From 2aa1fc1f2a70a9d478b97a67d1f3787b3cad1d92 Mon Sep 17 00:00:00 2001 From: Debargho Ghosh Date: Wed, 6 Jul 2022 15:17:37 +0530 Subject: [PATCH] added cluster permission management made review changes made review changes made review changes made review changes made review changes made review changes made review changes --- ...plication-with-cluster-configurations.adoc | 4 ++ ...tional-permissions-for-cluster-config.adoc | 54 +++++++++++++++++++ ...nbuilt-permissions-for-cluster-config.adoc | 25 +++++++++ 3 files changed, 83 insertions(+) create mode 100644 modules/gitops-additional-permissions-for-cluster-config.adoc create mode 100644 modules/gitops-inbuilt-permissions-for-cluster-config.adoc diff --git a/cicd/gitops/configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations.adoc b/cicd/gitops/configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations.adoc index f9f5550d090f..34c10f68de15 100644 --- a/cicd/gitops/configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations.adoc +++ b/cicd/gitops/configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations.adoc @@ -20,3 +20,7 @@ include::modules/gitops-creating-an-application-by-using-the-argo-cd-dashboard.a include::modules/gitops-creating-an-application-by-using-the-oc-tool.adoc[leveloffset=+1] include::modules/gitops-synchronizing-your-application-application-with-your-git-repository.adoc[leveloffset=+1] + +include::modules/gitops-inbuilt-permissions-for-cluster-config.adoc[leveloffset=+1] + +include::modules/gitops-additional-permissions-for-cluster-config.adoc[leveloffset=+1] diff --git a/modules/gitops-additional-permissions-for-cluster-config.adoc b/modules/gitops-additional-permissions-for-cluster-config.adoc new file mode 100644 index 000000000000..2054dc4a39fb --- /dev/null +++ b/modules/gitops-additional-permissions-for-cluster-config.adoc 
@@ -0,0 +1,54 @@ +// Module included in the following assembly: +// +// * configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations.adoc + +:_content-type: PROCEDURE +[id="gitops-additional-permissions-for-cluster-config_{context}"] += Adding permissions for cluster configuration + +You can grant permissions for an Argo CD instance to manage cluster configuration. Create a cluster role with additional permissions and then create a new cluster role binding to associate the cluster role with a service account. + +.Procedure + +. Log in to the {product-title} web console as an admin. +. In the wev console, select **User Management** -> **Roles** -> **Create Role**. Use the following `ClusterRole` YAML template to add rules to specify the additional permissions. ++ +[source,yaml] +---- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: secrets-cluster-role +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["*"] +---- +. Click **Create** to add the cluster role. +. Now create the cluster role binding. In the web console, select **User Management** -> **Role Bindings** -> **Create Binding**. +. Select **All Projects** from the **Project** drop-down. +. Click **Create binding**. +. Select **Binding type** as **Cluster-wide role binding (ClusterRoleBinding)**. +. Enter a unique value for the **RoleBinding name**. +. Select the newly created cluster role or an existing cluster role from the drop down list. +. Select the **Subject** as **ServiceAccount** and the provide the **Subject namespace** and **name**. +.. **Subject namespace**: `openshift-gitops` +.. **Subject name**: `openshift-gitops-argocd-application-controller` +. Click **Create**. 
The YAML file for the `ClusterRoleBinding` object is as follows: ++ +[source,yaml] +---- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: cluster-role-binding +subjects: + - kind: ServiceAccount + name: openshift-gitops-argocd-application-controller + namespace: openshift-gitops +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin +---- + diff --git a/modules/gitops-inbuilt-permissions-for-cluster-config.adoc b/modules/gitops-inbuilt-permissions-for-cluster-config.adoc new file mode 100644 index 000000000000..4bf8c7472d44 --- /dev/null +++ b/modules/gitops-inbuilt-permissions-for-cluster-config.adoc @@ -0,0 +1,25 @@ +// Module included in the following assembly: +// +// * configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations.adoc + +:_content-type: REFERENCE +[id="gitops-inbuilt-permissions-for-cluster-config_{context}"] += In-built permissions for cluster configuration + +By default, the Argo CD instance has permissions to manage specific cluster-scoped resources such as platform Operators, optional OLM Operators and user management. + +[NOTE] +==== +Argo CD does not have cluster-admin permissions. +==== + +Permissions for the Argo CD instance: +|=== +|**Resources** |**Descriptions** +|Resource Groups | Configure the user or administrator +|`operators.coreos.com` | Optional Operators managed by OLM +|`user.openshift.io` , `rbac.authorization.k8s.io` | Groups, Users and their permissions +|`config.openshift.io` | Control plane Operators managed by CVO used to configure cluster-wide build configuration, registry configuration and scheduler policies +|`storage.k8s.io` | Storage +|`console.openshift.io` | Console customization +|=== \ No newline at end of file
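Review bot: The `ClusterRoleBinding` example at the end of this module has `roleRef.name: admin`, which does not match the `secrets-cluster-role` the procedure created two steps earlier and binds a much broader role cluster-wide to the `openshift-gitops-argocd-application-controller` service account than the secrets access the procedure describes. It also sits awkwardly next to the in-built permissions module added in this same commit, which states that Argo CD does not have cluster-admin permissions. The example should reference the role from the procedure, `name: secrets-cluster-role`, and the text introducing it could say `Replace secrets-cluster-role with the name of the cluster role you created; a cluster-wide binding applies that role in every namespace.` Consider also giving `metadata.name` a value that reflects the unique name the procedure asks for rather than the generic `cluster-role-binding`.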