From 6aa96049c7b65f6f540052d11a56dab0c31a8b7a Mon Sep 17 00:00:00 2001 From: friedrich goerz Date: Fri, 20 Jan 2023 17:08:31 +0100 Subject: [PATCH] DEV-796: added argocd-rbac stuff to restrict mobene-access --- clusterspecifics/appprojects/mobene.yaml | 25 ------------------------ values.yaml | 8 ++++++-- 2 files changed, 6 insertions(+), 27 deletions(-) diff --git a/clusterspecifics/appprojects/mobene.yaml b/clusterspecifics/appprojects/mobene.yaml index dd2afeb..0ef5d3b 100644 --- a/clusterspecifics/appprojects/mobene.yaml +++ b/clusterspecifics/appprojects/mobene.yaml @@ -34,28 +34,3 @@ spec: server: https://kubernetes.default.svc - namespace: mobene-keycloak server: https://kubernetes.default.svc - - roles: - - description: Group to developers to deploy on DEV environment - groups: - - mobenedevs - name: mobene-devs - policies: - - >- - p, proj:mobene:mobenedevs, applications, get, - mobene/*, allow - - >- - p, proj:mobene:mobenedevs, applications, create, - mobene/*, deny - - >- - p, proj:mobene:mobenedevs, applications, update, - mobene/*, deny - - >- - p, proj:mobene:mobenedevs, applications, delete, - mobene/*, deny - - >- - p, proj:mobene:mobenedevs, applications, sync, - mobene/*, allow - - >- - p, proj:mobene:mobenedevs, applications, override, - mobene/*, deny diff --git a/values.yaml b/values.yaml index c9ac581..f0eee71 100644 --- a/values.yaml +++ b/values.yaml @@ -16,11 +16,15 @@ bootstrap: clientSecret: $oidc.keycloak.clientSecret requestedScopes: ["openid", "profile", "email", "groups"] rbacConfig: - policy.default: role:readonly + policy.default: '' policy.csv: | g, admin, role:admin g, argocd-admins, role:admin - g, mobenedevs, role:mobene-devs + g, mobenedevs, role:mobene-users + p, role:mobene-users, project, get, mobene, allow + p, role:mobene-users, applications, get, mobene/*, allow + p, role:mobene-users, applications, sync, mobene/*, allow + p, role:mobene-users, repositories, get, *, allow stage: prodwork01 domain: smardigo.digital
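Review bot: The last added rule in the `policy.csv` block of values.yaml, `p, role:mobene-users, repositories, get, *, allow`, appears to let the mobenedevs group read every repository registered in this Argo CD instance, which is wider than the mobene-only scope of the other rules. If the mobene repositories are project-scoped, `p, role:mobene-users, repositories, get, mobene/*, allow` would keep the role inside its project; otherwise a comment explaining why the wildcard is needed would help the next reviewer. The first added rule names the resource `project`, while Argo CD's RBAC resource is `projects`, so as written it likely never matches and should read `p, role:mobene-users, projects, get, mobene, allow`. The role now relies on `policy.default: ''` to refuse everything it does not list, since the explicit `deny` lines of the removed project role are gone; a one-line comment above `policy.default` saying it must stay empty would guard against a later edit quietly restoring read access for every authenticated user.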