Open-Source Wikis

/

Argo CD

/

Features

/

SSO and RBAC

argoproj/argo-cd

SSO and RBAC

Argo CD has two orthogonal authorization layers: the API authentication layer (who you are) and the RBAC layer (what you can do). They are wired together inside argocd-server.

Authentication

graph LR
    User --> CLI[argocd CLI]
    User --> Browser[Web UI]
    CLI --> Login[argocd login - util/session]
    Browser --> OIDC[OIDC flow - util/oidc]
    OIDC --> Dex[Dex bridge - argocd-dex]
    OIDC --> External[External IdP]
    Login --> JWT[JWT signed with server secret]
    OIDC --> JWT
    JWT --> API[(argocd-server requests)]

The API server accepts authentication in three modes:

  • Local accounts. Defined in argocd-cm (accounts.<name>: apiKey, login) with passwords in argocd-secret. The "admin" account is the bootstrap user. Code: server/account/, util/password/, util/session/.
  • OIDC SSO via Dex. argocd-dex brokers an external IdP. The API server's OIDC consumer is util/oidc/oidc.go. Templates for consent/error pages live in util/oidc/templates.go.
  • Direct OIDC (no Dex). Configure oidc.config in argocd-cm and the API server will talk to the IdP directly. Both code paths share util/oidc/oidc.go.
  • Project tokens. JWTs scoped to an AppProject role. Issued by argocd proj role create-token (cmd/argocd/commands/project_role.go).

Tokens are JWTs signed with a per-server secret; verification is in util/jwt/. Sessions and password handling are in util/session/ and util/password/.

RBAC

Argo CD uses Casbin as the policy engine. The integration code is util/rbac/rbac.go and the API-server-side enforcer is in server/rbacpolicy/.

The policy lives in argocd-rbac-cm and supports:

  • Built-in roles (role:admin, role:readonly, role:none).
  • Custom roles (p, role:dev, applications, get, */*, allow).
  • Group bindings (g, my-org:devs, role:dev).
  • Per-project roles (p, role:my-project-role, applications, sync, my-project/*, allow).

The enforcer evaluates (subject, resource, action, object) tuples. The subject is derived from the JWT's sub and groups claims. Common resources: applications, applicationsets, projects, repositories, clusters, accounts, gpgkeys, certificates, logs, exec, extensions.

Project roles and AppProjects

AppProject adds a tenant boundary. Its spec includes:

  • sourceRepos — globs of allowed source URLs.
  • destinations — allowed destination clusters/namespaces.
  • clusterResourceWhitelist/namespaceResourceWhitelist — allowed Kubernetes resource kinds.
  • roles[] — project-scoped Casbin policies with optional JWT tokens.

Code: pkg/apis/application/v1alpha1/app_project_types.go, server/project/, cmd/argocd/commands/project.go/project_role.go/projectwindows.go.

Sync windows

AppProject.spec.syncWindows lets operators pause/resume syncing on a schedule. Implementation: cmd/argocd/commands/projectwindows.go and the controller's sync evaluation in controller/sync.go and controller/state.go.

Application-level authentication

Applications themselves can carry an applicationset.spec.template.spec.destination.serviceAccountName (in v3) so the apply runs under a specific SA — see util/clusterauth/ and the argo.go resource-tracking helpers in util/argo/. Impersonation is implemented in util/settings/impersonation.go.

See also

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

SSO and RBAC – Argo CD wiki | Factory