Overview
Managing RBAC at scale doesn't have to be painful.
Introduction
If you've ever managed ArgoCD in a multi-team environment, you know the challenge: each project needs its own set of permissions, users need to be organized into groups, and the RBAC ConfigMap grows increasingly complex. Manual management becomes error-prone and time-consuming.
This article introduces Argo CD RBAC Manager — an open-source tool that automates the entire workflow of creating Keycloak groups, generating RBAC policies, and managing user access for ArgoCD projects.
Technologies Used
Backend Stack
| Technology | Purpose | Version |
|---|---|---|
| Python 3.x | Core programming language | 3.8+ |
| Flask | Web framework for REST API | 2.x |
| Flask-CORS | Cross-Origin Resource Sharing support | - |
| Click | CLI framework for command-line interface | - |
| python-keycloak | Keycloak Admin API client | - |
| kubernetes | Official Kubernetes Python client | - |
| python-dotenv | Environment variable management | - |
| PyYAML | YAML parsing for kubeconfig | - |
Frontend Stack
| Technology | Purpose |
|---|---|
| React | UI framework |
| TypeScript | Type-safe JavaScript |
| Vite | Build tool & dev server |
| TailwindCSS | Utility-first CSS framework |
| Lucide React | Icon library |
| Axios | HTTP client for API calls |
Infrastructure & DevOps
| Technology | Purpose |
|---|---|
| Docker | Containerization |
| Docker Compose | Multi-container orchestration |
| Kubernetes | Production deployment platform |
| Nginx | Frontend static file serving |
| ArgoCD | GitOps continuous delivery |
| Keycloak | Identity and Access Management (IAM) |
Why These Technologies?
- Flask — Lightweight and perfect for REST APIs; easy to extend
- React + TypeScript — Modern, type-safe frontend development
- Keycloak — Industry-standard SSO solution with robust group management
- Kubernetes Python Client — Direct ConfigMap manipulation without shell commands
- Docker — Consistent deployment across environments
The Problem
In a typical enterprise setup with ArgoCD and Keycloak SSO, onboarding a new project requires:
- Creating Keycloak groups — Parent group + child groups for different roles (techleads, developers)
- Writing RBAC policies — Manually crafting policy.csv entries for each application
- Updating the ConfigMap — Applying changes to
argocd-rbac-cmwithout breaking existing policies - Assigning users — Adding team members to the correct groups
Multiply this by dozens of projects, and you have a maintenance nightmare.
The Solution: Argo CD RBAC Manager
This tool provides both a CLI and a Web UI to automate the entire process.
Architecture Overview
┌─────────────────┐ ┌──────────────────┐ ┌─────────────────┐
│ │ │ │ │ │
│ Web UI │────▶│ Flask API │────▶│ Keycloak │
│ (Frontend) │ │ (Backend) │ │ (SSO/Groups) │
│ │ │ │ │ │
└─────────────────┘ └────────┬─────────┘ └─────────────────┘
│
▼
┌──────────────────┐
│ │
│ Kubernetes │
│ (argocd-rbac-cm)│
│ │
└──────────────────┘
Key Features
| Feature | Description |
|---|---|
| Automated Group Creation | Creates parent + child groups in Keycloak with proper hierarchy |
| RBAC Policy Generation | Generates standardized policies based on role templates |
| Safe ConfigMap Updates | Appends policies without overwriting existing rules |
| Dry-Run Mode | Preview changes before applying them |
| User Management | Add/remove users from groups via API or UI |
| Backup Support | Creates ConfigMap backups before modifications |
How It Works
1. Group Naming Convention
When you create a project (e.g., my-app), the tool automatically creates:
my-app/ # Parent group
├── Techleads-my-app # Full access (except delete)
└── Developpers-my-app # Read-only + logs
2. Role Templates
The tool uses predefined role templates:
Techleads — Full access except delete:
p, role:my-app-techleads, applications, get, my-app/*, allow
p, role:my-app-techleads, applications, update, my-app/*, allow
p, role:my-app-techleads, applications, sync, my-app/*, allow
p, role:my-app-techleads, applications, action/*, my-app/*, allow
p, role:my-app-techleads, logs, get, my-app/*, allow
p, role:my-app-techleads, exec, create, my-app/*, allow
p, role:my-app-techleads, projects, get, my-app, allow
Developers — Read-only with logs access:
p, role:my-app-developers, applications, get, my-app/*, allow
p, role:my-app-developers, logs, get, my-app/*, allow
p, role:my-app-developers, exec, create, my-app/*, allow
p, role:my-app-developers, projects, get, my-app, allow
3. Group-to-Role Mapping
The tool automatically creates the Keycloak group-to-ArgoCD role mapping:
g, Techleads-my-app, role:my-app-techleads
g, Developpers-my-app, role:my-app-developers
Usage Examples
CLI Usage
