VKS Supervisor Service Argo CD group-based role assignment not working

Article ID: 436216


Products

VMware vSphere Kubernetes Service

Issue/Introduction

You configure the vSphere Kubernetes Service (VKS) Argo CD supervisor service to grant roles based on users' group membership, but the users do not receive the specified role.

Symptoms:

  • Group-based Role-Based Access Control (RBAC) does not work as intended
  • Administrators must manually map individual UUIDs to roles to grant permissions
  • Authentication succeeds, but users have no permissions (Role: None)

Environment

vSphere Kubernetes Service

Cause

The issue occurs because Argo CD does not explicitly request the group_names claim from the Identity Broker during the OIDC handshake. By default, the ID token identifies the user only by the sub (Subject) claim, which in many modern identity providers is an opaque, non-human-readable UUID. Without requesting the group_names claim and mapping it to the RBAC scopes, Argo CD cannot determine the user's group memberships and therefore cannot apply group-based RBAC policies.

Resolution

To resolve this issue, update the Argo CD configuration to request the group_names claim and map it to the RBAC scopes.

Step 1: Update ArgoCD Operator Configuration

Modify the Argo CD custom resource (CR) to include the specific claims and scopes required by the Identity Broker:

kubectl edit argocd argocd -n <ARGOCD_NAMESPACE>

Add a group_names entry under requestedIDTokenClaims (marked essential) and set rbac.scopes to [group_names] so that Argo CD matches RBAC policy subjects against that claim:

...
spec:
  enableLoadBalancer: true
  oidc:
    clientID: <CLIENT_ID>
    clientSecret: <CLIENT_SECRET>
    enabled: true
    insecure: true
    issuer: <ISSUER_URL>
    requestedIDTokenClaims:
      group_names:
        essential: true
    requestedScopes:
      - openid
      - group
      - profile
      - email
  rbac:
    scopes: '[group_names]'
    policy: |
      g, <GROUP_NAME>, role:admin
...

Step 2: Restart the Argo CD Server

Restart the Argo CD server deployment so that the updated OIDC and RBAC settings take effect:

kubectl rollout restart deployment argocd-server -n <ARGOCD_NAMESPACE>

Step 3: Verify Claims Mapping

  1. Clear your browser cache or use an Incognito window.
  2. Log in to Argo CD via the Identity Broker.
  3. Check the user info in the Argo CD UI or via the CLI to confirm that the username and group memberships are now correctly populated. If the user is being granted the admin role, you can test it by creating a project under Settings > Project > New Project. If project creation succeeds, the admin role was applied.
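To show why the fix matters, here is an added Python check (not part of this article or of Argo CD itself) that decodes a constructed ID-token payload and resolves the policy's g lines the way Argo CD RBAC does: subjects are matched against the sub claim plus the claims named in rbac.scopes. The group name, UUID and token payloads are constructed; the decoder only inspects the payload and performs no signature validation.

```python
import base64
import json

# Constructed sample only: builds an unsigned base64url JWT payload segment.
def b64url_json(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def decode_id_token_claims(token: str) -> dict:
    """Decode a JWT's payload segment for inspection; the signature is NOT verified here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def parse_scopes(scopes: str) -> list:
    """Parse the rbac.scopes string from the CR, e.g. '[group_names]' or '[groups, email]'."""
    return [s.strip() for s in scopes.strip().strip("[]").split(",") if s.strip()]

def subjects_from_token(claims: dict, scopes: list) -> set:
    """Subjects Argo CD matches 'g' lines against: the sub claim plus each configured scope claim."""
    subjects = {str(claims["sub"])} if "sub" in claims else set()
    for claim in scopes:
        value = claims.get(claim)
        if isinstance(value, list):
            subjects.update(str(v) for v in value)
        elif value is not None:
            subjects.add(str(value))
    return subjects

def effective_roles(policy: str, claims: dict, scopes: list) -> set:
    """Resolve 'g, <subject>, <role>' policy lines for the subjects carried by the ID token."""
    subjects = subjects_from_token(claims, scopes)
    roles = set()
    for line in policy.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) == 3 and parts[0] == "g" and parts[1] in subjects:
            roles.add(parts[2])
    return roles

# Constructed values: a group name, an opaque sub UUID and two ID-token payloads.
POLICY = "g, vks-admins, role:admin\n"
USER_SUB = "3f1c2b9e-0000-4000-8000-000000000001"
TOKEN_WITHOUT_GROUPS = "hdr." + b64url_json({"sub": USER_SUB, "email": "alice@example.test"}) + ".sig"
TOKEN_WITH_GROUPS = "hdr." + b64url_json({"sub": USER_SUB, "group_names": ["vks-admins"]}) + ".sig"

if __name__ == "__main__":
    for token in (TOKEN_WITHOUT_GROUPS, TOKEN_WITH_GROUPS):
        roles = effective_roles(POLICY, decode_id_token_claims(token), parse_scopes("[group_names]"))
        print(sorted(roles) if roles else "Role: None")  # first: Role: None, second: ['role:admin']
```

The token that lacks group_names resolves to Role: None and only a manual mapping of its sub UUID would grant anything, which is exactly the symptom above; decoding a real ID token the same way confirms whether the Identity Broker is actually returning group_names before you troubleshoot the policy.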