@@ -20,3 +20,7 @@ include::modules/gitops-creating-an-application-by-using-the-argo-cd-dashboard.a
include::modules/gitops-creating-an-application-by-using-the-oc-tool.adoc[leveloffset=+1]

include::modules/gitops-synchronizing-your-application-application-with-your-git-repository.adoc[leveloffset=+1]

include::modules/gitops-inbuilt-permissions-for-cluster-config.adoc[leveloffset=+1]

include::modules/gitops-additional-permissions-for-cluster-config.adoc[leveloffset=+1]
54 changes: 54 additions & 0 deletions modules/gitops-additional-permissions-for-cluster-config.adoc
@@ -0,0 +1,54 @@
// Module included in the following assembly:
//
// * configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations.adoc

:_content-type: PROCEDURE
[id="gitops-additional-permissions-for-cluster-config_{context}"]
= Adding permissions for cluster configuration

You can grant permissions for an Argo CD instance to manage cluster configuration. Create a cluster role with additional permissions and then create a new cluster role binding to associate the cluster role with a service account.

.Procedure

. Log in to the {product-title} web console as an admin.
. In the wev console, select **User Management** -> **Roles** -> **Create Role**. Use the following `ClusterRole` YAML template to add rules to specify the additional permissions.
+
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: secrets-cluster-role
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["*"]
----
. Click **Create** to add the cluster role.
. Now create the cluster role binding. In the web console, select **User Management** -> **Role Bindings** -> **Create Binding**.
. Select **All Projects** from the **Project** drop-down.
. Click **Create binding**.
. Select **Binding type** as **Cluster-wide role binding (ClusterRoleBinding)**.
. Enter a unique value for the **RoleBinding name**.
. Select the newly created cluster role or an existing cluster role from the drop down list.
. Select the **Subject** as **ServiceAccount** and the provide the **Subject namespace** and **name**.
.. **Subject namespace**: `openshift-gitops`
.. **Subject name**: `openshift-gitops-argocd-application-controller`
. Click **Create**. The YAML file for the `ClusterRoleBinding` object is as follows:
+
[source,yaml]
----
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cluster-role-binding
subjects:
- kind: ServiceAccount
name: openshift-gitops-argocd-application-controller
namespace: openshift-gitops
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
----

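Review bot: the `ClusterRoleBinding` YAML closing the procedure uses `roleRef.name: admin`, but the preceding steps create `secrets-cluster-role` and tell the reader to "Select the newly created cluster role"; the sample should read `name: secrets-cluster-role`, or the text should say explicitly that binding the built-in `admin` ClusterRole cluster-wide is a separate, much broader option (it grants `admin` in every namespace, not just the Secret access the role above provides). Least-privilege caveat on the `ClusterRole` example: `verbs: ["*"]` on `secrets` with no namespace scope lets the `openshift-gitops-argocd-application-controller` service account read and modify every Secret in the cluster, including other service accounts' tokens; consider listing only the verbs the configuration needs (for example `get`, `list`, `watch`, `create`, `update`, `patch`, `delete`) and, where the managed resources live in one namespace, a `Role` plus `RoleBinding` instead of a cluster-wide grant. Minor wording in the steps: "wev console" should be "web console", "and the provide the **Subject namespace**" should be "and provide the **Subject namespace**", and "drop down list" should be "drop-down list".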
25 changes: 25 additions & 0 deletions modules/gitops-inbuilt-permissions-for-cluster-config.adoc
@@ -0,0 +1,25 @@
// Module included in the following assembly:
//
// * configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations.adoc

:_content-type: REFERENCE
[id="gitops-inbuilt-permissions-for-cluster-config_{context}"]
= In-built permissions for cluster configuration

By default, the Argo CD instance has permissions to manage specific cluster-scoped resources such as platform Operators, optional OLM Operators and user management.

[NOTE]
====
Argo CD does not have cluster-admin permissions.
====

Permissions for the Argo CD instance:
|===
|**Resources** |**Descriptions**
|Resource Groups | Configure the user or administrator
|`operators.coreos.com` | Optional Operators managed by OLM
|`user.openshift.io` , `rbac.authorization.k8s.io` | Groups, Users and their permissions
|`config.openshift.io` | Control plane Operators managed by CVO used to configure cluster-wide build configuration, registry configuration and scheduler policies
|`storage.k8s.io` | Storage
|`console.openshift.io` | Console customization
|===
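Review bot: the first body row of the table, `|Resource Groups | Configure the user or administrator`, reads like a stray second header rather than an API group and its description does not match any resource; drop it or reword it, and since every other first-column entry is an API group, "API group" is a clearer column header than "Resources". The NOTE "Argo CD does not have cluster-admin permissions" holds for the default instance, but the module just before this one shows a `ClusterRoleBinding` to `admin` for the same service account, so qualify the note with "by default". Because `rbac.authorization.k8s.io` is among the default groups, the verbs actually granted there decide how far the instance could widen its own access (Kubernetes RBAC refuses a binding to a role the subject does not already hold unless it has the `bind` verb on that role, and `escalate` for editing roles), so stating those verbs would make the "no cluster-admin" claim checkable. Formatting: the AsciiDoc table has no `[options="header"]` attribute and no blank line after the first row, so the bold **Resources**/**Descriptions** line renders as an ordinary row; and `user.openshift.io , rbac.authorization.k8s.io` has a stray space before the comma.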