Document multitenancy support in GitOps

Srivaralakshmi · Srivaralakshmi · commit 77666e369e7c · 2024-12-12T21:27:44.000+05:30
Addressing SME review comments

IMplementing SME review comments

pdating and adding info to the docinfo.xml file

Second round of SME review comments incorporation

Fixing nitpick

Incorporating SME + peer review comments

updating docinfo.xml file
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
@@ -96,6 +96,13 @@ Topics:
 - Name: Managing the application set resources in non-control plane namespaces
   File: managing-app-sets-in-non-control-plane-namespaces
 ---
+Name: Multitenancy
+Dir: multitenancy
+Distros: openshift-gitops
+Topics:
+- Name: Multitenancy support in GitOps
+  File: multitenancy-support-in-gitops
+---
 Name: Declarative cluster configuration
 Dir: declarative_clusterconfig
 Distros: openshift-gitops
diff --git a/argocd_instance/setting-up-argocd-instance.adoc b/argocd_instance/setting-up-argocd-instance.adoc
@@ -21,6 +21,12 @@ For {gitops-shortname} version 1.13 and later:
 
 To manage cluster configurations or deploy applications, you can install and deploy a new user-defined Argo CD instance. By default, any new user-defined instance has permissions to manage resources only in the namespace where it is deployed.
 
+[WARNING]
+====
+* A Kubernetes user with access to the Argo CD namespace is an Argo CD administrator and can bypass any role-based access control (RBAC) restrictions configured in Argo CD. Never grant non-administrator users any read or write access to the Argo CD namespace.
+* If non-administrator users create applications, do not allow them to be bound to the default `AppProject` custom resource (CR) because it has no restrictions. Otherwise, the Kubernetes permissions of the Argo CD instances and the default `AppProject` CR allow deployment of everything everywhere. To prevent this situation, lock down the default `AppProject` CR so that no one can use it accidentally, even if someone misconfigures the Argo CD RBAC.
+====
+
 You can create a user-defined Argo CD instance in any namespace, other than the `openshift-gitops` namespace.
 
 [IMPORTANT]
diff --git a/declarative_clusterconfig/configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations.adoc b/declarative_clusterconfig/configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations.adoc
@@ -67,4 +67,5 @@ include::modules/gitops-installing-olm-operators-using-gitops.adoc[leveloffset=+
 == Additional resources
 
