Control ACK One GitOps Access with Argo CD RBAC Permissions - Container Service for Kubernetes

ACK One GitOps supports multi-user collaboration. As an administrator, you can create users, assign Argo CD Role-Based Access Control (RBAC) permissions, and manage application-level access through Argo CD projects.

User types

ACK One GitOps supports two user types:

User type	Description	Best for
Local user	Created directly in Argo CD. Supports UI login and API key generation for automation.	Small teams or automated CI/CD pipelines that don't need SSO, login history, or group-based access
RAM user or RAM role	Alibaba Cloud identity. ACK One GitOps supports single sign-on (SSO) by default, so RAM users can log in to the Argo CD UI or Argo CD CLI without entering a separate username and password.	Teams already using RAM for identity management, or when you need group-based access, login history, or fine-grained permission control

Create a local user

Prerequisites

Before you begin, make sure you have:

The kubeconfig file of the Fleet instance, with kubectl connected to the Fleet instance. Get it from the ACK One console.
GitOps enabled for your ACK One Fleet instance. See Enable GitOps for the Fleet instance.
The Argo CD administrator password to log in to the Argo CD CLI. See Access Argo CD using the Argo CD CLI.

Add a local user

Edit the argocd-cm ConfigMap.
```
kubectl edit cm argocd-cm -n argocd
```
Add the local user under the data field. The following example adds a user named localuser1.
```
data:
  accounts.localuser1: login,apiKey    # Grants UI login and API key generation
  accounts.localuser1.enabled: "true"  # Enables the user
```
Each account supports two capabilities:
- login — allows the user to log in to the Argo CD UI and the Argo CD CLI
- apiKey — allows the user to generate authentication tokens for API access

Verify that the user was created.

argocd account list

Expected output:

NAME        ENABLED  CAPABILITIES
admin       true     login
localuser1  true     login,apiKey

Set a password and generate a token for the user.

# Set a password
argocd account update-password \
  --account localuser1 \
  --current-password <admin-password> \
  --new-password <localuser1-password>

# Generate an API key token
argocd account generate-token --account localuser1
eyJhb......

Configure Argo CD RBAC permissions

Argo CD RBAC lets you control which users and groups can access specific resources. The configuration is stored in the argocd-rbac-cm ConfigMap and follows a policy-based syntax.

Predefined roles

Argo CD includes two built-in roles:

Role	Permissions
`role:readonly`	Read-only (`get`) access to all Argo CD resources
`role:admin`	Full access to all Argo CD resources

Custom roles with fine-grained permissions are also supported.

Policy syntax

All policies are defined in the .data.policy.csv field of argocd-rbac-cm.

Assign a permission (`p` rule):

p, <role/user/group>, <resource>, <action>, <object>

For resources within a project:

p, <role/user/group>, <resource>, <action>, <appproject>/<object>

Where:

<role/user/group> — the entity receiving the permission (a role name, local username, or SSO group/UID)
<resource> — the Argo CD resource type
<action> — the operation to allow
<object> — the specific resource instance, or * for all

Map a user or group to a role (`g` rule):

g, <user/group>, <role>

Supported resources and actions

Argo CD supports the following resources: clusters, projects, applications, applicationsets, repositories, certificates, accounts, gpgkeys, logs, exec, and extensions.

The following actions are supported: get, create, update, delete, sync, override, and action/<api-group>/<Kind>/<action-name>.

sync, override, and action/<api-group>/<Kind>/<action-name> are valid only for the applications resource.

Grant permissions to a local user

Edit the argocd-rbac-cm ConfigMap.

kubectl edit cm argocd-rbac-cm -n argocd

Add a g rule to map the local user to a role. The following example maps localuser1 to the built-in role:admin.

Map localuser1 to role:admin for full access to all Argo CD resources.
Map localuser1 to the custom role project-admin (commented out) for access limited to specific projects and applications.

Important

Do not modify other existing configurations in the ConfigMap.

data:
  policy.csv: |
##  p, role:project-admin, applications, *, */*, allow
##  p, role:project-admin, projects, *, *, allow

      g, "14***01", role:admin          # Keep the current setting.
      g, localuser1, role:admin         # Map localuser1 to role:admin.
##    g, localuser1, role:project-admin # Alternative: map to a custom role.
    scopes: '[uid]'                     # Keep the current setting.

This example supports two scenarios:

Grant permissions to RAM users or RAM roles

By default, RAM users who are Fleet instance administrators automatically receive Argo CD admin permissions through SSO. Regular RAM users require explicit permission grants.

For a regular RAM user, grant both:

Argo CD RBAC permissions in argocd-rbac-cm
Application-level permissions through Argo CD projects

Grant Argo CD RBAC permissions

Edit the argocd-rbac-cm ConfigMap.

kubectl edit cm argocd-rbac-cm -n argocd

Add a g rule to map the RAM user UID to a role. The following example grants RAM user 27***02 the role:admin permission.

data:
  policy.csv: |
##  p, role:project-admin, applications, *, */*, allow
##  p, role:project-admin, projects, *, *, allow

      g, "14***01", role:admin          # Keep the current setting.
      g, "27***02", role:admin          # Grant role:admin to RAM user 27***02.
##    g, "27***02", role:project-admin  # Alternative: map to a custom role.
    scopes: '[uid]'                     # Keep the current setting.

Grant Argo CD application permissions

Each Argo CD application belongs to a project. Use Argo CD projects to assign different application permissions to different RAM users or RAM roles.

Argo CD projects support the following access controls:

Git repository limit — controls which Git repositories can be used to deploy applications
Cluster and namespace limit — defines the clusters and namespaces where applications can be deployed
Object type limit — restricts the Kubernetes resource types that can be deployed (for example, RBAC, Custom Resource Definitions (CRDs), DaemonSets, and NetworkPolicies)
Application-level RBAC — grants per-application permissions to specific RAM users or RAM roles by binding project roles to OpenID Connect (OIDC) groups and JSON Web Tokens (JWTs)

To grant application permissions to a RAM user:

Log in to the RAM console using your Alibaba Cloud account or an administrator account. In the left navigation pane, click Users or Roles. On the details page of the target user or role, copy the UID or Role ID.
Log in to the ACK One console. In the left navigation pane, choose Fleet > Multi-cluster GitOps, then click GitOps Console to open the Argo CD UI.
In the left navigation pane of the Argo CD console, go to Settings > Projects. Click + NEW PROJECT to create a project, or open an existing project.
Click + ADD ROLE, fill in the following fields, and click CREATE.
- GENERAL — configure the basic role information
- POLICY RULES — configure the application permissions
- GROUPS — enter the UID or Role ID copied in step 1, then click ADD GROUP

The following example shows a role named roletest that grants RAM user 27***02 read-only (get) access to all applications in the test project. After the role is created, the RAM user can click LOG IN VIA ALIYUN SSO in the ACK One console to log in to the Argo CD UI and verify that the permissions are in effect.