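---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  # Fallback role for every authenticated user that no g-line below maps to a
  # role (and for anonymous users as well, if users.anonymous.enabled is set in
  # argocd-cm). role:readonly lets anyone who can log in list every application,
  # repository, cluster, account and pod log in this instance. Set it to '' to
  # deny by default and grant access only through the explicit bindings below.
  policy.default: role:readonly
  # Casbin CSV policy. Rows: p, <subject>, <resource>, <action>, <object>, <effect>
  # and g, <user-or-group>, <role>. Application objects are <project>/<app-name>,
  # so */* means every application in every project.
  # Check the result with `argocd admin settings rbac validate` and
  # `argocd admin settings rbac can <subject> <action> <resource> <object>`.
  policy.csv: |
    # Read-only role. Argo CD already ships a built-in role:readonly with these
    # exact grants, so these rows only restate it; drop them unless you intend
    # to narrow it (e.g. remove logs or accounts).
    p, role:readonly, applications, get, */*, allow
    p, role:readonly, certificates, get, *, allow
    p, role:readonly, clusters, get, *, allow
    p, role:readonly, repositories, get, *, allow
    p, role:readonly, projects, get, *, allow
    p, role:readonly, accounts, get, *, allow
    p, role:readonly, gpgkeys, get, *, allow
    # NOTE(review): logs on */* exposes pod log output (which often carries
    # secrets) for every app to every reader. On older releases log RBAC is only
    # enforced when server.rbac.log.enforce.enable is set in argocd-cm - verify.
    p, role:readonly, logs, get, */*, allow
    # Full administrator (also matches the built-in role:admin).
    p, role:admin, applications, *, */*, allow
    p, role:admin, applicationsets, *, */*, allow
    p, role:admin, clusters, *, *, allow
    p, role:admin, repositories, *, *, allow
    p, role:admin, projects, *, *, allow
    p, role:admin, accounts, *, *, allow
    p, role:admin, certificates, *, *, allow
    p, role:admin, gpgkeys, *, *, allow
    p, role:admin, logs, get, */*, allow
    # exec opens an interactive shell in any managed pod using Argo CD's own
    # cluster credentials - effectively cluster-wide `kubectl exec`. It is
    # additionally gated by exec.enabled in argocd-cm; keep the groups bound
    # to role:admin as small as possible.
    p, role:admin, exec, create, */*, allow
    # Developer: read, sync and run resource actions (restart, promote, ...)
    # on every application in every project - there is no project boundary
    # here. Scope the object column (e.g. team-project/*) if that is not wanted.
    p, role:developer, applications, get, */*, allow
    p, role:developer, applications, sync, */*, allow
    p, role:developer, applications, action/*, */*, allow
    p, role:developer, logs, get, */*, allow
    # Per-project administrators: every application action (create, delete,
    # override, sync, ...) limited to one project. Where those apps may deploy
    # is bounded only by the AppProject's destinations and sourceRepos, so
    # keep that whitelist tight.
    p, role:frontend-admin, applications, *, frontend/*, allow
    p, role:frontend-admin, logs, get, frontend/*, allow
    p, role:backend-admin, applications, *, backend/*, allow
    p, role:backend-admin, logs, get, backend/*, allow
    # Bindings. The subject is compared against the token's `sub` claim plus the
    # claims listed in `scopes` below (groups, email). Group names must match the
    # IdP's groups-claim values exactly; an IdP that lets users self-assign
    # groups would let them self-assign these roles.
    g, admin@example.com, role:admin
    g, platform-team, role:admin
    g, developers, role:developer
    g, frontend-team, role:frontend-admin
    g, backend-team, role:backend-admin
    g, viewers, role:readonly
  # OIDC token claims whose values are used as RBAC subjects in the g-lines.
  scopes: '[groups, email]'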