The goal of this repo is to showcase the ACM / GitOps operator integration and the RBAC configuration needed to achieve multitenancy.
The tutorial considers the following sample customer scenario:
- An organization with two or more teams [ e.g. team1 and team2 ]
- Each team maintains and manages its own projects (applications). [ team1 -> project: DEV1, team2 -> project: DEV2 ]
- Team members granularly access and administer their projects
- Governance policies are set up for security compliance.
The tutorial demonstrates a sample implementation of the above customer scenario.
It demonstrates:
- integration with the GitOps operator
- management of ApplicationSets
- RBAC configuration for multitenancy
- use of the policy-generator for developing policies
TODO: Integration of several other features: gatekeeper, namespace-operator, external-secrets/vault, integrity-shield, groupsync-operator, monitoring, argocd-notifications.
This picture gives an overview of the environment installed by the tutorial and the layout of the various resources set up as part of the installation.
A: Policies (later we will convert more objects into Policies using PolicyGenerator)
- Install-Gitops-Operator
- Configure-ArgoCD (RBAC policy: g, system:cluster-admins, role:admin, role:SreAdminGrp) https://github.com/ch-stark/gitops-rbac-example/blob/main/policies/policy-config-operator-dex.yaml#L91
B: OpenShift-setup
- Setup Groups (ACM-Admins, Dev1-Admins, Dev1-viewers, Dev2-admins, Dev2-viewers, Developers)
- Setup HTPasswd authentication
C: argo-projects
- default-project namespace: openshift-gitops
- dev1 project namespace: dev1
- dev2 project namespace: dev2
- policies project namespace: policies
- ArgoCD-Configuration ConfigMap and ConfigMapRBAC
E: acm-gitops
gitopscluster:
- default namespace: openshift-gitops
- dev1 namespace: dev1
- dev2 namespace: dev2
- policies namespace: policies
bindings:
- default namespace: openshift-gitops
- dev1 namespace: dev1
- dev2 namespace: dev2
- policies namespace: policies
F: application-sets
- default references default-appproject namespace: openshift-gitops
- dev1 references dev1-appproject namespace: dev1
- dev2 references dev2-appproject namespace: dev2
- policies references policies-appproject namespace: policies
Placements
So far everything is placed on the hub cluster; this will be extended.
RBAC use cases:
- a certain user should have all permissions for all Applications and cluster-admin tasks. TODO: point to the exact role bindings here
- a certain user should have read permissions on one project/Application. TODO: point to the exact role bindings here
- a certain user should have admin permissions on one project. TODO: point to the exact role bindings here
- a certain user should have admin permissions on all projects but not cluster-admin rights. TODO: point to the exact role bindings here
- it should show the different options regarding RBAC configuration. TODO: point to the exact role bindings here
- a certain user should only see namespaces in a certain ClusterSet. TODO: point to the exact role bindings here
- https://github.com/christianh814/openshift-cluster-config
- Security-Features we get with ArgoCD (https://rcarrata.com/openshift/secure-argo-supply-chain/)
- https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/applications/index
- https://github.com/stolostron/policy-collection/issues/217
- https://github.com/tosin2013/acm-multi-cluster-argocd-dashboard
- https://github.com/joatmon08/vault-argocd
- https://cloud.redhat.com/blog/openshift-authentication-integration-with-argocd
- https://cloud.redhat.com/blog/openshift-pipelines-and-openshift-gitops-are-now-generally-available