By default, a newly created local user has no access (or gets the default policy specified in the argocd-rbac-cm configmap) and must be assigned additional RBAC roles.

As the docs recommend, disable the admin user as soon as possible:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  admin.enabled: "false"

Each user can have two capabilities: apiKey and login. To create a new user in ArgoCD, patch or edit the data of the argocd-cm configmap:

kubectl -n argocd patch configmap argocd-cm --patch='{"data":{"accounts.<name>": "apiKey,login"}}'

or add the following using kubectl -n argocd edit configmap argocd-cm:

data:
  accounts.alice: apiKey,login
kind: ConfigMap

Role based access control (RBAC)

RBAC policies are stored in the argocd-rbac-cm configmap, where roles can be assigned to users. By default there is an admin role and a readonly role. The policy parameters differ depending on whether a rule covers application-specific or non-application-specific resources.

To add a role for a user, patch or edit the configmap:

kubectl -n argocd patch configmap argocd-rbac-cm --patch='{"data":{"policy.csv":"p, role:create-app, applications, create, *, allow\ng, ibrahim, role:create-app"}}'

or run kubectl -n argocd edit configmap argocd-rbac-cm, then add the data:

data:
  policy.csv: |-
    p, role:create-app, applications, create, *, allow
    g, ibrahim, role:create-app
kind: ConfigMap

Note: users with only this role cannot see what they created, or the resources while creating the app; they need additional permissions.
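The effect described in the note can be checked offline before a policy is applied. The following is an added example, not code from this page or from ArgoCD: a simplified model of how policy.csv lines are evaluated (glob match on resource, action and object; any matching deny wins). The role name role:create-and-view is hypothetical, and role-to-role inheritance, built-in roles and policy.default are not modeled.

```python
import csv
from fnmatch import fnmatchcase

# Constructed policy: the page's create-app role, plus a hypothetical second
# role that also grants "get" so its users can see the apps they create.
POLICY_CSV = """\
p, role:create-app, applications, create, *, allow
p, role:create-and-view, applications, create, *, allow
p, role:create-and-view, applications, get, *, allow
g, ibrahim, role:create-app
g, alice, role:create-and-view
"""

def parse_policy(text):
    """Split policy.csv text into permission rules (p) and role bindings (g)."""
    rules, bindings = [], {}
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        row = [cell.strip() for cell in row]
        if not row or row[0].startswith("#"):
            continue  # skip blank lines and comments
        if row[0] == "p" and len(row) == 6:
            rules.append(tuple(row[1:]))  # (subject, resource, action, object, effect)
        elif row[0] == "g" and len(row) == 3:
            bindings.setdefault(row[1], set()).add(row[2])
    return rules, bindings

def can_i(text, user, action, resource, obj="*"):
    """Approximate `argocd account can-i <action> <resource> <object>` for a user."""
    rules, bindings = parse_policy(text)
    subjects = {user} | bindings.get(user, set())
    effects = {
        effect
        for subject, res, act, pattern, effect in rules
        if subject in subjects
        and fnmatchcase(resource, res)
        and fnmatchcase(action, act)
        and fnmatchcase(obj, pattern)
    }
    # Allowed only if some rule allows the request and no rule denies it.
    return "allow" in effects and "deny" not in effects

if __name__ == "__main__":
    for user in ("ibrahim", "alice"):
        for action in ("create", "get"):
            allowed = can_i(POLICY_CSV, user, action, "applications", "default/guestbook")
            print(f"{user:8} {action:7} applications -> {'yes' if allowed else 'no'}")
```

After applying the real policy, confirm the result against the server with argocd account can-i while logged in as the user in question.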

Commands

# update password for a user
argocd account update-password --account <username>
argocd account update-password --account <username> --new-password <new_pass> --current-password <current_pass>

# check whether the logged-in user has a permission
argocd account can-i delete applications '*'

# get all users
argocd account list

# generate auth token for user
argocd account generate-token --account <username>

# check permission on certain action
argocd account can-i <action> <resource> '*'

Important docs