具有 kubernetes 集群角色的 ArgoCD RBAC

Question

Just reading official argo-cd documentation regarding RBAC ( https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/ ), I realize that Argo RBAC configuration only supports mapping either SSO Groups (AD) or local users.

Is there any workaround or a way to configure a permission for ArgoCD by using existing kubernetes clusterroles instead of sso groups? Thanks in advance

I'm trying to do something like this

p, role:staging-db-admins, applications, create, staging-db-admins/*, allow
p, role:staging-db-admins, applications, delete, staging-db-admins/*, allow
p, role:staging-db-admins, applications, get, staging-db-admins/*, allow
p, role:staging-db-admins, applications, override, staging-db-admins/*, allow
p, role:staging-db-admins, applications, sync, staging-db-admins/*, allow
p, role:staging-db-admins, applications, update, staging-db-admins/*, allow
p, role:staging-db-admins, projects, get, staging-db-admins, allow
r, customized_clusterrole, role:staging-db-admins

Answer 1

No, since, as per docs, you can use either local users/groups, or some SSO provider, configured via Dex or standalone (keycloak/Auth0 etc).

To elaborate further, roles, and especially clusterroles make no sense outside of kubernetes itself, they are describing what you can do inside of kubernetes. RoleBindings describe actual mapping between users/groups and roles. From OIDC standpoint, they don't contain required info like Scope, Claim, End user etc.

As per kubernetes docs itself https://kubernetes.io/docs/reference/access-authn-authz/authentication/

Kubernetes does not provide an OpenID Connect Identity Provider. You can use an existing public OpenID Connect Identity Provider (such as Google, or others). Or, you can run your own Identity Provider, such as dex, Keycloak, CloudFoundry UAA, or Tremolo Security's OpenUnison.

So if you really want to make seamless integration between k8s and argocd - you have to use some sort of SSO provider, maybe even hosted inside your cluster.