ArgoCD: Security and Authentication

Role-Based Access Control (RBAC) in ArgoCD

ArgoCD uses RBAC (Role-Based Access Control) to decide what each user or group may do with applications, projects, repositories and other resources. The policy is a small CSV stored in the argocd-rbac-cm ConfigMap: p lines grant or deny an action on a resource pattern, g lines bind users (or SSO groups) to roles.

Creating a Custom Role for Developers

Define a developer role with limited access rights:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.csv: |
    p, role:developer, applications, get, */*, allow
    p, role:developer, applications, sync, */*, allow
    g, alice, role:developer

Apply the configuration:

kubectl apply -f argocd-rbac.yaml

This binds the user alice to role:developer, which may get and sync any application in any project (the */* object pattern is project/application). Anything not matched by an allow line, such as delete or create, is denied.
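To see how these lines are evaluated, here is an added illustration (not Argo CD's own code) of the rule Argo CD applies through Casbin: a request is allowed only if some matching p line says allow and no matching p line says deny, with glob matching on the resource, action and object columns. The policy below is constructed from the page's developer role plus one deny line to show that precedence; Python's fnmatch stands in for Argo CD's glob library.

```python
from fnmatch import fnmatchcase

# Constructed policy: the page's developer role plus one explicit deny line.
POLICY_CSV = """
p, role:developer, applications, get, */*, allow
p, role:developer, applications, sync, */*, allow
p, role:developer, applications, sync, prod/*, deny
g, alice, role:developer
"""


def parse_policy(csv_text):
    """Return (rules, bindings): p lines as 5-tuples, g lines as user -> roles."""
    rules, bindings = [], {}
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            rules.append(tuple(fields[1:]))  # subject, resource, action, object, effect
        elif fields[0] == "g" and len(fields) == 3:
            bindings.setdefault(fields[1], set()).add(fields[2])
        else:
            raise ValueError(f"malformed policy line: {line!r}")
    return rules, bindings


def subjects_for(name, bindings):
    """The subject itself plus every role reachable through g lines (roles can nest)."""
    seen, todo = set(), [name]
    while todo:
        sub = todo.pop()
        if sub not in seen:
            seen.add(sub)
            todo.extend(bindings.get(sub, ()))
    return seen


def enforce(user, resource, action, obj, csv_text=POLICY_CSV):
    """Allow only if some matching rule says allow and no matching rule says deny."""
    rules, bindings = parse_policy(csv_text)
    subjects = subjects_for(user, bindings)
    allowed = denied = False
    for sub, res, act, pattern, effect in rules:
        if (sub in subjects and fnmatchcase(resource, res)
                and fnmatchcase(action, act) and fnmatchcase(obj, pattern)):
            allowed |= effect == "allow"
            denied |= effect == "deny"
    return allowed and not denied
```

With this policy, enforce("alice", "applications", "sync", "prod/payments") is False because the deny line wins, while the same request against default/guestbook is True.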

Authentication and Authorization Mechanisms

Local User Authentication

ArgoCD supports local user accounts whose passwords are stored as bcrypt hashes in the argocd-secret Secret. The built-in admin account looks like this (under stringData the hash can be written as-is; under data it would have to be base64-encoded first):

apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
  namespace: argocd
type: Opaque
stringData:
  # bcrypt hash of the admin password, not the password itself
  admin.password: <bcrypt-hash>

In practice the hash is normally set with argocd account update-password rather than edited by hand, since argocd-secret also holds other keys that a plain apply would overwrite.

Enabling OIDC Authentication with GitHub (via Dex)

GitHub does not publish an OIDC discovery document, so ArgoCD's oidc.config (which needs an issuer that does) cannot point at it directly. GitHub is instead wired through the Dex instance bundled with ArgoCD, which turns GitHub OAuth into OIDC for the API server:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  url: https://argocd.example.com
  dex.config: |
    connectors:
      - type: github
        id: github
        name: GitHub
        config:
          clientID: <client-id>
          # resolved from the key dex.github.clientSecret in argocd-secret,
          # so the secret never sits in a ConfigMap
          clientSecret: $dex.github.clientSecret
          orgs:
            - name: <github-org>

Apply changes:

kubectl apply -f argocd-auth.yaml

Users can now log in with their GitHub account. The orgs list restricts login to members of the named organization, and GitHub team memberships arrive as groups that can be bound to roles with g lines in policy.csv.

Securing ArgoCD Deployments

Enabling TLS Encryption

kubectl create secret tls argocd-server-tls --cert=cert.pem --key=key.pem -n argocd

argocd-server looks for a Secret named argocd-server-tls and serves its API and UI with that certificate instead of the self-signed one generated at install time, so traffic between ArgoCD and its users is encrypted with a certificate clients can verify. If TLS is terminated at an ingress instead, the certificate Secret belongs to the ingress and argocd-server is typically run with --insecure behind it.

Restricting Access with Network Policies

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-restrict
  namespace: argocd
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-server
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: trusted-app

Apply network policy:

kubectl apply -f argocd-networkpolicy.yaml

This allows only pods labelled app: trusted-app in the argocd namespace to reach argocd-server; all other ingress, including an ingress controller running in another namespace, is dropped unless it is added to the from list (usually with a namespaceSelector). NetworkPolicy is enforced only if the cluster's CNI plugin supports it.

Integrating ArgoCD with External Identity Providers (OIDC, LDAP, SAML)

Configuring LDAP Authentication

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  url: https://argocd.example.com
  dex.config: |
    connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        # Dex expects host:port without a scheme; startTLS upgrades the
        # plain port 389 connection so binds and searches are not sent in clear
        host: ldap.example.com:389
        startTLS: true
        # read-only service account used for searches; the password is
        # resolved from the key dex.ldap.bindPW in argocd-secret
        bindDN: <bind-dn>
        bindPW: $dex.ldap.bindPW
        userSearch:
          baseDN: ou=users,dc=example,dc=com
          filter: "(objectClass=posixAccount)"
          username: uid
          idAttr: uid
          emailAttr: mail
          nameAttr: cn
        groupSearch:
          baseDN: ou=groups,dc=example,dc=com
          filter: "(objectClass=groupOfNames)"
          userMatchers:
          - userAttr: DN
            groupAttr: member
          nameAttr: cn

Apply LDAP configuration:

kubectl apply -f argocd-ldap.yaml

This enables ArgoCD to authenticate users against an LDAP directory through Dex. The groupSearch section makes LDAP group names available as groups, so they can be bound to roles with g lines in policy.csv. If several connectors are needed (for example LDAP and GitHub), they all go into the single connectors list of dex.config in argocd-cm, since a later apply of the ConfigMap replaces the earlier one.

Hands-On Exercise

  1. Configure RBAC roles for restricted access.
  2. Enable OIDC authentication with GitHub or Google.
  3. Apply TLS encryption to secure ArgoCD.
  4. Implement network policies to restrict external access.

By securing ArgoCD properly, you ensure only authorized users can access and manage deployments, reducing security risks in Kubernetes environments.