This topic describes the types of users that are supported by Distributed Cloud Container Platform for Kubernetes (ACK One) GitOps and how to grant permissions to users.
User types
ACK One GitOps supports multi-user collaboration. The administrator can create users, delete users, and grant Argo CD Role-Based Access Control (RBAC) permissions and Argo CD application permissions to users. ACK One GitOps supports the following types of users:
Local User
Local users. The administrator can create local users and generate authentication tokens that are automatically used by the system to call the Argo CD API to create Argo CD applications and projects. If your team has a limited number of members, you can create local users. For more information about how to grant permissions to local users, see Grant permissions to a local user.
RAM users or RAM roles within an Alibaba Cloud account
RAM users or RAM roles. We recommend that you use RAM users to log on to the Argo CD UI or Argo CD CLI. By default, ACK One GitOps supports single sign-on (SSO) when you use RAM users or RAM roles to log on to the Argo CD UI or Argo CD CLI. For more information about how to grant permissions to RAM users, see Grant permissions to RAM users or RAM roles in an Alibaba Cloud account.
Create a local user
Prerequisites
The kubeconfig file of the Fleet instance is obtained in the Distributed Cloud Container Platform for Kubernetes (ACK One) console and a kubectl client is connected to the Fleet instance.
GitOps is enabled for your ACK One Fleet instance. For more information, see Enable GitOps for the Fleet instance.
The password of the Argo CD administrator is obtained and used to log on to the Argo CD CLI. For more information, see Access Argo CD using the Argo CD CLI.
Procedure
Use the administrator account to create a local user on the Fleet instance. To create a local user, perform the following steps:
1. Run the following command to edit the argocd-cm ConfigMap of Argo CD:

kubectl edit cm argocd-cm -n argocd

2. In the argocd-cm ConfigMap, add a local user named localuser1 as shown in the following code:

data:
  accounts.localuser1: login,apiKey    # Allow the local user to log on to the Argo CD UI and the Argo CD CLI, and generate an apiKey token.
  accounts.localuser1.enabled: "true"  # Create local user localuser1.

3. Run the following command to query the local user:

argocd account list

Expected output:

NAME        ENABLED  CAPABILITIES
admin       true     login
localuser1  true     login,apiKey    # The local user localuser1.

4. Run the following commands to set a password and generate a token:

# Set a password.
argocd account update-password \
  --account localuser1 \
  --current-password <admin password> \
  --new-password <localuser1-password>

# Generate a token for localuser1.
argocd account generate-token --account localuser1
eyJhb......
Configure Argo CD RBAC permissions
Argo CD lets you configure Role-Based Access Control (RBAC) to limit SSO groups or local users from accessing Argo CD resources. To do this, define an RBAC role and map an SSO group or local user to the role.
Role introduction
To grant permissions to an SSO group or local user, you must first create a role and map the SSO group or local user to the role.
You can create custom roles or use the following predefined roles in Argo CD:
role:readonly: This role grants read-only (get) permissions for all Argo CD resources.
role:admin: This role grants full permissions for all Argo CD resources.
To grant permissions to a role, you need to configure the .data.policy.csv field in the argocd-rbac-cm ConfigMap in the following format:
For resources not in a project:

p, <role/user/group>, <resource>, <action>, <object>

For resources within a project:

p, <role/user/group>, <resource>, <action>, <appproject>/<object>
Argo CD supports the following resources: clusters, projects, applications, applicationsets, repositories, certificates, accounts, gpgkeys, logs, exec, and extensions.
The following actions are supported: get, create, update, delete, sync, override, and action/<api-group>/<Kind>/<action-name>.
The sync, override, and action/<api-group>/<Kind>/<action-name> operations are valid only for the applications resource.
Grant permissions to a local user
1. Run the following command to edit the argocd-rbac-cm ConfigMap of Argo CD:

kubectl edit cm argocd-rbac-cm -n argocd

2. In the argocd-rbac-cm ConfigMap, grant permissions to the local user based on your requirements. The following sample code provides an example.

Important: Do not modify other configurations in the ConfigMap.

data:
  policy.csv: |
    ## p, role:project-admin, applications, *, */*, allow
    ## p, role:project-admin, projects, *, *, allow
    g, "14***01", role:admin              # Keep the current setting.
    g, localuser1, role:admin             # Map localuser1 to role admin.
    ## g, localuser1, role:project-admin  # Map localuser1 to role project-admin.
  scopes: '[uid]'                         # Keep the current setting.

The sample ConfigMap lets you grant permissions in the following scenarios:
Map localuser1 to the predefined role admin. This way, localuser1 has full permissions on all Argo CD resources.
Map localuser1 to the custom role project-admin. This way, localuser1 has full permissions on projects and applications. This mapping is commented out in the sample ConfigMap.
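Before applying a policy.csv to argocd-rbac-cm, it is worth checking every line against the rules described above. The following is an added example, not code from the original page or from ACK One: a small Python linter that enforces the supported resources and actions, the rule that sync, override and action/<api-group>/<Kind>/<action-name> apply only to the applications resource, and the trailing allow/deny effect field that each line of the sample ConfigMap ends with. The sample policy in the block is a constructed copy of the policy.csv shown above.

```python
import re
# Resources and actions listed on this page; "action/<api-group>/<Kind>/<action-name>" is a pattern.
RESOURCES = {"clusters", "projects", "applications", "applicationsets", "repositories",
             "certificates", "accounts", "gpgkeys", "logs", "exec", "extensions"}
ACTIONS = {"get", "create", "update", "delete", "sync", "override"}
APP_ONLY_ACTIONS = {"sync", "override"}          # action/... is also applications-only
ACTION_PATTERN = re.compile(r"^action/[^/]*/[^/]+/[^/]+$")

# Constructed sample: the policy.csv from the argocd-rbac-cm example above, as a plain string.
SAMPLE_POLICY = """\
## p, role:project-admin, applications, *, */*, allow
## p, role:project-admin, projects, *, *, allow
g, "14***01", role:admin              # Keep the current setting.
g, localuser1, role:admin             # Map localuser1 to role admin.
## g, localuser1, role:project-admin  # Map localuser1 to role project-admin.
"""


def check_policy_line(line: str) -> list[str]:
    """Return the problems found in one policy.csv line (empty list when it is fine)."""
    text = line.split("#", 1)[0].strip()      # drop '#' comments, as used in the sample above
    if not text:
        return []
    fields = [f.strip() for f in text.split(",")]
    if fields[0] == "g":                       # g, <user/group>, <role>
        return [] if len(fields) == 3 else [f"g line needs 3 fields: {text}"]
    if fields[0] != "p":
        return [f"unknown line type {fields[0]!r}: {text}"]
    if len(fields) != 6:
        return [f"p line needs 6 fields (p, subject, resource, action, object, effect): {text}"]
    _, _, resource, action, _obj, effect = fields
    problems = []
    if resource not in RESOURCES and resource != "*":
        problems.append(f"unknown resource {resource!r}")
    custom = ACTION_PATTERN.match(action) is not None
    if action not in ACTIONS and action != "*" and not custom:
        problems.append(f"unknown action {action!r}")
    if (action in APP_ONLY_ACTIONS or custom) and resource != "applications":
        problems.append(f"action {action!r} is valid only for the applications resource")
    if effect not in ("allow", "deny"):
        problems.append(f"effect must be allow or deny, got {effect!r}")
    return problems


def lint_policy(csv_text: str) -> dict[int, list[str]]:
    """Map 1-based line numbers to problems; an empty dict means every line passed."""
    lines = enumerate(csv_text.splitlines(), start=1)
    return {n: p for n, line in lines if (p := check_policy_line(line))}
```

The same checker applies to the policy lines of an Argo CD project role, whose subject takes the form proj:<project>:<role>.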
Grant permissions to RAM users or RAM roles within an Alibaba Cloud account
By default, ACK One GitOps supports SSO when you use RAM users to log on to the Argo CD UI or Argo CD CLI. After you use a RAM user to log on to the ACK One console, you can log on to the Argo CD UI or Argo CD CLI using SSO without the need to enter the username and password again.
If the RAM user is the administrator of the ACK One Fleet instance, ACK One GitOps automatically grants the RAM user administrator permissions on the Argo CD UI or Argo CD CLI.
If the RAM user is a regular user, the administrator of the Fleet instance must grant permissions to the RAM user. This involves the following permissions:
Grant Argo CD RBAC permissions to the RAM user or RAM role in argocd-rbac-cm.
Manage the permissions of the RAM user or RAM role on clusters, repositories, and applications using Argo CD projects.
Grant the Argo CD RBAC permissions to RAM users or RAM roles
The administrator of the ACK One Fleet instance can perform the following steps to configure permissions:
1. Use the Fleet kubeconfig to run the following command to edit the argocd-rbac-cm ConfigMap of Argo CD:

kubectl edit cm argocd-rbac-cm -n argocd

2. In argocd-rbac-cm, grant permissions to the RAM user. The following example shows how to grant the Argo CD admin permission to RAM user "27***02". The commented-out section shows how to grant the project-admin permission to RAM user "27***02".

data:
  policy.csv: |
    ## p, role:project-admin, applications, *, */*, allow
    ## p, role:project-admin, projects, *, *, allow
    g, "14***01", role:admin                # Keep the current setting.
    g, "27***02", role:admin                # Set the role of RAM user "27***02" to admin.
    ## g, "27***02", role:project-admin     # Map RAM user "27***02" to the project-admin role.
  scopes: '[uid]'                           # Keep the current setting.
Grant the Argo CD application permissions to RAM users or RAM roles
Each Argo CD application belongs to a project. Argo CD projects can be used to grant different application permissions to different RAM users or RAM roles.
When multiple teams use Argo CD, you can add applications to different Argo CD projects. Argo CD projects also provide the following features:
Git repository limit: controls which Git repositories can be used to deploy applications.
Cluster and namespaces limit: defines the clusters and namespaces where applications can be deployed and ensures that the deployment complies with the resource allocation and security policies of the team.
Object type limit: limits the types of Kubernetes resources that can be deployed, such as RBAC, CRDs, DaemonSets, and NetworkPolicies, to avoid using unnecessary or high-risk resources.
Application-level RBAC: grants different application permissions to different RAM users or RAM roles and binds them to OIDC groups and JWT tokens by defining project roles. This lets you manage permissions in a fine-grained manner.
The ACK One administrator can perform the following operations to grant Argo CD application permissions to RAM users or RAM roles:
Log on to the RAM console using your Alibaba Cloud account or an administrator account. In the navigation pane on the left, click Users or Roles. On the details page of the user or role that you want to manage, copy the UID or Role ID.
Log on to the ACK One console. In the navigation pane on the left, choose . Click GitOps Console to log on to the Argo CD UI.
In the navigation pane on the left of the Argo CD console, click . Click + NEW PROJECT to create a project, or select and go to the details page of an existing project. The permission configuration for the previously described repositories, clusters, and cluster resources is omitted.
Click + ADD ROLE, specify the following information, and then click CREATE to create a project role.
GENERAL: Configure the basic information for the role.
POLICY RULES: Configure the application permissions.
GROUPS: In the text box, enter the UID or Role ID that you copied in Step 1, and then click ADD GROUP.
In the following example, a role named roletest is created. This role grants RAM user 27***02 the get (read-only) permission for all applications in the test project. The authorized RAM user 27***02 can then go to the ACK One console and click LOG IN VIA ALIYUN SSO to log on to the Argo CD UI to verify that the permissions work as expected.
