1.创建用户alice
# Apply the argocd-cm ConfigMap (shown below) that registers the local user alice.
kubectl apply -f argocd-cm.yaml
# argocd-cm: registers the local Argo CD user "alice".
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  # add an additional local user with apiKey and login capabilities
  # apiKey - allows generating API keys (long-lived tokens; grant only if the
  #          user really needs non-interactive access)
  # login - allows to login using UI
  accounts.alice: apiKey, login
  # enables or disables the user. Users are enabled by default, so "true"
  # only makes the default explicit; set "false" to disable the account.
  accounts.alice.enabled: "true"
查看用户:
[root@k8s ~]# argocd account list
NAME   ENABLED  CAPABILITIES
admin  true     login
alice  true     apiKey, login
[root@k8s ~]# argocd account get --account alice
Name: alice
Enabled: true
Capabilities: apiKey, login
Tokens:
NONE
2.设置密码
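# Set alice's password while logged in as admin.
# A comment cannot follow a trailing backslash: "\ #..." is not a line
# continuation (the escaped space starts a new argument containing the
# comment text), and the following line then runs as a separate command.
# The explanatory comments are therefore kept on their own lines.
# Passwords given as flags end up in shell history and are visible to `ps`;
# omit --current-password/--new-password to be prompted for them instead.
argocd account update-password \
  --account alice \
  --current-password BI7tl958Klzm2gB4 \
  --new-password Qwer@1234
# --current-password: password of the currently logged-in user (admin)
# --new-password:     the new password for alice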
登录 Web UI，此时 alice 没有任何权限
3.RBAC赋予权限
如果要把用户的权限限制在某个 project 内，对应的 git 仓库、cluster 集群等资源也要新建为该 project 作用域的资源
# Add the cluster credential scoped to project test2 (--project).
argocd cluster add kubernetes-admin@kubernetes --project test2
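# argocd-rbac-cm: RBAC policy that binds user alice to role org-admin.
# Text inside the policy.csv block scalar is CSV content, not YAML, so the
# comments are kept on their own lines starting with '#'. A trailing
# '# ...' after a rule is read as part of that rule's last (effect) field —
# NOTE(review): believed to make such a rule ineffective; run
# `argocd admin settings rbac validate` after editing to be sure.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  # Every authenticated user can read all resources. Without this setting,
  # visibility is decided only by the roles explicitly granted to the user.
  policy.default: role:readonly
  policy.csv: |
    # All application actions are denied for org-admin in every project.
    p, role:org-admin, applications, *, */*, deny
    # Alternative: allow application actions (create/delete/...) only in project test2.
    #p, role:org-admin, applications, *, test2/*, allow
    # Cluster read access.
    p, role:org-admin, clusters, get, *, allow
    p, role:org-admin, repositories, get, *, allow
    p, role:org-admin, repositories, create, *, allow
    p, role:org-admin, repositories, update, *, allow
    p, role:org-admin, repositories, delete, *, allow
    p, role:org-admin, projects, get, *, allow
    p, role:org-admin, projects, create, *, allow
    p, role:org-admin, projects, update, *, allow
    p, role:org-admin, projects, delete, *, allow
    p, role:org-admin, logs, get, *, allow
    # exec lets the role open a shell in application pods; this grants it in
    # all projects — narrow it (e.g. test2/*) or remove it if not required.
    p, role:org-admin, exec, create, */*, allow
    # Bind role org-admin to user alice.
    g, alice, role:org-admin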
参考:
https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/
https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/