Commit
made review changes
1 parent 8b46e72, commit 2aa1fc1
Showing 3 changed files with 83 additions and 0 deletions.
54 changes: 54 additions & 0 deletions
modules/gitops-additional-permissions-for-cluster-config.adoc
@@ -0,0 +1,54 @@ | ||
// Module included in the following assembly: | ||
// | ||
// * configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations.adoc | ||
|
||
:_content-type: PROCEDURE | ||
[id="gitops-additional-permissions-for-cluster-config_{context}"] | ||
= Adding permissions for cluster configuration | ||
|
||
You can grant permissions for an Argo CD instance to manage cluster configuration. Create a cluster role with additional permissions and then create a new cluster role binding to associate the cluster role with a service account. | ||
|
||
.Procedure | ||
|
||
. Log in to the {product-title} web console as an admin. | ||
. In the wev console, select **User Management** -> **Roles** -> **Create Role**. Use the following `ClusterRole` YAML template to add rules to specify the additional permissions. | ||
+ | ||
[source,yaml] | ||
---- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: secrets-cluster-role | ||
rules: | ||
- apiGroups: [""] | ||
resources: ["secrets"] | ||
verbs: ["*"] | ||
---- | ||
. Click **Create** to add the cluster role. | ||
. Now create the cluster role binding. In the web console, select **User Management** -> **Role Bindings** -> **Create Binding**. | ||
. Select **All Projects** from the **Project** drop-down. | ||
. Click **Create binding**. | ||
. Select **Binding type** as **Cluster-wide role binding (ClusterRoleBinding)**. | ||
. Enter a unique value for the **RoleBinding name**. | ||
. Select the newly created cluster role or an existing cluster role from the drop down list. | ||
. Select the **Subject** as **ServiceAccount** and the provide the **Subject namespace** and **name**. | ||
.. **Subject namespace**: `openshift-gitops` | ||
.. **Subject name**: `openshift-gitops-argocd-application-controller` | ||
. Click **Create**. The YAML file for the `ClusterRoleBinding` object is as follows: | ||
+ | ||
[source,yaml] | ||
---- | ||
kind: ClusterRoleBinding | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: cluster-role-binding | ||
subjects: | ||
- kind: ServiceAccount | ||
name: openshift-gitops-argocd-application-controller | ||
namespace: openshift-gitops | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: admin | ||
---- | ||
|
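Review bot: the `ClusterRoleBinding` example at the end of this hunk does not match the procedure it closes. The steps create `secrets-cluster-role` and tell the reader to "Select the newly created cluster role", but the YAML has `name: admin` in `roleRef`; binding the built-in `admin` ClusterRole cluster-wide gives the `openshift-gitops-argocd-application-controller` service account broad write access in every namespace, far beyond the secrets permissions this procedure describes. Suggest `name: secrets-cluster-role` so the sample binding grants exactly what the sample role defines. In the same spirit, the role template's `verbs: ["*"]` on `secrets` across all namespaces is the widest possible grant for that resource; either list only the verbs Argo CD needs for the use case or state that it is a placeholder to be narrowed. Three wording fixes in the same hunk: "In the wev console" should be "In the web console"; "and the provide the **Subject namespace**" should be "and provide the **Subject namespace**"; "from the drop down list" should be "from the drop-down list" to match "**Project** drop-down" two steps earlier. Steps 3 and 5 also both say to click "Create Binding"/"Create binding"; one of them looks redundant.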
25 changes: 25 additions & 0 deletions
modules/gitops-inbuilt-permissions-for-cluster-config.adoc
@@ -0,0 +1,25 @@ | ||
// Module included in the following assembly: | ||
// | ||
// * configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations.adoc | ||
|
||
:_content-type: REFERENCE | ||
[id="gitops-inbuilt-permissions-for-cluster-config_{context}"] | ||
= In-built permissions for cluster configuration | ||
|
||
By default, the Argo CD instance has permissions to manage specific cluster-scoped resources such as platform Operators, optional OLM Operators and user management. | ||
|
||
[NOTE] | ||
==== | ||
Argo CD does not have cluster-admin permissions. | ||
==== | ||
|
||
Permissions for the Argo CD instance: | ||
|=== | ||
|**Resources** |**Descriptions** | ||
|Resource Groups | Configure the user or administrator | ||
|`operators.coreos.com` | Optional Operators managed by OLM | ||
|`user.openshift.io` , `rbac.authorization.k8s.io` | Groups, Users and their permissions | ||
|`config.openshift.io` | Control plane Operators managed by CVO used to configure cluster-wide build configuration, registry configuration and scheduler policies | ||
|`storage.k8s.io` | Storage | ||
|`console.openshift.io` | Console customization | ||
|=== |
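Review bot: the permissions table will not render with a header row as written. The first row `|**Resources** |**Descriptions**` is not followed by a blank line and the block has no `[options="header"]` attribute, so AsciiDoc treats it as an ordinary body row with bold text; add `[options="header",cols="1,2"]` (or similar) above `|===`. The next row, `|Resource Groups | Configure the user or administrator`, reads like a second header rather than a resource group entry and should either be dropped or reworded as a real row. The intro line "Permissions for the Argo CD instance:" sits directly against `|===` with no blank line; turning it into a table title (`.Permissions for the Argo CD instance`) keeps the sentence and is the idiom the rest of this module uses for `.Procedure`-style titles. Minor: the stray space before the comma in `` `user.openshift.io` , `rbac.authorization.k8s.io` `` should go.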