 * xref:../installing_gitops/installing-argocd-gitops-cli.adoc#installing-argocd-gitops-cli[Installing the {gitops-shortname} CLI]
-* xref:../gitops_cli_argocd/argocd-gitops-cli-reference.adoc#argocd-gitops-cli-reference[Basic {gitops-shortname} argocd commands]
+* xref:../gitops_cli_argocd/argocd-gitops-cli-reference.adoc#argocd-gitops-cli-reference[Basic {gitops-shortname} argocd commands]
+* xref:../multitenancy/multitenancy-support-in-gitops.adoc#multitenancy-support-in-gitops[Multitenancy support in {gitops-shortname}]
diff --git a/modules/gitops-argocd-projects.adoc b/modules/gitops-argocd-projects.adoc
@@ -0,0 +1,20 @@
+// Module included in the following assemblies:
+//
+// * multitenancy/multitenancy-support-in-gitops.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="gitops-argocd-projects_{context}"]
+= Argo CD projects
+
+Argo CD projects, not to be confused with {OCP} projects, provide a way to group applications together. With Argo CD projects, you can specify restrictions on Applications concerning what resources can be deployed and where they can be deployed. Additionally, you can enable Argo CD role-based access control (RBAC) rules and permissions by defining them more granularly at the project level versus the global level in the Argo CD custom resource (CR).
+
+While you can define tenant RBAC globally in the Operator’s Argo CD CR, you should define tenant RBAC along with restrictions in the `AppProject` CR.
+
+If you have a large number of tenants, attempting to manage all tenants with global RBAC might lead to a lot of repetition. 
+
+If you have many instances of tenants, some of the project configurations might be common across tenant projects. To reduce duplication and minimize maintenance, use global projects for common configuration and inherit them in tenant projects.
+
+[NOTE]
+====
+Always define your projects and never use the default project created with an Argo CD installation by the Operator.
+====
diff --git a/modules/gitops-argocd-rbac.adoc b/modules/gitops-argocd-rbac.adoc
@@ -0,0 +1,14 @@
+// Module included in the following assemblies:
+//
+// * multitenancy/multitenancy-support-in-gitops.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="gitops-argocd-rbac_{context}"]
+= Argo CD role-based access control (RBAC)
+
+Access controls in {gitops-title} are managed at two distinct levels as follows:
+
+* At the Kubernetes level, the {gitops-shortname} Argo CD Application Controller interacts with one or more clusters to deploy various resources by using a single Kubernetes service account per cluster. This service account must have sufficient permissions to deploy resources for all tenants and use cases that this instance of Argo CD is managing.
+* At the Argo CD level, the {gitops-shortname} Argo CD Application Controller includes its own RBAC permissions model independent of Kubernetes. To manage the user-level access, you can use this RBAC model independently of the underlying Kubernetes permissions. You can use this capability to provide access to Argo CD applications that a user would not have access to from a purely Kubernetes perspective.
+
+Because these two access controls and the interaction between components are distinct and separate, privilege escalation becomes a concern when designing a multitenant solution with Argo CD. Privilege escalation is when a tenant leverages the increased privileges of the application controller’s service account to perform actions they would not typically be permitted to perform. You can mitigate the privilege escalation in an Argo CD instance by using the Argo CD RBAC or separate instances of Argo CD.
diff --git a/modules/gitops-cluster-scoped-instance.adoc b/modules/gitops-cluster-scoped-instance.adoc
@@ -0,0 +1,32 @@
+// Module included in the following assemblies:
+//
