rbac argo

cluster-resources/network/deny-external-egress-trivy.yaml

@@ -1,37 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: deny-external-egress
-  namespace: trivy-system
-  labels:
-    app.kubernetes.io/managed-by: argocd
-    app.kubernetes.io/part-of: network-policies
-spec:
-  endpointSelector: {}
-  egress:
-    # Allow DNS resolution
-    - toEndpoints:
-        - matchLabels:
-            io.kubernetes.pod.namespace: kube-system
-            k8s-app: kube-dns
-      toPorts:
-        - ports:
-            - port: "53"
-              protocol: UDP
-            - port: "53"
-              protocol: TCP
-
-    # Allow cluster-internal traffic (RFC1918)
-    - toCIDR:
-        - 10.0.0.0/8
-        - 172.16.0.0/12
-        - 192.168.0.0/16
-
-    # Allow Trivy vulnerability DB downloads (ghcr.io OCI registry)
-    - toFQDNs:
-        - matchName: ghcr.io
-        - matchName: pkg-containers.githubusercontent.com
-      toPorts:
-        - ports:
-            - port: "443"
-              protocol: TCP

docs/REFERENCE.md

@@ -693,25 +693,7 @@ configs:
     scopes: '[groups]'
 ```
 
-**Access Control**: Only users in declared Keycloak groups can access ArgoCD. Users not in any group are denied (`policy.default: ""`). Assign users to groups in Keycloak admin console.
+**Access Control**: Only users in Keycloak groups `ArgoCD Admins` or `ArgoCD Viewers` can access ArgoCD. Users not in either group are denied (empty `policy.default`). Assign users to groups in Keycloak admin console.
-
-| KC Group | ArgoCD Role | Access |
-|----------|-------------|--------|
-| `ArgoCD Admins` | `role:admin` | Full control over all apps |
-| `ArgoCD Viewers` | `role:readonly` | Read-only access to all apps |
-| `Observability Team` | `role:observability` | Get/sync monitoring apps (prometheus, loki, fluent-bit, tempo, grafana, opencost) |
-| `Dev Tools Team` | `role:devtools` | Get/sync dev tool apps (gitea, gitea-actions, renovate, karpor) |
-| `App Developers` | `role:app-dev` | Get/sync/action on enterprise-apps only |
-
-**Per-Cluster RBAC**: Add cluster-specific policies in `infra/values/<cluster>/argocd-values.yaml` using `configs.rbac.policy.<cluster>.csv`. ArgoCD concatenates all `policy.*.csv` keys alphabetically after `policy.csv`. Example:
-```yaml
-# infra/values/upc-dev/argocd-values.yaml
-configs:
-  rbac:
-    policy.upc-dev.csv: |
-      p, role:staging-deployer, applications, sync, default/enterprise-apps, allow
-      g, Staging Deployers, role:staging-deployer
-```
 
 - ArgoCD does NOT add `openid` implicitly — must include in `requestedScopes`
 - Do NOT add `groups` as a scope — the KC groups mapper emits the claim regardless

infra/base/kustomization.yaml

@@ -20,4 +20,5 @@ resources:
 - renovate.yaml
 - tempo.yaml
 - grafana-dashboards.yaml
+- network-policies-application.yaml
 - karpor.yaml

infra/base/loki.yaml

@@ -40,9 +40,3 @@ spec:
     - CreateNamespace=true
     - Validate=true
     - ServerSideApply=true
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates

infra/base/network-policies-application.yaml

@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: network-policies
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: network-policies
+    app.kubernetes.io/part-of: platform
+    app.kubernetes.io/managed-by: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: cluster-resources/network
+
+  destination:
+    server: https://kubernetes.default.svc
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+
+    syncOptions:
+    - Validate=true
+    - ServerSideApply=true

infra/base/tempo.yaml

@@ -40,9 +40,3 @@ spec:
     - CreateNamespace=true
     - Validate=true
     - ServerSideApply=true
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates

infra/values/base/argocd-values.yaml

@@ -20,55 +20,10 @@ configs:
       clientSecret: $oidc.clientSecret
       requestedScopes: ["openid", "email", "profile"]
   rbac:
-    # Base RBAC — org-wide roles shared across all clusters.
-    # Per-cluster policies go in infra/values/<cluster>/argocd-values.yaml
-    # as configs.rbac.policy.<cluster>.csv (ArgoCD concatenates all policy.*.csv keys)
     policy.csv: |
-      # Platform administrators — full control
       g, ArgoCD Admins, role:admin
-
-      # Read-only viewers — see all, change nothing
       g, ArgoCD Viewers, role:readonly
-
+    # Deny users not in any declared KC group (ArgoCD Admins / ArgoCD Viewers)
-      # --- Per-team roles (scoped to default project app names) ---
-      # Observability team — manage monitoring stack
-      p, role:observability, applications, get, default/prometheus, allow
-      p, role:observability, applications, get, default/loki, allow
-      p, role:observability, applications, get, default/fluent-bit, allow
-      p, role:observability, applications, get, default/tempo, allow
-      p, role:observability, applications, get, default/grafana, allow
-      p, role:observability, applications, get, default/grafana-dashboards, allow
-      p, role:observability, applications, get, default/opencost, allow
-      p, role:observability, applications, sync, default/prometheus, allow
-      p, role:observability, applications, sync, default/loki, allow
-      p, role:observability, applications, sync, default/fluent-bit, allow
-      p, role:observability, applications, sync, default/tempo, allow
-      p, role:observability, applications, sync, default/grafana, allow
-      p, role:observability, applications, sync, default/grafana-dashboards, allow
-      p, role:observability, applications, sync, default/opencost, allow
-      p, role:observability, logs, get, default/*, allow
-      g, Observability Team, role:observability
-
-      # Dev tools team — manage gitea, renovate, karpor
-      p, role:devtools, applications, get, default/gitea, allow
-      p, role:devtools, applications, get, default/gitea-actions, allow
-      p, role:devtools, applications, get, default/renovate, allow
-      p, role:devtools, applications, get, default/karpor, allow
-      p, role:devtools, applications, sync, default/gitea, allow
-      p, role:devtools, applications, sync, default/gitea-actions, allow
-      p, role:devtools, applications, sync, default/renovate, allow
-      p, role:devtools, applications, sync, default/karpor, allow
-      p, role:devtools, logs, get, default/*, allow
-      g, Dev Tools Team, role:devtools
-
-      # App developers — manage enterprise apps only
-      p, role:app-dev, applications, get, default/enterprise-apps, allow
-      p, role:app-dev, applications, sync, default/enterprise-apps, allow
-      p, role:app-dev, applications, action, default/enterprise-apps, allow
-      p, role:app-dev, logs, get, default/enterprise-apps, allow
-      g, App Developers, role:app-dev
-
-    # Deny users not in any declared KC group
     policy.default: ""
     scopes: '[groups]'
   params:

infra/values/base/keycloak-values.yaml

@@ -175,18 +175,6 @@ keycloakConfigCli:
           {
             "name": "ArgoCD Viewers",
             "path": "/ArgoCD Viewers"
-          },
-          {
-            "name": "Observability Team",
-            "path": "/Observability Team"
-          },
-          {
-            "name": "Dev Tools Team",
-            "path": "/Dev Tools Team"
-          },
-          {
-            "name": "App Developers",
-            "path": "/App Developers"
           }
         ]
       }