|
| 1 | +// Module included in the following assembly: |
| 2 | +// |
| 3 | +// * declarative_clusterconfig/configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations.adoc |
| 4 | + |
| 5 | +:_mod-docs-content-type: PROCEDURE |
| 6 | +[id="gitops-configuring-respect-rbac-using-gitops_{context}"] |
| 7 | += Configuring respectRBAC using {gitops-title} |
| 8 | + |
| 9 | +The `respectRBAC` feature in Argo CD controls how Argo CD watches resources on a cluster. By default, Argo CD attempts to watch all Kubernetes resources (CRDs) on a cluster at the cluster scope. With the `respectRBAC` feature, you can restrict the ArgoCD controller from discovering or syncing specific resources using only controller RBAC, without manually configuring resource exclusions. |
| 10 | + |
| 11 | +To enable this feature, set the `.spec.controller.respectRBAC` key in the Argo CD resource. After you set this key, the controller automatically stops watching resources it cannot list or access. For example, this prevents a situation where the Argo CD cluster role restricts Argo CD from watching OpenShift Routes, which would otherwise result in an error during synchronization, stating that it cannot watch the resource. |
| 12 | + |
| 13 | +You can enable the `respectRBAC` feature by creating an Argo CD instance through the command-line interface (CLI) or the web console. |
| 14 | + |
| 15 | +.Prerequisites |
| 16 | + |
| 17 | +Ensure that you created and updated a namespace in the `Subscription` resource, so `Subscription` can host a cluster-scoped Argo CD instance. For more information, see "Using an Argo CD instance to manage cluster-scoped resources". |
| 18 | + |
| 19 | +[id="configuring-respectRBAC-using-the-cli_{context}"] |
| 20 | +== Configuring respectRBAC using the CLI |
| 21 | + |
| 22 | +You can configure the `respectRBAC` feature by using the CLI. |
| 23 | + |
| 24 | +.Procedure |
| 25 | + |
| 26 | +. Create a YAML object file, for example, `argo-cd-resource.yaml`, to configure the `respectRBAC` feature: |
| 27 | ++ |
| 28 | +.Example `ArgoCD` YAML to create `respectRBAC` |
| 29 | +[source,yaml] |
| 30 | +---- |
| 31 | +apiVersion: argoproj.io/v1beta1 |
| 32 | +kind: ArgoCD |
| 33 | +metadata: |
| 34 | + name: example-argocd #<1> |
| 35 | +spec: |
| 36 | + controller: |
| 37 | + respectRBAC: strict #<2> |
| 38 | +---- |
| 39 | +<1> Specify the name of the Argo CD instance. |
| 40 | +<2> You can specify the value of the `.spec.controller.respectRBAC` key in the `ArgoCD` resource as `normal` or `strict`. Consider setting a value as `normal` to balance accuracy and speed as resource listing is a lightweight operation. Set the value as `strict` if Argo CD reports errors indicating that it cannot access resources when you set the value as `normal`. Setting `strict` increases the number of API calls to the server and it is more accurate compared to `normal` as Argo CD performs additional validations of RBAC resources to determine permissions. |
| 41 | + |
| 42 | +. Apply the changes to the YAML file by running the following command. |
| 43 | ++ |
| 44 | +[source,terminal] |
| 45 | +---- |
| 46 | +$ oc apply -f argocd-resource.yaml -n argo-cd-instance #<1> |
| 47 | +---- |
| 48 | +<1> Specify the name of the YAML file that includes the `ArgoCD` resource and the namespace that hosts `ArgoCD`. |
| 49 | ++ |
| 50 | +. Verify that the status of the `.status.phase` field is `Available` by running the following command: |
| 51 | ++ |
| 52 | +[source,terminal] |
| 53 | +---- |
| 54 | +$ oc get argocd <argocd_instance_name> -n <argocd_namespace> -o jsonpath='{.status.phase}' #<1> |
| 55 | +---- |
| 56 | +<1> Replace `<argocd_instance_name>` with the name of your Argo CD instance for example, `example-argocd`. |
| 57 | + |
| 58 | +. Verify that the `resource.respectRBAC` parameter in the `ConfigMap` resource is updated successfully: |
| 59 | +.. To retrieve the contents of the `argocd-cm` config map, run the following command: |
| 60 | ++ |
| 61 | +[source,terminal] |
| 62 | +---- |
| 63 | +$ oc get cm argocd-cm -n <argocd_namespace> -o yaml |
| 64 | +---- |
| 65 | +.. Verify that the `argocd-cm` `ConfigMap` contains the `resource.respectRBAC` parameter and ensure its value is set to either `strict` or `normal`. |
| 66 | + |
| 67 | +[id="configuring-respectRBAC-using-the-web-UI_{context}"] |
| 68 | +== Configuring respectRBAC by using the web console |
| 69 | + |
| 70 | +You can configure `respectRBAC` in the web console. |
| 71 | + |
| 72 | +.Procedure |
| 73 | + |
| 74 | +. Log in to the {OCP} web console. |
| 75 | + |
| 76 | +. In the *Administrator* perspective of the web console, click *Operators* -> *Installed Operators*. |
| 77 | + |
| 78 | +. Create or select the project where you want to install the user-defined Argo CD instance from the *Project* list. |
| 79 | + |
| 80 | +. Select *{gitops-title}* from the installed Operators list and click the *Argo CD* tab. |
| 81 | + |
| 82 | +. Configure the `respectRBAC` parameter in the *Argo CD* tab. |
| 83 | ++ |
| 84 | +[source,yaml] |
| 85 | +---- |
| 86 | +spec: |
| 87 | + controller: |
| 88 | + respectRBAC: strict |
| 89 | +---- |
| 90 | + |
| 91 | +. Click *Create*. |
| 92 | ++ |
| 93 | +After successful installation, verify that the Argo CD instance is listed under the *Argo CD* tab and the *Status* is *Available*. |
| 94 | + |
| 95 | +. After the Argo CD instance is created, verify that the `resource.respectRBAC` parameter in the `ConfigMap` resource is updated successfully by completing the following steps. |
| 96 | + |
| 97 | +.. In the *Administrator* perspective, go to *Workload* -> *ConfigMaps*. |
| 98 | +.. In the *Project* option, select the *Argo CD* namespace. |
| 99 | +.. Select the `argocd-cm` config map. |
| 100 | +.. Select the *YAML* tab to view the `resource.respectRBAC` parameter. |
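Review bot: The file name in the CLI procedure does not match between steps: line 26 tells the reader to create `argo-cd-resource.yaml`, but the apply command on line 46 uses `argocd-resource.yaml`, so following the steps literally points `oc apply -f` at a file that was never created. Use one name in both places. On the same command, consider replacing the hard-coded `-n argo-cd-instance` with `<argocd_namespace>` so it matches the placeholders used by the later `oc get` commands on lines 54 and 63. Smaller points: the `+` list continuation on line 49 sits directly before a new list item and attaches nothing, so it can be dropped; the sentence on line 42 introduces a command but ends with a period where the other steps use a colon; the callout on line 56 explains `<argocd_instance_name>` but not `<argocd_namespace>`, and is missing a comma before "for example". In the introduction on line 9, "all Kubernetes resources (CRDs)" reads as if CRDs and Kubernetes resources were the same thing; please reword so the scope of what the controller watches, and therefore what `respectRBAC` restricts, is unambiguous.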