+// * multitenancy/multitenancy-support-in-gitops.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="gitops-cluster-scoped-instance_{context}"]
+= Cluster-scoped instance 
+
+A cluster-scoped instance is intended to deploy and manage resources across a cluster.
+
+[NOTE]
+====
+If you intend to use the _Applications in any namespace_ feature, choose the mode of the Argo CD instance scope as cluster-scoped instance.
+====
+
+Cluster-scoped instances have access to cluster-level resources and thus are typically, but not always, used for cluster configuration. You can choose to elevate certain namespace-scoped Argo CD instances to become cluster-scoped. To elevate the instances, you must modify the `Subscription` resource of the {gitops-shortname} Operator.
+
+[IMPORTANT]
+====
+* Ensure you give careful consideration while elevating instances.
+* Do not elevate instances that are self-managed by application delivery teams. Elevating such instances would be a severe security risk to the cluster because this action makes users of self-managed instances cluster administrators, and gives them full control over the permissions. 
+====
+
+Much care must be taken when setting up multitenancy configuration within Argo CD. For example, in a use case where cluster administrators want to set up an Argo CD instance that is shared among multiple application delivery teams and is managed by the cluster administrators, having a custom cluster-scoped instance might be what you need.
+
+.How does this method work?
+
+To prevent users from deploying Argo CD instances with `cluster-admin` privileges, you must identify the namespaces with cluster privileges by using the `ARGOCD_CLUSTER_CONFIG_NAMESPACES` environment variable in the `Subscription` resource. 
+
+Because non-cluster administrators do not have access to the `Subscription` resource, they cannot elevate the privileges of their instance and bypass cluster security.
+
+When an instance is designated as cluster-scoped, the Operator automatically creates a set of cluster role and cluster role bindings for the Argo CD Application Controller and server service accounts in that namespace. This default role is not intended to be the equivalent of the standard `cluster-admin` role. It is given a much smaller set of permissions. These permissions can be extended by creating additional cluster roles or cluster role bindings as needed.
diff --git a/modules/gitops-default-cluster-scoped-instance.adoc b/modules/gitops-default-cluster-scoped-instance.adoc
@@ -0,0 +1,22 @@
+// Module included in the following assemblies:
+//
+// * multitenancy/multitenancy-support-in-gitops.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="gitops-default-cluster-scoped-instance_{context}"]
+= Default cluster-scoped instance 
+
+After you install the {gitops-shortname} Operator, by default, it instantiates a cluster-scoped instance in the `openshift-gitops` namespace. This instance is set up in a very opinionated way and is intended to allow cluster administrators to manage certain cluster configuration resources.
+
+[IMPORTANT]
+====
+* Do not use the default cluster-scoped instance for anything else, such as application delivery. 
+* Do not grant permission to users who do not have `cluster-admin` roles to access the default cluster-scoped instance.
+====
+
+The default instance does not have full `cluster-admin` privileges. It has read access to all resources in the cluster, but it can only deploy a limited set of resources.
+
+[NOTE]
+====
+Use the default Argo CD instance in the `openshift-gitops` namespace for cluster configuration and delegate tenant use cases to one or many separate instances in other namespaces.
+====
diff --git a/modules/gitops-inbuilt-permissions-for-cluster-config.adoc b/modules/gitops-inbuilt-permissions-for-cluster-config.adoc
@@ -10,7 +10,8 @@ By default, the Argo CD instance has permissions to manage specific cluster-scop
 
