diff --git a/docs/assets/terminal.png b/docs/assets/terminal.png new file mode 100644 index 0000000000000..2e89ddc4f6726 Binary files /dev/null and b/docs/assets/terminal.png differ diff --git a/docs/operator-manual/rbac.md b/docs/operator-manual/rbac.md index da4c9d5977871..ffade40b763c9 100644 --- a/docs/operator-manual/rbac.md +++ b/docs/operator-manual/rbac.md @@ -59,22 +59,7 @@ also use glob patterns in the action path: `action/*` (or regex patterns if you `exec` is a special resource. When enabled with the `create` action, this privilege allows a user to `exec` into Pods via the Argo CD UI. The functionality is similar to `kubectl exec`. -`exec` is a powerful privilege. It allows the user to run arbitrary code on any Pod managed by an Application for which -they have `create` privileges. If the Pod mounts a ServiceAccount token (which is the default behavior of Kubernetes), -then the user effectively has the same privileges as that ServiceAccount. - -The exec feature is disabled entirely by default. To enable it, set the `exec.enabled` key to "true" on the argocd-cm -ConfigMap. You will also need to add the following to the argocd-api-server Role (if you're using Argo CD in namespaced -mode) or ClusterRole (if you're using Argo CD in cluster mode). - -```yaml -- apiGroups: - - "" - resources: - - pods/exec - verbs: - - create -``` +See [Web-based Terminal](web_based_terminal.md) for more info. ## Tying It All Together diff --git a/docs/operator-manual/web_based_terminal.md b/docs/operator-manual/web_based_terminal.md new file mode 100644 index 0000000000000..74d1b93b30c92 --- /dev/null +++ b/docs/operator-manual/web_based_terminal.md 
@@ -0,0 +1,45 @@ +# Web-based Terminal + +![Argo CD Terminal](../assets/terminal.png) + +Since v2.4, Argo CD has a web-based terminal that allows you to get a shell inside a running pod just like you would with +`kubectl exec`. It's basically SSH from your browser, full ANSI color support and all! However, for security this feature +is disabled by default. + +This is a powerful privilege. It allows the user to run arbitrary code on any Pod managed by an Application for which +they have the `exec/create` privilege. If the Pod mounts a ServiceAccount token (which is the default behavior of +Kubernetes), then the user effectively has the same privileges as that ServiceAccount. + +## Enabling the terminal + +1. Set the `exec.enabled` key to `true` on the `argocd-cm` ConfigMap. + +2. Patch the `argocd-server` Role (if using namespaced Argo) or ClusterRole (if using clustered Argo) to allow `argocd-server` +to exec into pods +```yaml +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create +``` + +3. Add RBAC rules to allow your users to `create` the `exec` resource, i.e. +``` +p, role:myrole, exec, create, */*, allow +``` + +See [RBAC Configuration](rbac.md#exec-resource) for more info. + +## Changing allowed shells + +By default, Argo CD attempts to execute shells in this order: + +1. bash +2. sh +3. powershell +4. cmd + +If none of the shells are found, the terminal session will fail. To add to or change the allowed shells, change the +`exec.shells` key in the `argocd-cm` ConfigMap, separating them with commas. \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index 47640bbbd489c..9468aa57fe1c3 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -44,6 +44,7 @@ nav: - operator-manual/custom_tools.md - operator-manual/custom-styles.md - operator-manual/metrics.md + - operator-manual/web_based_terminal.md - Notification: - Overview: operator-manual/notifications/index.md - operator-manual/notifications/triggers.md
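Review bot: In the new web_based_terminal.md, the RBAC example `p, role:myrole, exec, create, */*, allow` grants exec on every Application in every project, which contradicts the warning two sections earlier that this privilege gives the user the effective permissions of each Pod's ServiceAccount; show a project- or app-scoped pattern (e.g. `myproject/*`) as the primary example and call the `*/*` form out as the broadest grant. In the same file, step 3 says "i.e." where "e.g." is meant, the step 3 fence has no language tag while step 2 uses `yaml`, steps 2 and 3 have no blank line before their fences (MkDocs may not render the fence correctly inside a numbered list), the link target `rbac.md#exec-resource` should be checked against the actual heading in rbac.md since that heading is not visible in this diff, and the file is missing a trailing newline ("\ No newline at end of file").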
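Review bot: The rbac.md hunk replaces the whole exec warning with "See [Web-based Terminal](web_based_terminal.md) for more info.", so the page where operators author `exec, create` policies no longer states that the grant is equivalent to arbitrary code execution as the Pod's ServiceAccount; keep at least the one-sentence warning in rbac.md alongside the link. Also, the removed text named the `argocd-api-server` Role/ClusterRole while the new page names `argocd-server`; confirm which name matches the shipped manifests so the two docs do not disagree.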