
Container Service for Kubernetes: Configure multi-tenant permissions for ACK One GitOps

Last Updated: Mar 26, 2026

This topic describes how to set up role-based access control (RBAC) for Distributed Cloud Container Platform for Kubernetes (ACK One) GitOps and verify that permission boundaries are enforced across teams.

Permission model

The following diagram shows the permission model used in this topic.

[Diagram: Security model]

Use cases

The examples in this topic use the following users and roles:

User           Role                       Resource scope           Permission
admin          Super administrator        All resources            Create and configure local users; create and configure projects; grant permissions to local users; query, create, modify, and delete global resources such as repositories
team01-admin   Project administrator      Project team01           Query, create, modify, and delete project-level resources such as repositories
team02-admin   Project administrator      Project team02           Query, create, modify, and delete project-level resources such as repositories
team01-user01  Application administrator  team01/production-app    Query, create, modify, and delete applications in team01/production-app
team01-user02  Application administrator  team01/staging-app       Query, create, modify, and delete applications in team01/staging-app

Prerequisites

Before you begin, ensure that you have:

  • An ACK One GitOps instance with ArgoCD running in the argocd namespace

  • kubectl access to the cluster with permissions to edit ConfigMaps in the argocd namespace

  • The ArgoCD CLI (argocd) installed and configured

Configure multi-tenant permissions for ACK One GitOps

Step 1: Add local users to argocd-cm

Edit the argocd-cm ConfigMap to define local user accounts:

kubectl edit cm argocd-cm -n argocd

Add the following entries under data:

data:
  accounts.team01-admin: login
  accounts.team01-admin.enabled: "true"
  accounts.team01-user01: login
  accounts.team01-user01.enabled: "true"
  accounts.team01-user02: login
  accounts.team01-user02.enabled: "true"
  accounts.team02-admin: login
  accounts.team02-admin.enabled: "true"

Step 2: Configure RBAC rules in argocd-rbac-cm

Edit the argocd-rbac-cm ConfigMap to define access policies:

kubectl edit cm argocd-rbac-cm -n argocd

Add the following policy.csv rules to the argocd-rbac-cm ConfigMap. Policy entries (p) define permissions for roles; group entries (g) bind users to roles.

data:
  policy.csv: |
    ...
    p, role:team01-admin, projects, get, team01, allow
    p, role:team01-admin, repositories, *, team01/*, allow
    p, role:team01-admin, applications, *, team01/*, allow
    p, role:team01-admin, repositories, get, *, allow
    p, role:team01-admin, clusters, get, *, allow
    p, role:team02-admin, projects, get, team02, allow
    p, role:team02-admin, repositories, *, team02/*, allow
    p, role:team02-admin, applications, *, team02/*, allow
    p, role:team02-admin, repositories, get, *, allow
    p, role:team02-admin, clusters, get, *, allow
    p, role:team01-user01, projects, get, team01, allow
    p, role:team01-user01, repositories, get, team01/*, allow
    p, role:team01-user01, repositories, get, *, allow
    p, role:team01-user01, clusters, get, *, allow
    p, role:team01-user01, applications, *, team01/production-app, allow
    p, role:team01-user02, projects, get, team01, allow
    p, role:team01-user02, repositories, get, team01/*, allow
    p, role:team01-user02, repositories, get, *, allow
    p, role:team01-user02, clusters, get, *, allow
    p, role:team01-user02, applications, *, team01/staging-app, allow
    ...
    g, team01-admin, role:team01-admin
    g, team02-admin, role:team02-admin
    g, team01-user01, role:team01-user01
    g, team01-user02, role:team01-user02

Step 3: View local users and set passwords

Log in as the admin account to view all local users and assign passwords.

  1. Set the ArgoCD CLI options to use port-forward, then list all accounts:

    export ARGOCD_OPTS='--port-forward-namespace argocd --port-forward'
    argocd account list

    Expected output:

    NAME           ENABLED  CAPABILITIES
    admin          true     apiKey, login
    team01-admin   true     login
    team01-user01  true     login
    team01-user02  true     login
    team02-admin   true     login
  2. Set a password for each local user:

    argocd account update-password --account <username> --current-password <current-password> --new-password <new-password>

Step 4: Add global repositories

Log in as admin and add the global repositories that both projects will share:

argocd repo add https://code.aliyun.com/bigteam/echo-server01.git
argocd repo add https://code.aliyun.com/bigteam/echo-server02.git
argocd repo list

Expected output:

TYPE  NAME  REPO                                               INSECURE  OCI    LFS    CREDS  STATUS      MESSAGE  PROJECT
git         https://code.aliyun.com/bigteam/echo-server01.git  false     false  false  false  Successful
git         https://code.aliyun.com/bigteam/echo-server02.git  false     false  false  false  Successful

Step 5: Create and configure projects

Log in as admin and create Project team01 and Project team02. Each project is bound to a specific repository and cluster:

Project  Git repository                                      Cluster
team01   https://code.aliyun.com/bigteam/echo-server01.git  https://47.111.XX.XX:6443
team02   https://code.aliyun.com/bigteam/echo-server02.git  https://47.97.XX.XX:6443

Run the following commands:

argocd proj create team01
argocd proj add-source team01 https://code.aliyun.com/bigteam/echo-server01.git
argocd proj add-destination team01 https://47.111.XX.XX:6443 "*"
argocd proj create team02
argocd proj add-source team02 https://code.aliyun.com/bigteam/echo-server02.git
argocd proj add-destination team02 https://47.97.XX.XX:6443 "*"

Step 6: Create scoped repositories in projects

Project administrators create repositories scoped to their own projects.

team01-admin

  1. Log in as team01-admin:

    argocd login
    Username: team01-admin
    Password:
    'team01-admin:login' logged in successfully
    Context 'port-forward' updated
  2. Add a repository scoped to Project team01:

    argocd repo add https://code.aliyun.com/team01/echo-server.git --project team01

    Expected output:

    Repository 'https://code.aliyun.com/team01/echo-server.git' added

team02-admin

  1. Log in as team02-admin:

    argocd login
    Username: team02-admin
    Password:
    'team02-admin:login' logged in successfully
    Context 'port-forward' updated
  2. Add a repository scoped to Project team02:

    argocd repo add https://code.aliyun.com/team02/echo-server.git --project team02

    Expected output:

    Repository 'https://code.aliyun.com/team02/echo-server.git' added

Verify the permission model for ACK One GitOps

All verification commands in this section run as team01-admin unless stated otherwise.

Verify permissions on projects

argocd account can-i create projects "*"
no
argocd account can-i update projects "team01"
no
argocd account can-i delete projects "team01"
no
argocd account can-i get projects "team01"
yes
argocd account can-i get projects "team02"
no

The project administrator can only view Project team01. Create, update, and delete are not permitted.

Verify permissions on repositories

argocd account can-i create repositories "*"
no
argocd account can-i update repositories "*"
no
argocd account can-i delete repositories "*"
no
argocd account can-i get repositories "*"
yes
argocd account can-i create repositories "team01/*"
yes
argocd account can-i update repositories "team01/*"
yes
argocd account can-i delete repositories "team01/*"
yes
argocd account can-i get repositories "team01/*"
yes

The project administrator can view global repositories and has full access to repositories in Project team01.

Verify permissions on clusters

argocd account can-i create clusters "*"
no
argocd account can-i update clusters "*"
no
argocd account can-i delete clusters "*"
no
argocd account can-i get clusters "*"
yes
argocd account can-i create clusters "team01/*"
no
argocd account can-i update clusters "team01/*"
no
argocd account can-i delete clusters "team01/*"
no

The project administrator can only view global clusters. No other cluster permissions are granted.

Verify permissions on applications

argocd account can-i create applications "*"
no
argocd account can-i update applications "*"
no
argocd account can-i delete applications "*"
no
argocd account can-i get applications "*"
no
argocd account can-i create applications "team01/*"
yes
argocd account can-i update applications "team01/*"
yes
argocd account can-i delete applications "team01/*"
yes
argocd account can-i get applications "team01/*"
yes

The project administrator can only query, create, modify, and delete applications in Project team01.
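To review the Step 2 policy offline before applying it, and to reproduce the can-i results above without a running instance, here is an added Python checker (not part of the ACK One or ArgoCD tooling). It embeds the team01 rules from policy.csv as constructed input, treats `*` as matching across `/` like ArgoCD's glob mode, and does not model the builtin roles or policy.default that the elided "..." lines may carry.

```python
import fnmatch

# Constructed copy of the team01 rules from Step 2 (the "..." lines omitted),
# embedded so the checker runs offline; it is not read from argocd-rbac-cm.
POLICY_CSV = """
p, role:team01-admin, projects, get, team01, allow
p, role:team01-admin, repositories, *, team01/*, allow
p, role:team01-admin, applications, *, team01/*, allow
p, role:team01-admin, repositories, get, *, allow
p, role:team01-admin, clusters, get, *, allow
p, role:team01-user01, projects, get, team01, allow
p, role:team01-user01, repositories, get, team01/*, allow
p, role:team01-user01, repositories, get, *, allow
p, role:team01-user01, clusters, get, *, allow
p, role:team01-user01, applications, *, team01/production-app, allow
g, team01-admin, role:team01-admin
g, team01-user01, role:team01-user01
"""


def parse_policy(csv_text):
    """Split policy.csv into permission rules (p) and user -> role bindings (g)."""
    rules, bindings = [], {}
    for line in csv_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            rules.append(tuple(fields[1:]))  # (subject, resource, action, object, effect)
        elif fields[0] == "g" and len(fields) == 3:
            bindings.setdefault(fields[1], set()).add(fields[2])
    return rules, bindings


def can_i(user, action, resource, obj, csv_text=POLICY_CSV):
    """Offline model of `argocd account can-i`: glob-match every rule whose subject is
    the user or one of the user's bound roles. Any matching deny wins, any matching
    allow grants, and with no match the answer is the default deny.
    Assumption: fnmatch '*' spans '/' the way ArgoCD's glob matching does."""
    rules, bindings = parse_policy(csv_text)
    subjects = {user} | bindings.get(user, set())
    effects = {
        eff for sub, res, act, pat, eff in rules
        if sub in subjects and res == resource
        and fnmatch.fnmatchcase(action, act) and fnmatch.fnmatchcase(obj, pat)
    }
    if "deny" in effects:
        return "no"
    return "yes" if "allow" in effects else "no"
```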

Verify project resource isolation

Run the following command to view the resources accessible to team01-admin:

argocd proj get team01

Expected output:

Name:                        team01
Description:
Destinations:                https://47.111.XX.XX:6443,*
Repositories:                https://code.aliyun.com/bigteam/echo-server01.git
Scoped Repositories:         https://code.aliyun.com/team01/echo-server.git
Allowed Cluster Resources:   <none>
Scoped Clusters:             <none>
Denied Namespaced Resources: <none>
Signature keys:              <none>
Orphaned Resources:          disabled

team01-admin has access to:

  • Global repository: https://code.aliyun.com/bigteam/echo-server01.git

  • Scoped repository: https://code.aliyun.com/team01/echo-server.git

  • Cluster: https://47.111.XX.XX:6443

Test 1: Create an application outside Project team01

argocd app create team01-admin-echo-server --repo https://code.aliyun.com/bigteam/echo-server01.git --dest-namespace team01-admin-echo-server --dest-server https://47.111.XX.XX:6443

Expected output:

FATA[0001] rpc error: code = PermissionDenied desc = permission denied: applications, create, default/team01-admin-echo-server, sub: team01-admin, iat: 2022-10-20T03:20:47Z

The request is denied because the application is not in Project team01.

Test 2: Create an application using an unauthorized repository and cluster

argocd app create team01-admin-echo-server --project team01 --repo https://code.aliyun.com/bigteam/echo-server02.git --path manifests/directory/production --dest-namespace team01-admin-echo-server --dest-server https://47.97.XX.XX:6443

Expected output:

FATA[0002] rpc error: code = InvalidArgument desc = application spec for team01-admin-echo-server is invalid: InvalidSpecError: application repo https://code.aliyun.com/bigteam/echo-server02.git is not permitted in project 'team01';InvalidSpecError: application destination {https://xx.xx.xx.xx:6443 team01-admin-echo-server} is not permitted in project 'team01

The request is denied because the repository and cluster are not permitted in Project team01.

Test 3: Create an application using an authorized repository and cluster

argocd app create team01-admin-echo-server --project team01 --repo https://code.aliyun.com/bigteam/echo-server01.git --path manifests/directory/production --dest-namespace team01-admin-echo-server --dest-server https://47.111.XX.XX:6443

Expected output:

application 'team01-admin-echo-server' created

The application is created successfully in Project team01.
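The InvalidSpecError messages in Test 2 come from the project's source and destination lists rather than from the RBAC policy, so an application that passes the RBAC check can still be rejected. The following added Python model (not ArgoCD's own validation code) reproduces that second layer for the projects from Step 5; it assumes only the global sources shown there and leaves project-scoped repositories out of the model.

```python
import fnmatch

# Constructed from Step 5: each project's allowed source repositories and its
# (server, namespace glob) destinations, as set with add-source/add-destination.
PROJECTS = {
    "team01": {"sources": ["https://code.aliyun.com/bigteam/echo-server01.git"],
               "destinations": [("https://47.111.XX.XX:6443", "*")]},
    "team02": {"sources": ["https://code.aliyun.com/bigteam/echo-server02.git"],
               "destinations": [("https://47.97.XX.XX:6443", "*")]},
}


def validate_app(project, repo, dest_server, dest_namespace, projects=PROJECTS):
    """Return the InvalidSpecError-style messages an Application spec would trigger
    against its project, or an empty list when the spec is permitted.
    Assumption: sources are glob patterns and namespaces match per destination glob;
    project-scoped repositories (Step 6) are not part of this model."""
    proj = projects[project]
    errors = []
    if not any(fnmatch.fnmatchcase(repo, pattern) for pattern in proj["sources"]):
        errors.append(f"application repo {repo} is not permitted in project '{project}'")
    if not any(server == dest_server and fnmatch.fnmatchcase(dest_namespace, ns_glob)
               for server, ns_glob in proj["destinations"]):
        errors.append(f"application destination {{{dest_server} {dest_namespace}}} "
                      f"is not permitted in project '{project}'")
    return errors
```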