rbac

ignore diff
netpol all remove
2026-04-27 11:03:12 +02:00 · 2026-04-26 23:55:55 +02:00 · 2026-04-25 16:04:13 +02:00 · 2026-04-25 11:49:17 +02:00
8 changed files with 126 additions and 36 deletions
--- a/cluster-resources/network/deny-external-egress-trivy.yaml
+++ b/cluster-resources/network/deny-external-egress-trivy.yaml
@@ -0,0 +1,37 @@
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: deny-external-egress
  namespace: trivy-system
  labels:
    app.kubernetes.io/managed-by: argocd
    app.kubernetes.io/part-of: network-policies
 spec:
  endpointSelector: {}
  egress:
    # Allow DNS resolution
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "53"
              protocol: TCP
    # Allow cluster-internal traffic (RFC1918)
    - toCIDR:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
    # Allow Trivy vulnerability DB downloads (ghcr.io OCI registry)
    - toFQDNs:
        - matchName: ghcr.io
        - matchName: pkg-containers.githubusercontent.com
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -693,7 +693,25 @@ configs:
    scopes: '[groups]'
 ```
-**Access Control**: Only users in Keycloak groups `ArgoCD Admins` or `ArgoCD Viewers` can access ArgoCD. Users not in either group are denied (empty `policy.default`). Assign users to groups in Keycloak admin console.
+**Access Control**: Only users in declared Keycloak groups can access ArgoCD. Users not in any group are denied (`policy.default: ""`). Assign users to groups in Keycloak admin console.
 | KC Group | ArgoCD Role | Access |
 |----------|-------------|--------|
 | `ArgoCD Admins` | `role:admin` | Full control over all apps |
 | `ArgoCD Viewers` | `role:readonly` | Read-only access to all apps |
 | `Observability Team` | `role:observability` | Get/sync monitoring apps (prometheus, loki, fluent-bit, tempo, grafana, opencost) |
 | `Dev Tools Team` | `role:devtools` | Get/sync dev tool apps (gitea, gitea-actions, renovate, karpor) |
 | `App Developers` | `role:app-dev` | Get/sync/action on enterprise-apps only |
 **Per-Cluster RBAC**: Add cluster-specific policies in `infra/values/<cluster>/argocd-values.yaml` using `configs.rbac.policy.<cluster>.csv`. ArgoCD concatenates all `policy.*.csv` keys alphabetically after `policy.csv`. Example:
 ```yaml
 # infra/values/upc-dev/argocd-values.yaml
 configs:
  rbac:
    policy.upc-dev.csv: |
      p, role:staging-deployer, applications, sync, default/enterprise-apps, allow
      g, Staging Deployers, role:staging-deployer
 ```
 - ArgoCD does NOT add `openid` implicitly — must include in `requestedScopes`
 - Do NOT add `groups` as a scope — the KC groups mapper emits the claim regardless
--- a/infra/base/kustomization.yaml
+++ b/infra/base/kustomization.yaml
@@ -20,5 +20,4 @@ resources:
 - renovate.yaml
 - tempo.yaml
 - grafana-dashboards.yaml
 - network-policies-application.yaml
 - karpor.yaml
--- a/infra/base/loki.yaml
+++ b/infra/base/loki.yaml
@@ -40,3 +40,9 @@ spec:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
  ignoreDifferences:
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/infra/base/network-policies-application.yaml
+++ b/infra/base/network-policies-application.yaml
@@ -1,33 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: network-policies
  namespace: argocd
  labels:
    app.kubernetes.io/name: network-policies
    app.kubernetes.io/part-of: platform
    app.kubernetes.io/managed-by: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    path: cluster-resources/network
  destination:
    server: https://kubernetes.default.svc
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - Validate=true
    - ServerSideApply=true
--- a/infra/base/tempo.yaml
+++ b/infra/base/tempo.yaml
@@ -40,3 +40,9 @@ spec:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
  ignoreDifferences:
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/infra/values/base/argocd-values.yaml
+++ b/infra/values/base/argocd-values.yaml
@@ -20,10 +20,55 @@ configs:
      clientSecret: $oidc.clientSecret
      requestedScopes: ["openid", "email", "profile"]
  rbac:
