team01/*"
yes
argocd account can-i update repositories "team01/*"
yes
argocd account can-i delete repositories "team01/*"
yes
argocd account can-i get repositories "team01/*"
yes
The preceding output indicates that the project administrator can view global repositories and query, create, modify, and delete repositories in Project team01.
Verify the permissions on clusters
Run the following commands to verify the permissions of team01-admin on clusters:
argocd account can-i create clusters "*"
no
argocd account can-i update clusters "*"
no
argocd account can-i delete clusters "*"
no
argocd account can-i get clusters "*"
yes
argocd account can-i create clusters "team01/*"
no
argocd account can-i update clusters "team01/*"
no
argocd account can-i delete clusters "team01/*"
no
The preceding output indicates that the project administrator can only view global clusters. The project administrator does not have other permissions.
Verify the permissions on applications
Run the following commands to verify the permissions of team01-admin on applications:
argocd account can-i create applications "*"
no
argocd account can-i update applications "*"
no
argocd account can-i delete applications "*"
no
argocd account can-i get applications "*"
no
argocd account can-i create applications "team01/*"
yes
argocd account can-i update applications "team01/*"
yes
argocd account can-i delete applications "team01/*"
yes
argocd account can-i get applications "team01/*"
yes
The preceding output indicates that the project administrator can only query, create, modify, and delete applications in Project team01. The project administrator does not have other permissions.
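The RBAC rules that the argocd-rbac-cm step asks for are not reproduced on this page. The following added example (not from the page or from ACK One) constructs a policy.csv that yields exactly the can-i results verified above for team01-admin and team01-user01, and evaluates it offline with a simplified version of ArgoCD's Casbin matching, so a policy can be checked against the permission table before it is applied. Assumed: the rule set itself, an empty policy.default, and glob-only matching.

```python
import csv
import fnmatch
from io import StringIO

# Constructed policy.csv for the argocd-rbac-cm ConfigMap (an assumption: the page
# omits its rules). Reproduces the can-i results listed for team01-admin; team02
# mirrors team01. Assumes policy.default is empty, so unlisted requests are denied.
POLICY_CSV = """\
p, role:team01-admin, projects, get, team01, allow
p, role:team01-admin, repositories, get, *, allow
p, role:team01-admin, repositories, *, team01/*, allow
p, role:team01-admin, clusters, get, *, allow
p, role:team01-admin, applications, *, team01/*, allow
p, role:team01-user01, applications, *, team01/production-app, allow
g, team01-admin, role:team01-admin
g, team01-user01, role:team01-user01
"""

def load_policy(text):
    """p-lines -> (subject, resource, action, object, effect); g-lines -> user: {roles}."""
    rules, groups = [], {}
    for row in csv.reader(StringIO(text), skipinitialspace=True):
        if row and row[0] == "p" and len(row) == 6:
            rules.append(tuple(row[1:]))
        elif row and row[0] == "g" and len(row) == 3:
            groups.setdefault(row[1], set()).add(row[2])
    return rules, groups

def subjects_for(user, groups):
    """The user plus every role reachable through g-lines (roles may nest)."""
    seen, stack = {user}, [user]
    while stack:
        for role in groups.get(stack.pop(), ()):
            if role not in seen:
                seen.add(role)
                stack.append(role)
    return seen

def can_i(user, action, resource, obj, rules, groups):
    """Simplified `argocd account can-i <action> <resource> <obj>`: glob matching only
    (no /regex/ patterns); "yes" when some rule allows and no rule denies."""
    subs = subjects_for(user, groups)
    allowed = denied = False
    for sub, res, act, pobj, eft in rules:
        if sub in subs and all(fnmatch.fnmatchcase(val, pat) for val, pat in
                               ((resource, res), (action, act), (obj, pobj))):
            allowed |= eft == "allow"
            denied |= eft == "deny"
    return "yes" if allowed and not denied else "no"

RULES, GROUPS = load_policy(POLICY_CSV)
```

Because the request object is matched against the policy object as a glob, a check on "*" only succeeds for rules whose object is itself "*", which is why team01-admin can get repositories "*" but not applications "*".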
Verify the permissions to create applications
Run the following command to view the resources that team01-admin can access in Project team01:
argocd proj get team01
Name:                        team01
Description:
Destinations:                https://47.111.XX.XX:6443,*
Repositories:                https://code.aliyun.com/bigteam/echo-server01.git
Scoped Repositories:         https://code.aliyun.com/team01/echo-server.git
Allowed Cluster Resources:   <none>
Scoped Clusters:             <none>
Denied Namespaced Resources: <none>
Signature keys:              <none>
Orphaned Resources:          disabled
Repositories that team01-admin can access: the global repository https://code.aliyun.com/bigteam/echo-server01.git and the scoped repository https://code.aliyun.com/team01/echo-server.git in Project team01.
Clusters that team01-admin can access: https://47.111.XX.XX:6443.
Run the following command to create an application outside Project team01:
argocd app create team01-admin-echo-server --repo https://code.aliyun.com/bigteam/echo-server01.git --dest-namespace team01-admin-echo-server --dest-server https://47.111.XX.XX:6443
Expected output:
FATA[0001] rpc error: code = PermissionDenied desc = permission denied: applications, create, default/team01-admin-echo-server, sub: team01-admin, iat: 2022-10-20T03:20:47Z
The preceding output indicates that the system failed to create an application outside Project team01.
Run the following command to create an application by using an unauthorized repository and cluster:
argocd app create team01-admin-echo-server --project team01 --repo https://code.aliyun.com/bigteam/echo-server02.git --path manifests/directory/production --dest-namespace team01-admin-echo-server --dest-server https://47.97.XX.XX:6443
Expected output:
FATA[0002] rpc error: code = InvalidArgument desc = application spec for team01-admin-echo-server is invalid: InvalidSpecError: application repo https://code.aliyun.com/bigteam/echo-server02.git is not permitted in project 'team01';InvalidSpecError: application destination {https://xx.xx.xx.xx:6443 team01-admin-echo-server} is not permitted in project 'team01
The preceding output indicates that the system failed to create an application by using an unauthorized repository and cluster.
Run the following command to create an application in Project team01 by using an authorized repository and cluster:
argocd app create team01-admin-echo-server --project team01 --repo https://code.aliyun.com/bigteam/echo-server01.git --path manifests/directory/production --dest-namespace team01-admin-echo-server --dest-server https://47.111.XX.XX:6443
Expected output:
application 'team01-admin-echo-server' created
The preceding output indicates that the system has created an application in Project team01.