gitops-creating-aggregated-cluster-roles.adoc

File metadata and controls

32 lines (23 loc) · 2.11 KB

Creating aggregated cluster roles

The process of creating aggregated cluster roles consists of the following procedures:

  1. Enabling the creation of aggregated cluster roles

  2. Creating user-defined cluster roles and configuring user-defined permissions for Application Controller

Enable the creation of aggregated cluster roles

You can enable the creation of aggregated cluster roles by setting the value of the .spec.aggregatedClusterRoles field to true in the Argo CD custom resource (CR). When you enable the creation of aggregated cluster roles, the {gitops-title} Operator takes the following actions:

  • Creates an <argocd_name>-<argocd_namespace>-argocd-application-controller aggregated cluster role with a predefined aggregationRule field by default.

  • Creates a corresponding cluster role binding and manages it.

  • Creates and manages view and admin cluster roles for Application Controller to add user-defined permissions into the aggregated cluster role.

Create user-defined cluster roles and configure user-defined permissions

To add user-defined permissions to the <argocd_name>-<argocd_namespace>-argocd-application-controller-admin cluster role, and through it to the aggregated cluster role, you must create one or more user-defined cluster roles with the argocd/aggregate-to-admin: 'true' label and then configure the user-defined permissions for Application Controller in those roles.

Note
  • The aggregated cluster role inherits permissions from the <argocd_name>-<argocd_namespace>-argocd-application-controller-admin and <argocd_name>-<argocd_namespace>-argocd-application-controller-view cluster roles.

  • The <argocd_name>-<argocd_namespace>-argocd-application-controller-admin cluster role inherits permissions from the user-defined cluster role.
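
The two procedures above as manifests. This is an added example, not taken from the original file or the Operator's own documentation. The instance name example-argocd, the namespace example-gitops, the cluster role name and the rules are constructed placeholders, and the argoproj.io/v1beta1 API version is assumed for the Argo CD CR.

```yaml
# Procedure 1: enable aggregated cluster roles on the Argo CD CR.
# Name and namespace are constructed placeholders.
apiVersion: argoproj.io/v1beta1   # assumed CR API version
kind: ArgoCD
metadata:
  name: example-argocd
  namespace: example-gitops
spec:
  aggregatedClusterRoles: true
---
# Procedure 2: a user-defined cluster role. The label is what feeds its rules
# into example-argocd-example-gitops-argocd-application-controller-admin and,
# through that role, into the aggregated cluster role
# example-argocd-example-gitops-argocd-application-controller.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-user-application-controller   # hypothetical name
  labels:
    argocd/aggregate-to-admin: 'true'
rules:
  # Scoped grant: only the API groups, resources and verbs that
  # Application Controller needs for the workloads it manages.
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Over-broad form, shown commented out for contrast. Every rule in a
  # labeled role becomes a cluster-wide permission of Application Controller,
  # so a wildcard here is equivalent to granting it cluster-admin.
  # - apiGroups: ["*"]
  #   resources: ["*"]
  #   verbs: ["*"]
```

Because every cluster role carrying the label contributes its rules, the full set of contributors can be reviewed with kubectl get clusterrole -l argocd/aggregate-to-admin=true.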