Authorization
Overview
After a user logs in through the UI, RBAC-based access control can be enabled; otherwise login succeeds by default with no permission isolation between users.
Configuration example
Startup arguments for the "argo-server" application

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argo-server
spec:
  selector:
    matchLabels:
      app: argo-server
  template:
    metadata:
      labels:
        app: argo-server
    spec:
      containers:
      - args:
        - server
        - "--auth-mode=sso"
        - "--secure=false"
        env:
        - name: SSO_DELEGATE_RBAC_TO_NAMESPACE
          value: "true"
        ......
```
The "workflow-controller" ConfigMap
Add the key "rbac.enabled: true" to turn RBAC on, for example:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: workflow-controller-configmap
data:
  sso: |
    ......
    scopes:
    - groups
    - email
    rbac:
      enabled: true
    ......
```
Create a ServiceAccount in the argo namespace

```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: biz-test-uptime-readwrite-limq
  namespace: argo
  annotations:
    workflows.argoproj.io/rbac-rule: "email == 'admin@example.com'"
    workflows.argoproj.io/rbac-rule-precedence: "1"
secrets:
- name: biz-test-uptime-readwrite-limq
---
apiVersion: v1
kind: Secret
metadata:
  name: biz-test-uptime-readwrite-limq
  namespace: argo
  annotations:
    kubernetes.io/service-account.name: biz-test-uptime-readwrite-limq
type: kubernetes.io/service-account-token
```

After a successful OIDC login through the UI, the "argo-server" backend looks up a "ServiceAccount" in the corresponding deployment namespace.
With the rule above, when the "email" claim in the JWT equals "admin@example.com", the user is mapped to the "biz-test-uptime-readwrite-limq" account.
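To make the claim-to-ServiceAccount mapping concrete, here is an added Python model of the selection step (it is not Argo's code; Argo evaluates rbac-rule annotations with its expression language, while this version accepts only the two rule shapes `claim == 'value'` and `'value' in listclaim`). The second ServiceAccount and its precedence value are constructed for the example and do not appear on this page.

```python
import re

# Constructed sample: the ServiceAccount annotations argo-server would read.
# The first entry is the one from this page; the second is hypothetical.
SERVICE_ACCOUNTS = [
    {"name": "biz-test-uptime-readwrite-limq",
     "rule": "email == 'admin@example.com'", "precedence": 1},
    {"name": "biz-test-uptime-readonly",              # hypothetical SA
     "rule": "'oncall' in groups", "precedence": 0},
]

# Strict grammar: `<claim> == '<value>'` or `'<value>' in <listclaim>`.
# Anything else is rejected instead of being evaluated dynamically.
RULE_RE = re.compile(
    r"^\s*(?:(\w+)\s*==\s*'([^']*)'|'([^']*)'\s+in\s+(\w+))\s*$")


def rule_matches(rule: str, claims: dict) -> bool:
    """Return True if the JWT claims satisfy one rbac-rule annotation."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rbac-rule: {rule!r}")
    key, value, member, list_key = m.groups()
    if key is not None:                      # equality form, e.g. email == '...'
        return claims.get(key) == value
    members = claims.get(list_key, [])       # membership form, e.g. 'x' in groups
    return isinstance(members, list) and member in members


def select_service_account(claims: dict, accounts=SERVICE_ACCOUNTS):
    """Pick the matching ServiceAccount with the highest precedence, or None.

    Every rule is evaluated against the token's claims; when several match,
    the rbac-rule-precedence annotation decides which account the user gets.
    """
    matches = [sa for sa in accounts if rule_matches(sa["rule"], claims)]
    if not matches:
        return None
    return max(matches, key=lambda sa: sa["precedence"])["name"]


if __name__ == "__main__":
    # Constructed claims as they would appear in the ID token after OIDC login.
    print(select_service_account({"email": "admin@example.com", "groups": ["oncall"]}))
    print(select_service_account({"email": "dev@example.com", "groups": []}))
```

A user whose token carries no matching claims gets no ServiceAccount at all, which is the behaviour you want: no rule match should mean no Kubernetes identity rather than a fallback with broad rights.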
Create the Role and RoleBinding in the namespace where workflows run

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argo-readwrite
  namespace: biz-test-uptime
rules:
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  - workflows/finalizers
  - workfloweventbindings
  - workfloweventbindings/finalizers
  - workflowtemplates
  - workflowtemplates/finalizers
  - cronworkflows
  - cronworkflows/finalizers
  - clusterworkflowtemplates
  - clusterworkflowtemplates/finalizers
  - workflowtaskresults
  - workflowtaskresults/finalizers
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argo-readwrite
  namespace: biz-test-uptime
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argo-readwrite
subjects:
- kind: ServiceAccount
  name: biz-test-uptime-readwrite-limq
  namespace: argo
```

Note that, despite its name, this Role grants only the read verbs get, list and watch; it contains no create, update, patch or delete verbs. The RoleBinding lives in the workflow namespace "biz-test-uptime" but binds the ServiceAccount from the "argo" namespace, which is what the SSO_DELEGATE_RBAC_TO_NAMESPACE setting above relies on.
Reference roles
Read-only permissions
TODO;
Read-write permissions
TODO;
Last modified 2025.05.03: chore: develop some argo workflow content (7e2486e)