argo scopes reduced
		| @@ -12,13 +12,11 @@ data: | |||||||
|     # If you want to store sensitive data in another Kubernetes Secret, instead of argocd-secret. ArgoCD knows to check the keys under data in your Kubernetes Secret for a corresponding key whenever a value in a configmap or secret starts with $, then your Kubernetes Secret name and : (colon). |     # If you want to store sensitive data in another Kubernetes Secret, instead of argocd-secret. ArgoCD knows to check the keys under data in your Kubernetes Secret for a corresponding key whenever a value in a configmap or secret starts with $, then your Kubernetes Secret name and : (colon). | ||||||
|     clientSecret: $argocd-oauth:client-secret |     clientSecret: $argocd-oauth:client-secret | ||||||
|  |  | ||||||
|     skipAudienceCheckWhenTokenHasNoAudience: true |  | ||||||
|  |  | ||||||
|     # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"] |     # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"] | ||||||
|     requestedScopes: ["openid", "profile", "email", "groups"] |     requestedScopes: ["openid", "profile", "email", "groups"] | ||||||
|  |  | ||||||
|     # Optional set of OIDC claims to request on the ID token. |     # Optional set of OIDC claims to request on the ID token. | ||||||
|     requestedIDTokenClaims: {"groups": {"essential": true}} |     requestedIDTokenClaims: {"groups": {"essential": true}} | ||||||
|     allowedAudiences: |  | ||||||
|     - argocd |  | ||||||
|    |    | ||||||
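Review bot: Dropping both `allowedAudiences` and `skipAudienceCheckWhenTokenHasNoAudience` leaves the audience check on Argo CD's defaults — presumably the `aud` must match the configured clientID (which is outside this hunk) and a token with no `aud` claim is rejected — which is the stricter behaviour, but nothing records why the explicit `argocd` audience was no longer needed. Whether this fails closed or simply breaks login depends on what the IdP actually puts in `aud`, so I would add, above `requestedScopes`, a comment such as `# Audience is validated against clientID and tokens without aud are rejected (defaults); confirmed against the IdP's token contents.` The commit title says scopes were reduced, yet `requestedScopes` is unchanged in this hunk; either the trim happened elsewhere or the title should describe the audience/RBAC tightening instead.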
| @@ -6,4 +6,6 @@ data: | |||||||
|   policy.csv: | |   policy.csv: | | ||||||
|     # use oidc group apps_admin as admin group in argocd |     # use oidc group apps_admin as admin group in argocd | ||||||
|     g, apps_admin, role:admin |     g, apps_admin, role:admin | ||||||
|   policy.default: role:readonly |     g, argocd, role:readonly | ||||||
|  |   # all other user that might have entered via oidc, are blocked: deny everything | ||||||
|  |   policy.default: deny | ||||||
|   | |||||||
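Review bot: `policy.default: deny` appears to deny only by accident — as far as I can tell Argo CD reads the value as a role name, and `deny` works only because no `p, deny, ...` rule exists, so a later rule or subject with that name would silently turn the default into a grant; the documented way to deny everything is `policy.default: ''`, which I would use here (confirm against the RBAC docs for the deployed Argo CD version). The new `g, argocd, role:readonly` line has no comment saying that `argocd` is an OIDC group name, unlike the `apps_admin` line above it; `# oidc group argocd is mapped to read-only` keeps the two consistent. The added comment is also loosely worded; `# OIDC users with no mapped group get no permissions at all` says it precisely. This mapping only holds while the `groups` claim keeps being requested in the OIDC config, which lives in the other hunk.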