1.创建用户alice

# Apply the argocd-cm ConfigMap shown below (saved locally as argocd-cm.yaml).
kubectl apply -f argocd-cm.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  # Add a local user "alice" with the apiKey and login capabilities:
  #   apiKey - allows generating API keys (tokens) for this account
  #   login  - allows logging in through the UI
  # NOTE(review): grant apiKey only if automation needs tokens for this account;
  # an account that only logs in through the UI needs "login" alone.
  accounts.alice: apiKey, login
  # "true" keeps the account enabled, which is also the default.
  # Set this to "false" to disable alice without removing the account.
  accounts.alice.enabled: "true"

查看用户:

[root@k8s ~]# argocd account list
NAME   ENABLED  CAPABILITIES
admin  true     login
alice  true     apiKey, login

[root@k8s ~]# argocd account get --account alice
Name: alice
Enabled: true
Capabilities: apiKey, login


Tokens:
NONE

 

 

2.设置密码

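# Set the password for the local account "alice" (run while logged in as admin).
#
# --current-password and --new-password are deliberately not passed on the
# command line: when they are omitted the CLI prompts for both values, which
# keeps them out of shell history and the process list.
#   current password - password of the user that is currently logged in
#   new password     - the password to set for alice
#
# If the flags are used anyway, comments must go on their own lines: a
# backslash followed by spaces and a trailing "# ..." does not continue the
# line, so the command is split and the remaining flags are lost.
argocd account update-password \
  --account alice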

使用 alice 登录 Web 界面,此时该用户没有任何权限

 

 3.RBAC赋予权限

如果要限制用户只对某个 project 有权限,对应的 Git 仓库、cluster 集群信息等资源也要新建并归属到该 project

# Register the kubeconfig context kubernetes-admin@kubernetes as a cluster
# scoped to project test2.
# NOTE(review): cluster add installs an argocd-manager ServiceAccount with
# cluster-wide privileges on the target cluster — confirm that is acceptable
# for this cluster, or narrow its permissions afterwards.
argocd cluster add kubernetes-admin@kubernetes  --project test2

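apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  # Every authenticated user falls back to role:readonly, i.e. read access to
  # all resources. Leave policy.default unset to make visibility depend only on
  # the roles explicitly bound to each user.
  policy.default: role:readonly
  policy.csv: |
    # Comments are kept on their own lines. Inside this block scalar a trailing
    # "# ..." is not a YAML comment; it becomes part of the policy line. Every
    # line must also keep the block's indentation: a less-indented line ends
    # the scalar and the policies after it are no longer part of policy.csv.

    # Deny every application action in every project.
    p, role:org-admin, applications, *, */*, deny
    # Alternative: allow application actions (create, delete, ...) only in
    # project test2.
    # p, role:org-admin, applications, *, test2/*, allow

    # Clusters: read-only.
    p, role:org-admin, clusters, get, *, allow

    # Repositories and projects: full read/write on every object.
    # NOTE(review): "*" is instance-wide. If alice should be limited to one
    # project, scope these objects to that project instead of "*".
    p, role:org-admin, repositories, get, *, allow
    p, role:org-admin, repositories, create, *, allow
    p, role:org-admin, repositories, update, *, allow
    p, role:org-admin, repositories, delete, *, allow
    p, role:org-admin, projects, get, *, allow
    p, role:org-admin, projects, create, *, allow
    p, role:org-admin, projects, update, *, allow
    p, role:org-admin, projects, delete, *, allow

    # Pod logs: read.
    p, role:org-admin, logs, get, *, allow

    # NOTE(review): exec grants a terminal inside application pods, here for
    # all projects (*/*). Treat it as a high-privilege permission: grant it
    # only where required and scope it to a project, e.g. test2/*.
    p, role:org-admin, exec, create, */*, allow

    # Bind user alice to role:org-admin.
    g, alice, role:org-admin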

 

 

参考:

https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/

https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/