 [NOTE]
 ====
-Argo CD does not have cluster-admin permissions.
+* Argo CD does not have `cluster-admin` permissions.
+* You can extend the permissions bound to any Argo CD instances managed by the {gitops-shortname} Operator. However, you must not modify the permission resources, such as roles or cluster roles created by the {gitops-shortname} Operator, because the Operator might reconcile them back to their initial state. Instead, create dedicated role and cluster role objects and bind them to the appropriate service account that the application controller uses.
 ====
 
 Permissions for the Argo CD instance:
diff --git a/modules/gitops-namespace-scoped-instance.adoc b/modules/gitops-namespace-scoped-instance.adoc
@@ -0,0 +1,35 @@
+// Module included in the following assemblies:
+//
+// * multitenancy/multitenancy-support-in-gitops.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="gitops-namespace-scoped-instance_{context}"]
+= Namespace-scoped instance (Application delivery instance)
+
+After you create an Argo CD custom resource (CR) in one of your namespaces, the {gitops-shortname} Operator starts an Argo CD in this namespace, which you can use for application delivery. In its initial state, this instance has permission to deploy resources only in the same namespace in which it is installed. However, you may need to configure the instance to meet your specific requirements.
+
+With the {gitops-shortname} Operator, you can extend the permissions of the Argo CD instance to enable the Argo CD Application Controller to deploy resources into other namespaces apart from where it is installed. 
+
+[NOTE]
+====
+The roles that the {gitops-shortname} Operator in the namespace creates are namespace-scoped and only have access to namespace resources. The Operator cannot perform any actions outside of the namespaces it manages.
+====
+
+.How does this method work?
+
+The {gitops-shortname} Operator allows OpenShift users to instantiate Argo CD instances in their namespaces, as long as they have permission to create Argo CD resources in the `argoproj.io/v1alpha1` or `argoproj.io/v1beta1` API in their namespace. Currently, a namespace-scoped instance has full administrative permissions for one or many namespaces it manages, similar to allowing all verbs for all resources within that namespace.
+
+For the Argo CD Application Controller to deploy resources into any other namespace, you need Kubernetes roles and role bindings to label and indicate these namespaces that you want a namespace-scoped instance to manage. The {gitops-shortname} Operator supports the use of the `argocd.argoproj.io/managed-by` label to automatically create these roles and role bindings. Use this label and set the value to indicate the managed namespaces. Then, with the `argocd.argoproj.io/managed-by` label, when you deploy the {gitops-shortname} Operator in the namespace-scoped instance mode, it creates a set of roles and role bindings in every namespace that the instance manages. 
+
+[IMPORTANT]
+====
+The `argocd.argoproj.io/managed-by` label only works for namespaces in the same cluster as the {gitops-shortname} Operator. For remote clusters, you must define the permissions manually.
+====
+
+By default, when labeling the namespace using the `managed-by` label, the {gitops-shortname} Operator gives the Argo CD Application Controller permissions equivalent to the Kubernetes default `admin` cluster role for the labeled namespace. However, you can opt to define an alternate cluster role that is used for the controller and server components by using the `CONTROLLER_CLUSTER_ROLE` and `CONTROLLER_SERVER_ROLE` environment variables respectively in the Operator's `Subscription` resource.  When you provide these variables, the Operator will not create a default role in the namespace but rather only create a role binding in the namespace of the corresponding cluster role. It is up to the administrator to create the cluster role, having full control over the permissions.
+
+[NOTE]
+====
+* When defining your role, Argo CD will attempt to interact with all resources. Therefore, you must either provide permission to `view`, `get`, and `watch` all resources in your custom cluster role, or configure the Argo CD CR to include or exclude specific resources through the `resourceInclusions` or `resourceExclusions` fields defined in the role.
+* It is not possible to manage cluster-scoped resources, such as namespaces, custom resource definitions (CRDs), or cluster roles with a namespace-scoped instance.
+====
diff --git a/modules/gitops-using-argo-cd-instance-to-manage-cluster-scoped-resources.adoc b/modules/gitops-using-argo-cd-instance-to-manage-cluster-scoped-resources.adoc
@@ -6,6 +6,11 @@
 [id="using-argo-cd-instance-to-manage-cluster-scoped-resources_{context}"]
 = Using an Argo CD instance to manage cluster-scoped resources
 
