Summary
It would be useful to be able to skip setting up cluster manager RBAC for ArgoCD SA when performing argocd cluster add in environments where predefined roles described by ArgoCDManagerNamespacePolicyRules and ArgoCDManagerClusterPolicyRules do not comply with specific access and/or legal/policy requirements.
Motivation
The InstallClusterManagerRBAC method of the clusterauth package is somewhat opinionated about rolebindings and role definitions for the "argocd-manager" SA (read: those definitions are hardcoded). It is called whenever a user tries to add a new cluster via the argocd cluster add command.
Sometimes it is desirable, however, to manually pre-configure such bindings and/or modify them in order to comply with existing infrastructure requirements. For example, a user might choose to create customized definitions for argocd-manager-role-binding and argocd-manager-role before adding a cluster or its namespace into ArgoCD.
Proposal
A simple CLI flag --skip-rbac-setup for the argocd cluster add command should suffice for most use-cases. If the flag is present, the command should skip setting up pre-defined RBAC entities and only get the SA token to be passed to the server.
* Add "skip-rbac-setup" flag to "cluster add" command
"InstallClusterManagerRBAC" method of the clusterauth package
is somewhat opinionated about rolebindings and role definitions
for "argocd-manager" SA. Sometimes it is desirable however to manually
pre-configure such bindings and/or modify them in order to comply
with existing infrastructure requirements.
This commit introduces a new option "--skip-rbac-setup" which allows operator
to skip the aforementioned "InstallClusterManagerRBAC" method call.
* Modified --skip-rbac-setup into --service-account flag
* use reference instead of hardcoded SA name
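A pre-provisioned, narrower RBAC setup of the kind the issue describes, as an added example that is not part of the original issue or the Argo CD code base. The object names come from the issue text; the namespace `team-a`, the rule set and the placement of the service account in `kube-system` are assumptions.

```yaml
# Applied by a cluster admin before the cluster is registered, so that
# `argocd cluster add <context> --service-account argocd-manager` only has to
# read the token of an existing service account.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argocd-manager
  namespace: kube-system        # assumption: namespace where the SA is looked up
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-manager-role
  namespace: team-a             # hypothetical namespace managed by Argo CD
rules:
  # Assumed policy: only the kinds this team deploys, instead of wildcards.
  - apiGroups: [""]
    resources: ["configmaps", "services"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Read-only on pods and events so health and sync status can be displayed.
  - apiGroups: [""]
    resources: ["pods", "events"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argocd-manager-role-binding
  namespace: team-a
subjects:
  - kind: ServiceAccount
    name: argocd-manager
    namespace: kube-system      # must match the ServiceAccount above
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-manager-role
```

The effective permissions can be reviewed before registration with `kubectl auth can-i --list --as=system:serviceaccount:kube-system:argocd-manager -n team-a`.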