Merge pull request #47457 from DebarghoGhosh/cluster-configuration-3817

RHDEVDOCS-3817 - Added cluster permission management

Author: JStickler

cicd/gitops/configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations.adoc

@@ -20,3 +20,7 @@ include::modules/gitops-creating-an-application-by-using-the-argo-cd-dashboard.a
 include::modules/gitops-creating-an-application-by-using-the-oc-tool.adoc[leveloffset=+1]
 
 include::modules/gitops-synchronizing-your-application-application-with-your-git-repository.adoc[leveloffset=+1]
+
+include::modules/gitops-inbuilt-permissions-for-cluster-config.adoc[leveloffset=+1]
+
+include::modules/gitops-additional-permissions-for-cluster-config.adoc[leveloffset=+1]

modules/gitops-additional-permissions-for-cluster-config.adoc

@@ -0,0 +1,54 @@
+// Module included in the following assembly:
+//
+// * configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations.adoc
+
+:_content-type: PROCEDURE
+[id="gitops-additional-permissions-for-cluster-config_{context}"]
+= Adding permissions for cluster configuration
+
+You can grant permissions for an Argo CD instance to manage cluster configuration. Create a cluster role with additional permissions and then create a new cluster role binding to associate the cluster role with a service account. 
+
+.Procedure
+
+. Log in to the {product-title} web console as an admin.
+. In the wev console, select **User Management** -> **Roles** -> **Create Role**. Use the following `ClusterRole` YAML template to add rules to specify the additional permissions.
++
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: secrets-cluster-role
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["*"]
+----
+. Click **Create** to add the cluster role.  
+. Now create the cluster role binding. In the web console, select **User Management** -> **Role Bindings** -> **Create Binding**.
+. Select **All Projects** from the **Project** drop-down.
+. Click **Create binding**.
+. Select **Binding type** as **Cluster-wide role binding (ClusterRoleBinding)**.
+. Enter a unique value for the **RoleBinding name**.
+. Select the newly created cluster role or an existing cluster role from the drop down list.
+. Select the **Subject** as **ServiceAccount** and the provide the **Subject namespace** and **name**.
+.. **Subject namespace**: `openshift-gitops`
+.. **Subject name**: `openshift-gitops-argocd-application-controller`
+. Click **Create**. The YAML file for the `ClusterRoleBinding` object is as follows:
++
+[source,yaml]
+----
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cluster-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: openshift-gitops-argocd-application-controller
+    namespace: openshift-gitops
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: admin
+----
+

modules/gitops-inbuilt-permissions-for-cluster-config.adoc

@@ -0,0 +1,25 @@
+// Module included in the following assembly:
+//
+// * configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations.adoc
+
+:_content-type: REFERENCE
+[id="gitops-inbuilt-permissions-for-cluster-config_{context}"]
+= In-built permissions for cluster configuration
+
+By default, the Argo CD instance has permissions to manage specific cluster-scoped resources such as platform Operators, optional OLM Operators and user management. 
+
+[NOTE]
+====
+Argo CD does not have cluster-admin permissions.
+====
+
+Permissions for the Argo CD instance:
+|===
+|**Resources** |**Descriptions**
+|Resource Groups | Configure the user or administrator
+|`operators.coreos.com` | Optional Operators managed by OLM
+|`user.openshift.io` , `rbac.authorization.k8s.io`    | Groups, Users and their permissions
+|`config.openshift.io` | Control plane Operators managed by CVO used to configure cluster-wide build configuration, registry configuration and scheduler policies
+|`storage.k8s.io`   | Storage
+|`console.openshift.io`    | Console customization
+|===