Complete project setup:
python argocd-rbac-manager.py setup-project \
--project my-app \
--applications "frontend,backend,database" \
--techleads "john.doe,jane.smith" \
--developers "dev1,dev2,dev3" \
--namespace my-app-namespace
Create groups only:
python argocd-rbac-manager.py create-groups --project my-app
Update RBAC only:
python argocd-rbac-manager.py update-rbac \
--project my-app \
--applications "frontend,backend"
Dry-run mode (preview changes):
python argocd-rbac-manager.py setup-project \
--project my-app \
--applications "app1,app2" \
--dry-run
API Usage
Setup a new project:
curl -X POST http://localhost:8000/api/projects/setup \
-H "Content-Type: application/json" \
-d '{
"project": "my-app",
"applications": ["frontend", "backend"],
"techleads": ["john.doe"],
"developers": ["dev1", "dev2"],
"namespace": "my-app",
"dry_run": false
}'
List all Keycloak groups:
curl http://localhost:8000/api/groups/list
Add users to a group:
curl -X POST http://localhost:8000/api/users/add \
-H "Content-Type: application/json" \
-d '{
"project": "my-app",
"group": "developers",
"users": ["new-dev1", "new-dev2"]
}'
Deployment Options
Option 1: Docker (Recommended)
# Configure environment
cp .env.docker .env
vim .env
# Build and run
make build
make run
Access points:
- Frontend: http://localhost:3000
- Backend API: http://localhost:8000/docs
Option 2: Local Development
# Install dependencies
pip install -r requirements.txt
# Start backend
./run.sh
# Start web UI (separate terminal)
./start-web-ui.sh
Option 3: Kubernetes Deployment
kubectl apply -f docker/k8s-deployment.yml
Configuration
Environment Variables
| Variable | Description | Default |
|---|---|---|
KEYCLOAK_URL |
Keycloak server URL | Required |
KEYCLOAK_REALM |
Keycloak realm name | argocd |
KEYCLOAK_ADMIN_USER |
Admin username | Required* |
KEYCLOAK_ADMIN_PASSWORD |
Admin password | Required* |
KEYCLOAK_TOKEN |
API token (alternative to user/pass) | Optional |
K8S_NAMESPACE |
ArgoCD namespace | argo |
KUBECONFIG |
Path to kubeconfig | ./kubeconfig.yaml |
*Required if KEYCLOAK_TOKEN is not provided.
Example .env file
KEYCLOAK_URL=https://keycloak.example.com
KEYCLOAK_REALM=argocd
KEYCLOAK_ADMIN_USER=admin
KEYCLOAK_ADMIN_PASSWORD=secret
K8S_NAMESPACE=argo
KUBECONFIG=./kubeconfig.yaml
Security Considerations
- Never hardcode credentials — Use environment variables or secrets management
- Use token-based authentication — Preferred over username/password for production
- Limit RBAC scope — The tool only grants permissions to specified applications
- Backup before changes — Always use dry-run mode first, backups are created automatically
- Audit trail — All changes are logged for compliance
Project Structure
manage-role-argo/
├── app.py # Flask Web UI & API
├── argocd-rbac-manager.py # Core logic & CLI
├── requirements.txt # Python dependencies
├── docker/ # Docker configurations
│ ├── Dockerfile.backend
│ ├── Dockerfile.frontend
│ └── docker-compose.yml
├── k8s/ # Kubernetes manifests
├── templates/ # HTML templates
└── static/ # Static assets
Extending the Tool
Adding Custom Role Templates
Modify the generate_rbac_policy() method in argocd-rbac-manager.py:
def generate_rbac_policy(self, project: str, applications: List[str],
project_namespace: Optional[str] = None) -> str:
# Add your custom role logic here
# Example: Add a "read-only" role
policy_lines.append(f"g, {group_names['readonly']}, role:{normalized}-readonly")
policy_lines.append(f"p, role:{normalized}-readonly, applications, get, {app_path}, allow")
Adding New API Endpoints
Add new routes in app.py:
@app.route('/api/custom/endpoint', methods=['POST'])
def custom_endpoint():
# Your custom logic
return jsonify({'success': True})
Troubleshooting
Common Issues
1. Keycloak connection failed
Error: Failed to connect to Keycloak
→ Verify KEYCLOAK_URL, credentials, and network connectivity.
2. Kubernetes connection failed
Error: Failed to connect to Kubernetes
→ Check KUBECONFIG path and cluster accessibility.
3. ConfigMap not found
Error: ConfigMap 'argocd-rbac-cm' not found
→ Ensure ArgoCD is installed and the namespace is correct.
4. Groups already exist
Warning: Groups already exist for project 'my-app'
→ This is informational; the tool skips existing groups.
Conclusion
Managing ArgoCD RBAC in a multi-tenant environment doesn't have to be a manual, error-prone process. The Argo CD RBAC Manager automates the entire workflow:
- ✅ Consistent group structure across all projects
- ✅ Standardized RBAC policies based on role templates
- ✅ Safe updates with dry-run and backup support
- ✅ Flexible deployment via Docker, Kubernetes, or local setup
Whether you're managing 5 projects or 500, this tool scales with your needs while reducing human error.
