Security model
Scenario
User | Role | Resource scope | Responsibilities
--- | --- | --- | ---
oneadmin | Super administrator | All |
team01-admin | Project administrator | project team01 |
team02-admin | Project administrator | project team02 |
team01-user01 | Application administrator | team01/production-app |
team01-user02 | Application administrator | team01/staging-app |
Procedure
(1) Edit argocd/argocd-cm to add the local users (at present the ConfigMap has to be edited by hand):

    data:
      accounts.oneadmin: apiKey,login
      accounts.oneadmin.enabled: "true"
      accounts.team01-admin: login
      accounts.team01-admin.enabled: "true"
      accounts.team01-user01: login
      accounts.team01-user01.enabled: "true"
      accounts.team01-user02: login
      accounts.team01-user02.enabled: "true"
      accounts.team02-admin: login
      accounts.team02-admin.enabled: "true"
      admin.enabled: "false"

Note that `admin.enabled: "false"` disables the built-in admin account, so oneadmin becomes the only superuser; make sure oneadmin can actually log in before relying on this setting.
(2) Edit argocd/argocd-rbac-cm to set the RBAC rules for the local users (again a manual ConfigMap edit for now). The policy below is elided ("...") where the page does not show it:

    data:
      policy.csv: |
        ...
        p, role:team01-admin, projects, get, team01, allow
        p, role:team01-admin, repositories, *, team01/*, allow
        p, role:team01-admin, applications, *, team01/*, allow
        p, role:team01-admin, repositories, get, *, allow
        p, role:team01-admin, clusters, get, *, allow
        p, role:team02-admin, projects, get, team02, allow
        p, role:team02-admin, repositories, *, team02/*, allow
        p, role:team02-admin, applications, *, team02/*, allow
        p, role:team02-admin, repositories, get, *, allow
        p, role:team02-admin, clusters, get, *, allow
        p, role:team01-user01, projects, get, team01, allow
        p, role:team01-user01, repositories, get, team01/*, allow
        p, role:team01-user01, repositories, get, *, allow
        p, role:team01-user01, clusters, get, *, allow
        p, role:team01-user01, applications, *, team01/production-app, allow
        p, role:team01-user02, projects, get, team01, allow
        p, role:team01-user02, repositories, get, team01/*, allow
        p, role:team01-user02, repositories, get, *, allow
        p, role:team01-user02, clusters, get, *, allow
        p, role:team01-user02, applications, *, team01/staging-app, allow
        ...
        g, team01-admin, role:team01-admin
        g, team02-admin, role:team02-admin
        g, team01-user01, role:team01-user01
        g, team01-user02, role:team01-user02

Each `p` line is `p, <subject>, <resource>, <action>, <object>, <effect>`; the object of an application or project-scoped repository is written as `<project>/<name>`, which is what keeps the team01 roles out of team02 and the application roles pinned to a single application. The `g` lines bind each local account to its role.
(3) List the local accounts and set their passwords (performed as oneadmin):

    export ARGOCD_OPTS='--port-forward-namespace argocd --port-forward'
    argocd account list
    NAME           ENABLED  CAPABILITIES
    admin          false    login
    oneadmin       true     apiKey, login
    team01-admin   true     login
    team01-user01  true     login
    team01-user02  true     login
    team02-admin   true     login

Set a password:

    argocd account update-password --account <username> --current-password <current password> --new-password <new password>

`--current-password` is the password of the account you are currently logged in as (oneadmin here), not the target account's; `--new-password` is the password being set for `<username>`.
(4) Add global repositories (performed as oneadmin). Without `--project` these repositories are not scoped to any project and can be referenced by any project that lists them in its allowed sources:

    argocd repo add https://code.aliyun.com/bigteam/echo-server01.git
    argocd repo add https://code.aliyun.com/bigteam/echo-server02.git
    argocd repo list
    TYPE  NAME  REPO                                                INSECURE  OCI    LFS    CREDS  STATUS      MESSAGE  PROJECT
    git         https://code.aliyun.com/bigteam/echo-server01.git  false     false  false  false  Successful
    git         https://code.aliyun.com/bigteam/echo-server02.git  false     false  false  false  Successful
(5) Create and configure the projects (performed as oneadmin):
Create projects team01 and team02.
Allow project team01 to use the git repository https://code.aliyun.com/bigteam/echo-server01.git and the cluster https://47.111.181.57:6443.
Allow project team02 to use the git repository https://code.aliyun.com/bigteam/echo-server02.git and the cluster https://47.97.216.237:6443.

    argocd proj create team01
    argocd proj add-source team01 https://code.aliyun.com/bigteam/echo-server01.git
    argocd proj add-destination team01 https://47.111.181.57:6443 "*"
    argocd proj create team02
    argocd proj add-source team02 https://code.aliyun.com/bigteam/echo-server02.git
    argocd proj add-destination team02 https://47.97.216.237:6443 "*"

The `"*"` in `add-destination` is the namespace pattern, so each project may deploy to any namespace of its cluster. Note: this step requires oneadmin to have update permission on clusters, so the current oneadmin role policy has to be updated accordingly.
(6) Create project-scoped repositories (performed by team01-admin and team02-admin respectively; the `repositories, *, teamNN/*` rules from step (2) are what allow this).
First log in as team01-admin:

    argocd login
    Username: team01-admin
    Password: 'team01-admin:login' logged in successfully
    Context 'port-forward' updated

Create a repository inside team01:

    argocd repo add https://code.aliyun.com/team01/echo-server.git --project team01
    Repository 'https://code.aliyun.com/team01/echo-server.git' added

Log in as team02-admin:

    argocd login
    Username: team02-admin
    Password: 'team02-admin:login' logged in successfully
    Context 'port-forward' updated

Create a repository inside team02:

    argocd repo add https://code.aliyun.com/team02/echo-server.git --project team02
    Repository 'https://code.aliyun.com/team02/echo-server.git' added
Testing and verification
First log in as team01-admin:

    argocd login
    Username: team01-admin
    Password: 'team01-admin:login' logged in successfully
    Context 'port-forward' updated

Project administrator permissions
projects resource
Check team01-admin's permissions on the projects resource:

    argocd account can-i create projects "*"
    no
    argocd account can-i update projects "team01"
    no
    argocd account can-i delete projects "team01"
    no
    argocd account can-i get projects "team01"
    yes
    argocd account can-i get projects "team02"
    no

That is, the project administrator can only view project team01 and has no other permissions on projects.
repositories resource
Check team01-admin's permissions on the repositories resource:

    argocd account can-i create repositories "*"
    no
    argocd account can-i update repositories "*"
    no
    argocd account can-i delete repositories "*"
    no
    argocd account can-i get repositories "*"
    yes
    argocd account can-i create repositories "team01/*"
    yes
    argocd account can-i update repositories "team01/*"
    yes
    argocd account can-i delete repositories "team01/*"
    yes
    argocd account can-i get repositories "team01/*"
    yes

That is, the project administrator can only view global repositories, but can create, read, update and delete repositories under team01 (the `repositories, get, *` rule grants the global read, the `repositories, *, team01/*` rule the project-scoped write).
clusters resource
Check team01-admin's permissions on the clusters resource:

    argocd account can-i create clusters "*"
    no
    argocd account can-i update clusters "*"
    no
    argocd account can-i delete clusters "*"
    no
    argocd account can-i get clusters "*"
    yes
    argocd account can-i create clusters "team01/*"
    no
    argocd account can-i update clusters "team01/*"
    no
    argocd account can-i delete clusters "team01/*"
    no

That is, the project administrator can only view global clusters and has no other permissions on clusters.
applications resource
Check team01-admin's permissions on the applications resource:

    argocd account can-i create applications "*"
    no
    argocd account can-i update applications "*"
    no
    argocd account can-i delete applications "*"
    no
    argocd account can-i get applications "*"
    no
    argocd account can-i create applications "team01/*"
    yes
    argocd account can-i update applications "team01/*"
    yes
    argocd account can-i delete applications "team01/*"
    yes
    argocd account can-i get applications "team01/*"
    yes

That is, the project administrator has full create/read/update/delete rights only on applications under team01 and nothing else. Note that `get applications "*"` is denied even though `get repositories "*"` was allowed: the requested object is matched against the policy's object pattern, and `*` as a request does not fall under the pattern `team01/*`.
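To reason about the policy from step (2) without a running Argo CD, the following added example (it is not Argo CD's code or the page's) re-implements the parts of Argo CD's Casbin model that this policy depends on: `p` rules whose resource, action and object fields are glob-matched, `g` lines binding accounts to roles, and `deny` taking precedence over `allow`. It assumes Python's `fnmatchcase` is a close enough stand-in for Argo CD's glob matcher (in both, `*` also spans `/`, which is what makes `team01/*` cover `team01/production-app`). The `can_i` function reproduces the `argocd account can-i` checks above for any of the local accounts, not only team01-admin.

```python
"""Offline evaluator for the Argo CD RBAC policy in this walkthrough (added example)."""
from fnmatch import fnmatchcase

# Transcribed from the argocd-rbac-cm in step (2). The lines the page elides
# with "..." (for example oneadmin's grant) are not on the page and are not reproduced.
POLICY_CSV = """
p, role:team01-admin, projects, get, team01, allow
p, role:team01-admin, repositories, *, team01/*, allow
p, role:team01-admin, applications, *, team01/*, allow
p, role:team01-admin, repositories, get, *, allow
p, role:team01-admin, clusters, get, *, allow
p, role:team02-admin, projects, get, team02, allow
p, role:team02-admin, repositories, *, team02/*, allow
p, role:team02-admin, applications, *, team02/*, allow
p, role:team02-admin, repositories, get, *, allow
p, role:team02-admin, clusters, get, *, allow
p, role:team01-user01, projects, get, team01, allow
p, role:team01-user01, repositories, get, team01/*, allow
p, role:team01-user01, repositories, get, *, allow
p, role:team01-user01, clusters, get, *, allow
p, role:team01-user01, applications, *, team01/production-app, allow
p, role:team01-user02, projects, get, team01, allow
p, role:team01-user02, repositories, get, team01/*, allow
p, role:team01-user02, repositories, get, *, allow
p, role:team01-user02, clusters, get, *, allow
p, role:team01-user02, applications, *, team01/staging-app, allow
g, team01-admin, role:team01-admin
g, team02-admin, role:team02-admin
g, team01-user01, role:team01-user01
g, team01-user02, role:team01-user02
"""


def parse_policy(csv_text):
    """Return (rules, bindings): rules are (subject, resource, action, object, effect)
    tuples; bindings map a subject to the set of roles/groups it is granted."""
    rules, bindings = [], {}
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            rules.append(tuple(fields[1:]))
        elif fields[0] == "g" and len(fields) == 3:
            bindings.setdefault(fields[1], set()).add(fields[2])
        else:
            raise ValueError(f"malformed policy line: {raw!r}")
    return rules, bindings


def subjects_for(account, bindings):
    """The account itself plus every role reachable through g lines (transitively)."""
    seen, todo = {account}, [account]
    while todo:
        for role in bindings.get(todo.pop(), ()):
            if role not in seen:
                seen.add(role)
                todo.append(role)
    return seen


def can_i(account, action, resource, obj, policy=POLICY_CSV):
    """Mirror `argocd account can-i <action> <resource> <obj>` for a local account.

    The request's resource/action/object are the texts; the policy fields are the
    glob patterns. Any matching deny rule wins over allow rules (Argo CD's effect rule).
    """
    rules, bindings = parse_policy(policy)
    subjects = subjects_for(account, bindings)
    effects = {
        eff
        for sub, res, act, pat, eff in rules
        if sub in subjects
        and fnmatchcase(resource, res)
        and fnmatchcase(action, act)
        and fnmatchcase(obj, pat)
    }
    if "deny" in effects:
        return False
    return "allow" in effects


def permission_matrix(account, resource, objects, actions=("create", "update", "delete", "get")):
    """The same grid the walkthrough probes by hand, as {(action, object): allowed}."""
    return {(a, o): can_i(account, a, resource, o) for a in actions for o in objects}


if __name__ == "__main__":
    for (act, obj), ok in permission_matrix("team01-admin", "applications", ["*", "team01/*"]).items():
        print(f"team01-admin {act} applications {obj!r}: {'yes' if ok else 'no'}")
```

Running it prints the applications grid for team01-admin with the same yes/no answers as the `can-i` output above; the useful extra is that the object an Argo CD request actually carries can be plugged in directly, for example `default/team01-admin-echo-server`, to see why an application created without `--project` is refused.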
Application creation test
Look at the resources project team01 allows for project administrator team01-admin: the repositories it may reference are the global repo https://code.aliyun.com/bigteam/echo-server01.git and the project-scoped repo https://code.aliyun.com/team01/echo-server.git, and the only cluster it may target is https://47.111.181.57:6443.

    argocd proj get team01
    Name:                        team01
    Description:
    Destinations:                https://47.111.181.57:6443,*
    Repositories:                https://code.aliyun.com/bigteam/echo-server01.git
    Scoped Repositories:         https://code.aliyun.com/team01/echo-server.git
    Allowed Cluster Resources:   <none>
    Scoped Clusters:             <none>
    Denied Namespaced Resources: <none>
    Signature keys:              <none>
    Orphaned Resources:          disabled

Test creating applications with different repositories and clusters.
Creating an application outside team01 fails (as expected). The command was garbled on the original page; the recoverable parts are the application name, the repo and the cluster, and no `--project`:

    argocd app create team01-admin-echo-server --repo https://code.aliyun.com/bigteam/echo-server02.git --dest-server https://47.97.216.237:6443
    FATA[0001] rpc error: code = PermissionDenied desc = permission denied: applications, create, default/team01-admin-echo-server, sub: team01-admin, iat: 2022-10-20T03:20:47Z

Without `--project` the application lands in the `default` project, so the RBAC object is `default/team01-admin-echo-server`; that matches none of team01-admin's `team01/*` rules, and the request is rejected by RBAC before the spec is validated at all.

Using a repository or cluster the project does not permit:

    argocd app create team01-admin-echo-server --project team01 --repo https://code.aliyun.com/bigteam/echo-server02.git --path manifests/directory/production --dest-namespace team01-admin-echo-server --dest-server https://47.97.216.237:6443
    FATA[0002] rpc error: code = InvalidArgument desc = application spec for team01-admin-echo-server is invalid: InvalidSpecError: application repo https://code.aliyun.com/bigteam/echo-server02.git is not permitted in project 'team01';InvalidSpecError: application destination {https://xx.xx.xx.xx:6443 team01-admin-echo-server} is not permitted in project 'team01'

Here RBAC passes (the object is `team01/team01-admin-echo-server`) and it is the project's source and destination allow-lists that reject the spec; both violations are reported together.

Using a repository and cluster that team01 permits:

    argocd app create team01-admin-echo-server --project team01 --repo https://code.aliyun.com/bigteam/echo-server01.git --path manifests/directory/production --dest-namespace team01-admin-echo-server --dest-server https://xx.xx.xx.xx:6443
    application 'team01-admin-echo-server' created
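The two `InvalidSpecError` messages above come from the project's allow-lists rather than from RBAC. The following added example (not Argo CD's own code) mirrors those two checks, source repository and destination, as glob matches over the `team01` project contents transcribed from `argocd proj get team01`, and it also shows that a sourceRepos entry may itself be a glob such as `https://code.aliyun.com/team01/*`, which goes beyond the exact URLs used on this page. The URL normalisation is a simplified assumption (lower-case, strip a trailing `/` and `.git`), and Argo CD's further project checks (cluster-scoped resource and namespaced resource allow/deny lists, destinations given by cluster name) are deliberately left out.

```python
"""Offline check of what AppProject team01 lets an Application reference (added example)."""
from fnmatch import fnmatchcase

# Transcribed from `argocd proj get team01` above; the scoped repository is the one
# team01-admin added in step (6). Nothing here is invented beyond the dict layout.
TEAM01_PROJECT = {
    "sourceRepos": [
        "https://code.aliyun.com/bigteam/echo-server01.git",
        "https://code.aliyun.com/team01/echo-server.git",
    ],
    "destinations": [
        {"server": "https://47.111.181.57:6443", "namespace": "*"},
    ],
}


def normalize_git_url(url):
    """Simplified URL normalisation (assumption: adequate for https URLs):
    lower-case, drop a trailing '/' and a '.git' suffix so that
    '.../echo-server' and '.../echo-server.git' compare equal."""
    url = url.strip().lower().rstrip("/")
    if url.endswith(".git"):
        url = url[: -len(".git")]
    return url


def is_source_permitted(project, repo_url):
    """True if the normalised repo URL glob-matches any normalised sourceRepos entry."""
    wanted = normalize_git_url(repo_url)
    return any(fnmatchcase(wanted, normalize_git_url(p)) for p in project["sourceRepos"])


def is_destination_permitted(project, server, namespace):
    """True if some destination's server glob and namespace glob both match."""
    return any(
        fnmatchcase(server, d["server"]) and fnmatchcase(namespace, d["namespace"])
        for d in project["destinations"]
    )


def validate_app_spec(project_name, project, repo_url, server, namespace):
    """Return the InvalidSpecError-style messages the API server reported above;
    an empty list means the project accepts the source and destination."""
    errors = []
    if not is_source_permitted(project, repo_url):
        errors.append(f"application repo {repo_url} is not permitted in project '{project_name}'")
    if not is_destination_permitted(project, server, namespace):
        errors.append(
            f"application destination {{{server} {namespace}}} is not permitted in project '{project_name}'"
        )
    return errors


if __name__ == "__main__":
    # Same inputs as the failing `argocd app create ... --project team01` call above.
    for msg in validate_app_spec(
        "team01", TEAM01_PROJECT,
        "https://code.aliyun.com/bigteam/echo-server02.git",
        "https://47.97.216.237:6443", "team01-admin-echo-server",
    ):
        print("InvalidSpecError:", msg)
```

Run as-is it prints the two errors the server returned for the disallowed repo and cluster; changing the repo to echo-server01 and the server to https://47.111.181.57:6443 yields no errors, matching the successful create above.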
Application administrator permissions
Only permissions on application resources inside the project (the `applications, *, team01/<app>` rules), with read-only access to the project, its repositories and the global clusters.