31 lines
1.0 KiB
YAML
31 lines
1.0 KiB
YAML
# ------------------------------------------------------------------------------
|
|
# argocd-rbac-cm — RBAC Policy
|
|
#
|
|
# Maps Authentik groups to ArgoCD roles.
|
|
# Groups must exist in Authentik and be assigned to users there.
|
|
#
|
|
# Roles:
|
|
# role:admin — full access, all operations
|
|
# role:readonly — read-only, can view but not sync/modify
|
|
#
|
|
# Single-user homelab: your user should be in argocd-admins in Authentik.
|
|
# Add argocd-viewers later when you have guests/collaborators.
|
|
# ------------------------------------------------------------------------------
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: argocd-rbac-cm
|
|
namespace: argocd
|
|
data:
|
|
# Default policy for any authenticated user not in a mapped group
|
|
# readonly is safe — they can see but not touch
|
|
policy.default: role:readonly
|
|
|
|
policy.csv: |
|
|
# Authentik group → ArgoCD role mappings
|
|
g, argocd-admins, role:admin
|
|
g, argocd-viewers, role:readonly
|
|
|
|
# Tell ArgoCD which OIDC claims to use for group mapping
|
|
scopes: '[groups, email]'
|