RBAC
RBAC controls which actions a user may perform on which resources inside ArgoCD.
- Users can be local users or SSO users
- There is one default builtin local user: admin
- RBAC configuration can be done globally via the argocd-rbac-cm ConfigMap, or per project at AppProject level
Default Builtin Roles
There are 2 default builtin roles (see builtin-policy.csv):
- role:readonly: read-only access to all resources
- role:admin: unrestricted access to all resources
Default Policy for Authenticated Users
The policy.default key in argocd-rbac-cm names the role granted to every authenticated user.
All authenticated users get at least the permissions of that role, on top of whatever their own roles grant.
The default role is evaluated on its own, separately from the user's bindings, so a deny rule written against the user or their groups cannot block it.
If anonymous access is enabled (users.anonymous.enabled: "true" in argocd-cm), unauthenticated requests receive the default role as well, so a non-empty policy.default then becomes a public grant.
The recommended approach is to set policy.default: '' (empty), so no permissions are granted by default. All access must then be explicitly assigned via roles or group bindings.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: ''
```
Policy Syntax
The general syntax is (effect is allow or deny):

```
p, <role/user/group>, <resource>, <action>, <object>, <effect>
```

resource, action and object may each be a glob such as *. A request is allowed when at least one allow rule matches it and no deny rule matches it.
Application-Specific Resources
If the resource is applications, applicationsets, logs or exec, the object is written as <appproject>/<object>:

```
p, <role/user/group>, <resource>, <action>, <appproject>/<object>, <effect>
```

| Resource | get | create | update | delete | sync | override | action/... |
|---|---|---|---|---|---|---|---|
| applications | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| applicationsets | ✓ | ✓ | ✓ | ✓ | | | |
| logs | ✓ | | | | | | |
| exec | | ✓ | | | | | |
applications
The appproject is the ArgoCD project name. Viewing an application in the UI also requires get on the project.
override together with sync allows synchronizing local manifests to the Application (argocd app sync --local), i.e. deploying content that is not what the Git repository holds.

```
p, role:dev, applications, get, my-project/*, allow
p, role:dev, applications, sync, my-project/my-app, allow
```
applicationsets
The appproject field represents the projects in which the ApplicationSet may create Applications.

```
p, role:dev, applicationsets, create, my-project/*, allow
```
logs
Also requires get on the application to see Pod logs in the UI.

```
p, role:dev, logs, get, my-project/my-app, allow
```
exec
Allows exec into Pods via the ArgoCD UI. The feature must also be switched on with exec.enabled: "true" in argocd-cm. It gives the holder a shell inside the target workload, so treat it as an admin-level grant.

```
p, role:dev, exec, create, my-project/my-app, allow
```
Other Resources

```
p, <role/user/group>, <resource>, <action>, <object>, <effect>
```

| Resource | get | create | update | delete |
|---|---|---|---|---|
| clusters | ✓ | ✓ | ✓ | ✓ |
| projects | ✓ | ✓ | ✓ | ✓ |
| repositories | ✓ | ✓ | ✓ | ✓ |
| certificates | ✓ | ✓ | ✓ | ✓ |
| accounts | ✓ | ✓ | ✓ | ✓ |
| gpgkeys | ✓ | ✓ | ✓ | ✓ |
| extensions | ✓ | ✓ | ✓ | ✓ |

```
p, role:dev, repositories, get, *, allow
p, role:dev, clusters, get, *, allow
```
Role and Group Bindings

```
g, <user/group>, <role>
```

```
g, my-org:team-beta, role:admin
g, user@example.org, role:admin
g, role:admin, role:readonly
```

The last form binds a role to another role, so role:admin inherits everything role:readonly has.
The subject format depends on the authentication backend:
- Local user: username
- GitHub org team: your-github-org:your-team
- SSO group/ID: depends on the identity provider
At AppProject Level
Policies can also be defined inside the AppProject resource using spec.roles; each role lists its policies and the SSO groups bound to it.
The subject of such a policy is proj:PROJECT:ROLE, and ArgoCD only accepts objects scoped to that same project:

```
p, proj:my-project:my-role, applications, *, my-project/*, allow
```
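To make the policy syntax, the default-policy behaviour, the g bindings and the proj:PROJECT:ROLE subjects above concrete, here is a small evaluator for the grammar. It is an added example and not Argo CD's own code: Argo CD evaluates its policy with Casbin, while this is a simplified re-implementation that supports glob patterns only (not the regex form of the object field). The policy text, the users alice@example.org and bob@example.org and the group my-org:release-team are constructed for the example.

```python
"""Evaluator for the Argo CD policy grammar shown on this page.

Added example, not Argo CD's own code (Argo CD uses Casbin). It models:
  * p lines grant or deny an action on an object; each field may be a glob
  * g lines bind a user or group to a role, and roles to other roles
  * the default role is evaluated as a separate subject, so a deny rule
    written against the caller's own roles cannot take its permissions away
"""
from collections import defaultdict
from fnmatch import fnmatchcase


def parse_policy(text):
    """Parse p/g lines into (rules, bindings); reject anything else."""
    rules = []                   # (subject, resource, action, object, effect)
    bindings = defaultdict(set)  # subject -> roles it inherits directly
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = [part.strip() for part in line.split(",")]
        if f[0] == "p" and len(f) == 6 and f[5] in ("allow", "deny"):
            rules.append(tuple(f[1:]))
        elif f[0] == "g" and len(f) == 3:
            bindings[f[1]].add(f[2])
        else:
            raise ValueError(f"malformed policy line: {line!r}")
    return rules, bindings


def expand(subjects, bindings):
    """The given subjects plus every role reachable through g bindings."""
    seen, stack = set(), list(subjects)
    while stack:
        s = stack.pop()
        if s not in seen:
            seen.add(s)
            stack.extend(bindings.get(s, ()))
    return seen


def _enforce(subjects, rules, resource, action, obj):
    """Casbin-style effect: at least one allow matched and no deny matched."""
    allowed = denied = False
    for sub, res, act, pattern, effect in rules:
        if (sub in subjects and fnmatchcase(resource, res)
                and fnmatchcase(action, act) and fnmatchcase(obj, pattern)):
            if effect == "allow":
                allowed = True
            else:
                denied = True
    return allowed and not denied


def can(policy, subjects, resource, action, obj, default_role=""):
    """Decide a request for a caller known by `subjects` (user name plus group
    claims). The default role is checked on its own first, as Argo CD does."""
    rules, bindings = policy
    if default_role and _enforce(expand([default_role], bindings), rules,
                                 resource, action, obj):
        return True  # the caller's deny rules never take part in this pass
    return _enforce(expand(subjects, bindings), rules, resource, action, obj)


# Constructed sample policy (not from any real cluster). It mixes the global
# forms from this page with one project role, named the way Argo CD names
# AppProject roles (proj:<project>:<role>) when it merges them into the policy.
SAMPLE_POLICY = """
p, role:readonly, applications, get, */*, allow
p, role:readonly, projects, get, *, allow
p, role:dev, applications, get, my-project/*, allow
p, role:dev, applications, sync, my-project/my-app, allow
p, role:dev, logs, get, my-project/*, allow
p, role:dev, applications, get, my-project/secret-app, deny
p, proj:my-project:release, applications, sync, my-project/*, allow
g, alice@example.org, role:dev
g, my-org:release-team, proj:my-project:release
"""
POLICY = parse_policy(SAMPLE_POLICY)


def demo():
    alice = ["alice@example.org"]
    bob = ["bob@example.org", "my-org:release-team"]  # user plus a group claim
    return {
        "alice_sync_my_app": can(POLICY, alice, "applications", "sync", "my-project/my-app"),
        "alice_sync_other": can(POLICY, alice, "applications", "sync", "my-project/other"),
        # deny beats allow inside the caller's own pass ...
        "alice_secret_no_default": can(POLICY, alice, "applications", "get", "my-project/secret-app"),
        # ... but cannot remove what the default role grants
        "alice_secret_with_default": can(POLICY, alice, "applications", "get",
                                         "my-project/secret-app", default_role="role:readonly"),
        # project role reached through a group claim
        "bob_release_sync": can(POLICY, bob, "applications", "sync", "my-project/my-app"),
        "bob_get_no_default": can(POLICY, bob, "applications", "get", "my-project/my-app"),
        "bob_get_with_default": can(POLICY, bob, "applications", "get", "my-project/my-app",
                                    default_role="role:readonly"),
    }


if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check}: {'allow' if verdict else 'deny'}")
```

The alice_secret_* pair is the point of the default-policy section: the deny on my-project/secret-app wins while policy.default is empty, but the moment the default role is role:readonly the same request is allowed, because the default role is enforced as its own subject. Against a real policy file, the same questions can be put to ArgoCD's own engine with argocd admin settings rbac can (and the file checked with argocd admin settings rbac validate) before the ConfigMap is applied.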