    # Base RBAC — org-wide roles shared across all clusters.
    # Per-cluster policies go in infra/values/<cluster>/argocd-values.yaml
    # as configs.rbac.policy.<cluster>.csv (ArgoCD concatenates all policy.*.csv keys)
    policy.csv: |
      # Platform administrators — full control
      g, ArgoCD Admins, role:admin
      # Read-only viewers — see all, change nothing
      g, ArgoCD Viewers, role:readonly
-    # Deny users not in any declared KC group (ArgoCD Admins / ArgoCD Viewers)
+
      # --- Per-team roles (scoped to default project app names) ---
      # Observability team — manage monitoring stack
      p, role:observability, applications, get, default/prometheus, allow
      p, role:observability, applications, get, default/loki, allow
      p, role:observability, applications, get, default/fluent-bit, allow
      p, role:observability, applications, get, default/tempo, allow
      p, role:observability, applications, get, default/grafana, allow
      p, role:observability, applications, get, default/grafana-dashboards, allow
      p, role:observability, applications, get, default/opencost, allow
      p, role:observability, applications, sync, default/prometheus, allow
      p, role:observability, applications, sync, default/loki, allow
      p, role:observability, applications, sync, default/fluent-bit, allow
      p, role:observability, applications, sync, default/tempo, allow
      p, role:observability, applications, sync, default/grafana, allow
      p, role:observability, applications, sync, default/grafana-dashboards, allow
      p, role:observability, applications, sync, default/opencost, allow
      p, role:observability, logs, get, default/*, allow
      g, Observability Team, role:observability
      # Dev tools team — manage gitea, renovate, karpor
      p, role:devtools, applications, get, default/gitea, allow
      p, role:devtools, applications, get, default/gitea-actions, allow
      p, role:devtools, applications, get, default/renovate, allow
      p, role:devtools, applications, get, default/karpor, allow
      p, role:devtools, applications, sync, default/gitea, allow
      p, role:devtools, applications, sync, default/gitea-actions, allow
      p, role:devtools, applications, sync, default/renovate, allow
      p, role:devtools, applications, sync, default/karpor, allow
      p, role:devtools, logs, get, default/*, allow
      g, Dev Tools Team, role:devtools
      # App developers — manage enterprise apps only
      p, role:app-dev, applications, get, default/enterprise-apps, allow
      p, role:app-dev, applications, sync, default/enterprise-apps, allow
      p, role:app-dev, applications, action, default/enterprise-apps, allow
      p, role:app-dev, logs, get, default/enterprise-apps, allow
      g, App Developers, role:app-dev
    # Deny users not in any declared KC group
    policy.default: ""
    scopes: '[groups]'
  params:
--- a/infra/values/base/keycloak-values.yaml
+++ b/infra/values/base/keycloak-values.yaml
@@ -175,6 +175,18 @@ keycloakConfigCli:
          {
            "name": "ArgoCD Viewers",
            "path": "/ArgoCD Viewers"
          },
          {
            "name": "Observability Team",
            "path": "/Observability Team"
          },
          {
            "name": "Dev Tools Team",
            "path": "/Dev Tools Team"
          },
          {
            "name": "App Developers",
            "path": "/App Developers"
          }
        ]
      }
Author	SHA1	Message	Date
Danijel Simeunovic	85d150d3d4	rbac	2026-04-27 11:03:12 +02:00
Danijel Simeunovic	cc9c9049eb	ignore diff	2026-04-26 23:55:55 +02:00
Danijel Simeunovic	9f6c5105af	netpol all remove	2026-04-25 16:04:13 +02:00
Danijel Simeunovic	45e502d74d	argocd tls	2026-04-25 11:49:17 +02:00