# ------------------------------------------------------------------------------ # argocd-rbac-cm — RBAC Policy # # Maps Authentik groups to ArgoCD roles. # Groups must exist in Authentik and be assigned to users there. # # Roles: # role:admin — full access, all operations # role:readonly — read-only, can view but not sync/modify # # Single-user homelab: your user should be in argocd-admins in Authentik. # Add argocd-viewers later when you have guests/collaborators. # ------------------------------------------------------------------------------ apiVersion: v1 kind: ConfigMap metadata: name: argocd-rbac-cm namespace: argocd data: # Default policy for any authenticated user not in a mapped group # readonly is safe — they can see but not touch policy.default: role:readonly policy.csv: | # Authentik group → ArgoCD role mappings g, argocd-admins, role:admin g, argocd-viewers, role:readonly # Tell ArgoCD which OIDC claims to use for group mapping scopes: '[groups, email]'