apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
data:
  policy.csv: |
    # use oidc group apps_admin as admin group in argocd
    g, apps_admin, role:admin
    g, argocd, role:readonly
  # all other user that might have entered via oidc, are blocked: deny everything
  policy.default: deny