+[WARNING]
+====
+Do not elevate the permissions of Argo CD instances to be cluster-scoped unless you have a distinct use case that requires it. Only users with `cluster-admin` privileges should manage the instances you elevate. Anyone with access to the namespace of a cluster-scoped instance can elevate their privileges on the cluster to become a cluster administrator themselves.
+====
+
 To manage cluster-scoped resources, update the existing `Subscription` object for the {gitops-title} Operator and add the namespace of the Argo CD instance to the `ARGOCD_CLUSTER_CONFIG_NAMESPACES` environment variable in the `spec` section.
 
 .Procedure
diff --git a/multitenancy/_attributes b/multitenancy/_attributes
@@ -0,0 +1 @@
+../_attributes
diff --git a/multitenancy/docinfo.xml b/multitenancy/docinfo.xml
@@ -0,0 +1,11 @@
+<title>Multitenancy</title>
+<productname>{product-title}</productname>
+<productnumber>{product-version}</productnumber>
+<subtitle>Understanding multitenancy support in GitOps</subtitle>
+<abstract>
+    <para>This document provides an understanding of multitenancy support in GitOps. It also provides an understanding of Argo CD instance scopes and when to choose a particular mode.</para>
+</abstract>
+<authorgroup>
+    <orgname>Red Hat OpenShift Documentation Team</orgname>
+</authorgroup>
+<xi:include href="Common_Content/Legal_Notice.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
diff --git a/multitenancy/images b/multitenancy/images
@@ -0,0 +1 @@
+../images
diff --git a/multitenancy/modules b/multitenancy/modules
@@ -0,0 +1 @@
+../modules
diff --git a/multitenancy/multitenancy-support-in-gitops.adoc b/multitenancy/multitenancy-support-in-gitops.adoc
@@ -0,0 +1,66 @@
+:_content-type: ASSEMBLY
+include::_attributes/common-attributes.adoc[]
+[id="multitenancy-support-in-gitops"]
+= Multitenancy support in GitOps
+:context: multitenancy-support-in-gitops
+
+toc::[]
+
+Multitenancy is a software architecture where a single software instance serves multiple distinct user groups, or tenants. Using multitenancy, you can share a single Argo CD instance to deploy resources while maintaining isolation between users. This section helps cluster administrators to understand Argo CD instance scopes and when to choose a particular mode.
+
+With {gitops-title} Operator on {OCP}, as a cluster administrator, you can provide multitenant access to the cluster for application delivery teams (tenants). You can allow tenants to create and manage dedicated Argo CD instances in their user-defined namespaces without having administrative permissions. The tenants have full autonomy and can tailor this instance to their needs and requirements without interfering with other tenants.
+
+[NOTE]
+====
+For a multitenant cluster, the person managing the Argo CD instance may not be the person who manages the cluster and its users. Therefore, you cannot have the Argo CD Application Controller (`argocd-application-controller` component) as a superuser in the cluster.
+====
+
+The Argo CD Application Controller reconciles resources in the managed clusters. Therefore, to use multitenancy in the {gitops-shortname} Operator, depending on your use cases, tenants, and requirements, you must configure, grant, extend, or restrict specific permissions explicitly to Argo CD instances, applications, and on remote clusters to perform certain operations.
+
+[id="gitops-argocd-instance-scopes_{context}"]
+== Argo CD instance scopes
+
+The {gitops-title} Operator creates instances that you can classify broadly into the following modes, all supporting multitenancy:
+
+* Namespace-scoped instance (Application delivery instance)
+* Cluster-scoped instance
+* Default cluster-scoped instance
+
+// Namespace-scoped instance (Application delivery instance)
+include::modules/gitops-namespace-scoped-instance.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+* xref:../argocd_instance/setting-up-argocd-instance.adoc#gitops-deploy-resources-different-namespaces_setting-up-argocd-instance[Deploying resources to a different namespace]
+
+// Cluster-scoped instance
+include::modules/gitops-cluster-scoped-instance.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+* xref:../argocd_applications/managing-apps-in-non-control-plane-namespaces.adoc#managing-apps-in-non-control-plane-namespaces[Managing the application resources in non-control plane namespaces]
+
+// Default cluster-scoped instance
+include::modules/gitops-default-cluster-scoped-instance.adoc[leveloffset=+2]
+
+[id="important-considerations-when-adopting-the-multitenancy-model_{context}"]
+== Important considerations when adopting the multitenancy model
+
+Granting multitenant cluster administration privileges might allow tenants to bypass any multitenancy efforts and permission restrictions because they might elevate their privileges using permissions granted to the application by Argo CD. To prevent such situations, you must understand the permission model for Argo CD installed through the {gitops-title} Operator and how to leverage it to be successful with OpenShift {gitops-shortname} for application delivery.
+
+// Argo CD role-based access control (RBAC)
+include::modules/gitops-argocd-rbac.adoc[leveloffset=+2]
+
+// Argo CD projects
+include::modules/gitops-argocd-projects.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+[id="additional-resources_{context}"]
+== Additional resources
+
+* xref:../understanding_openshift_gitops/about-redhat-openshift-gitops.adoc#gitops-openshift-go-common-terms_about-redhat-openshift-gitops[Glossary of common terms for OpenShift {gitops-shortname}]
+* link:https://developers.redhat.com/articles/2023/03/06/5-global-environment-variables-provided-openshift-gitops#[5 global environment variables provided by {gitops-title}]
+* xref:../declarative_clusterconfig/configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations.adoc#configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations[Elevating Argo CD instances to cluster-scoped instances]
+* link:https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/[Understanding on how to set up the role-based access control (RBAC) policies]
+* link:https://argo-cd.readthedocs.io/en/stable/user-guide/projects/#configuring-global-projects-v18[Configuring global projects]
+* link:https://www.redhat.com/en/blog/a-guide-to-using-gitops-and-argocd-with-rbac[Using {gitops-shortname} and Argo CD with RBAC]
diff --git a/multitenancy/snippets b/multitenancy/snippets
@@ -0,0 +1 @@
+../snippets
