
argocd rbac

주니- 2024. 2. 5. 11:38

목적

Argo CD 로그인을 GitHub(Dex) OAuth와 연동해 지정한 GitHub org/team 소속 사용자만 인증(authentication)되게 하고, argocd-rbac-cm의 RBAC으로 team별 권한(authorization)을 부여하기 위함

 

1. 설치

#https://argo-cd.readthedocs.io/en/stable/
#https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/

#install
# "stable" is a moving target: pin a release tag (.../v<X.Y.Z>/manifests/install.yaml) and
# review the manifest before applying it to a cluster you care about — the standard
# install.yaml (unlike namespace-install.yaml) gives the Argo CD controllers cluster-wide RBAC.
$ kubectl create ns argocd
$ kubectl -n argocd apply -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
#kubectl info
$ kubectl -n argocd get all

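#argo cd cli install
#https://argo-cd.readthedocs.io/en/stable/cli_installation/
# Verify the download against the checksum list published with the same release before
# installing it; the original flow trusted whatever bytes arrived over the wire. (A checksum
# from the same origin protects against corrupted/partial downloads, not a compromised release.)
$ curl -sSL -o argocd-linux-amd64 https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64
$ curl -sSL -o cli_checksums.txt https://github.com/argoproj/argo-cd/releases/latest/download/cli_checksums.txt
$ grep ' argocd-linux-amd64$' cli_checksums.txt | sha256sum -c -
$ sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd
$ rm argocd-linux-amd64 cli_checksums.txt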
	
#Type : "ClusterIP", "ExternalName", "LoadBalancer", "NodePort"
# LoadBalancer publishes the Argo CD API/UI — admin login included — on a public address,
# by default behind the self-signed certificate created at install time. Prefer an ingress
# with a trusted certificate and network restrictions; at minimum only expose it after the
# admin password has been rotated and the SSO/RBAC configuration below is in place.
$ kubectl -n argocd patch svc argocd-server --type strategic -p '{"spec": {"type": "LoadBalancer"}}'

# argo cd password (admin)
$ kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d; echo
P868pttdD5Ms-ZUb
username : admin
password : xTAeegVy4tseYN5Z

# EXTERNAL-IP shown here is the address the UI and the CLI will talk to.
$ kubectl get svc argocd-server -n argocd 

#argocd login
# The CLI verifies the server's TLS certificate. With the default self-signed certificate
# the temptation is to add --insecure; keep that to throwaway environments and put a
# trusted certificate in front of argocd-server for anything longer-lived.
$ argocd login devtest.test.kr
Username: admin
Password:
'admin:login' logged in successfully
Context 'devtest.test.kr' updated

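#change password (cli)
$ argocd account update-password
*** Enter password of currently logged in user (admin):
*** Enter new password for user admin:
*** Confirm new password for user admin:
Password updated
Context 'devtest.test.kr' updated

# The initial secret is only a bootstrap artefact. After the password change it no longer
# matches the live password and merely leaks the old value to anyone who can read Secrets
# in the namespace, so remove it (this is the documented Argo CD recommendation).
$ kubectl -n argocd delete secret argocd-initial-admin-secret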

#sample apply
# With no --project given, the app lands in the built-in "default" AppProject, which allows
# any source repository and any destination cluster/namespace. For real workloads create a
# project that pins both and reference it here.
$ argocd app create sample-app \
 --dest-server https://kubernetes.default.svc \
 --dest-namespace default \
 --repo https://github.com/argoproj/argocd-example-apps.git \
 --path guestbook

$ argocd app get sample-app
$ argocd app sync sample-app

 

2. rbac 적용

2-1. argocd-rbac-cm

#https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/
# NOTE(review): "-n argo" here, but the install steps above used "argocd" (and the manifest
# below says namespace: argocd). Edit the ConfigMap in the namespace Argo CD actually runs
# in — Argo CD only reads argocd-rbac-cm from its own namespace, a copy elsewhere has no effect.
$ kubectl edit configmaps -n argo argocd-rbac-cm
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
#####
data:
  # Applies to every authenticated identity that no `g` line below matches. The Dex
  # connector in argocd-cm only admits the testorg "infra" team, so its members land
  # here (read access to applications, clusters, repositories and projects via the
  # built-in readonly role) unless they are also in "dev". Use `policy.default: role:''`
  # to deny by default if that is not intended.
  policy.default: role:readonly
  # Review notes kept outside the `|` block so they do not become part of the policy text:
  #  - `applications, *, */*` grants every action (sync, delete, override, ...) on every
  #    application in every project.
  #  - `exec, create, */*` lets the role open a shell in any managed pod (`argocd app exec`;
  #    it only functions when `exec.enabled: "true"` is set in argocd-cm). That is
  #    effectively command execution across the cluster — remove it unless it is needed.
  #  - `g, testorg:dev, ...` must name an `<org>:<team>` group that the GitHub connector
  #    actually emits; argocd-cm only allows the `infra` team, so users who are in `dev`
  #    but not in `infra` cannot log in at all. Align the team names on both sides.
  policy.csv: |
    p, role:org-admin, applications, *, */*, allow
    p, role:org-admin, clusters, get, *, allow
    p, role:org-admin, repositories, get, *, allow
    p, role:org-admin, repositories, create, *, allow
    p, role:org-admin, repositories, update, *, allow
    p, role:org-admin, repositories, delete, *, allow
    p, role:org-admin, projects, get, *, allow
    p, role:org-admin, projects, create, *, allow
    p, role:org-admin, projects, update, *, allow
    p, role:org-admin, projects, delete, *, allow
    p, role:org-admin, logs, get, *, allow
    p, role:org-admin, exec, create, */*, allow

    #g, your-github-org:your-team, role:org-admin
    g, testorg:dev, role:org-admin
#####

2-2. argocd-cm

# NOTE(review): same namespace mismatch as above ("argo" here vs "argocd" at install);
# use the namespace Argo CD is actually installed in.
$ kubectl edit configmaps -n argo argocd-cm
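---
# Server-managed fields from the original `kubectl edit` dump (last-applied annotation,
# creationTimestamp, resourceVersion, uid) are omitted so this manifest can be re-applied.
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cm
  # NOTE(review): this ConfigMap is in "argo" while the install steps above use "argocd";
  # both argocd-cm and argocd-rbac-cm must live in the namespace Argo CD actually runs in.
  namespace: argo
##### added
data:
  # Local (non-SSO) account. The enabled flag was previously misspelled ("accoutns."),
  # so Argo CD ignored it and alice stayed enabled with both login and API-key
  # capabilities — a local account that bypasses the GitHub SSO gate entirely.
  accounts.alice: apiKey, login
  accounts.alice.enabled: "false"
  # Once GitHub login is confirmed working, disable the built-in admin account too
  # (leave it on until then, or a misconfigured connector locks you out):
  # admin.enabled: "false"
  dex.config: |
    connectors:
      # GitHub example
      - type: github
        id: github
        name: GitHub
        config:
          clientID: ...5c2
          # Do not keep the OAuth client secret in a ConfigMap — it is readable by anyone
          # who can `get configmaps` in the namespace. Argo CD resolves `$<key>` against
          # the argocd-secret Secret; store the value there instead, e.g.
          #   kubectl -n argo patch secret argocd-secret \
          #     -p '{"stringData":{"dex.github.clientSecret":"<value>"}}'
          clientSecret: $dex.github.clientSecret
          # Plain http: the OAuth authorization code and the Argo CD session cookie cross
          # the network unencrypted. Serve Argo CD over https and register the https
          # callback in the GitHub OAuth app before exposing this beyond a lab.
          # Embedded Dex is normally reached through argocd-server at <url>/api/dex/callback;
          # confirm that the :5556/dex/callback form used here is actually reachable
          # from the browser in this deployment.
          redirectURI: http://devtest.test.kr:5556/dex/callback
          # Only members of these org teams can authenticate at all; the `g` lines in
          # argocd-rbac-cm must name one of them (here that is `testorg:infra`).
          orgs:
          - name: testorg
            teams:
            - infra
  url: http://devtest.test.kr
#####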

 

3. github org 설정