Local Users and RBAC: Give One Teammate One Project
Verify the Grant Resolved
Do not assume the policy means what you think. Verify it with argocd admin settings rbac can. This command takes the same fields as a p line and prints Yes or No depending on whether the subject has that permission under the current policy. The --namespace argocd flag tells it to read the live argocd-rbac-cm ConfigMap.
Here are three checks against the policy we applied.
Can alice sync an app in team-alpha?
argocd admin settings rbac can alice sync applications 'team-alpha/my-app' --namespace argocd
Prints Yes. alice is in role:team-alpha-dev, which has a p line allowing sync on team-alpha/*.
Can alice view todo-app in the default project?
argocd admin settings rbac can alice get applications 'default/todo-app' --namespace argocd
Prints Yes. No role alice is explicitly bound to grants this; role:team-alpha-dev only covers team-alpha. She gets it from policy.default: role:readonly, the fallback role every authenticated user receives.
Can alice sync todo-app in the default project?
argocd admin settings rbac can alice sync applications 'default/todo-app' --namespace argocd
Prints No. Nothing grants it. role:team-alpha-dev allows sync only on team-alpha/*, and role:readonly allows no sync at all. There is no deny line involved: RBAC denies by default whenever no allow matches.
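To make the three resolutions concrete, here is an added Python model of the evaluation. It is an illustration, not Argo CD's own casbin engine; the policy.csv lines are a reconstruction of what the text describes, and role:readonly is simplified to a single get-everything line.

```python
# Added illustration of how an Argo CD RBAC check resolves; a simplified
# model, not Argo CD's own casbin engine. The policy is a constructed
# reconstruction of what the text describes; role:readonly is modelled as
# one "get everything" line rather than the real built-in role.
from fnmatch import fnmatchcase

POLICY_CSV = """
p, role:team-alpha-dev, applications, sync, team-alpha/*, allow
p, role:readonly, *, get, */*, allow
g, alice, role:team-alpha-dev
"""
POLICY_DEFAULT = "role:readonly"  # fallback role every authenticated user gets


def parse_policy(csv_text):
    """Return (p rows, {subject: set of roles}) from policy.csv text."""
    perms, groups = [], {}
    for raw in csv_text.strip().splitlines():
        fields = [f.strip() for f in raw.split(",")]
        if fields[0] == "p":
            perms.append(tuple(fields[1:]))  # subj, resource, action, object, effect
        elif fields[0] == "g":
            groups.setdefault(fields[1], set()).add(fields[2])
    return perms, groups


def can(subject, resource, action, obj, csv_text=POLICY_CSV, default_role=POLICY_DEFAULT):
    """Answer like `argocd admin settings rbac can`: 'Yes' or 'No'."""
    perms, groups = parse_policy(csv_text)
    # Subjects a p line may name: the user, roles bound by g lines, policy.default.
    subjects = {subject, default_role} | groups.get(subject, set())
    effects = {eft for subj, res, act, o, eft in perms
               if subj in subjects
               and fnmatchcase(resource, res)
               and fnmatchcase(action, act)
               and fnmatchcase(obj, o)}
    if "deny" in effects:   # an explicit deny overrides any allow
        return "No"
    return "Yes" if "allow" in effects else "No"  # no match at all: deny by default


if __name__ == "__main__":
    # The three checks from the text.
    for act, obj in [("sync", "team-alpha/my-app"), ("get", "default/todo-app"), ("sync", "default/todo-app")]:
        print(f"alice {act} applications {obj}: {can('alice', 'applications', act, obj)}")
```

Running it prints Yes, Yes, No in the same order as the three argocd checks above.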
You can now log in as alice and confirm the policy holds in the UI. She sees todo-app in the default project and can open it, but the Sync button returns a permission error: policy.default: role:readonly lets her view it, and nothing grants her sync on default. Log in as admin on the same app for contrast: the superuser can sync it, which proves the restriction is real for alice and not a UI glitch.
That covers one subject and one project. To exercise the rest of the policy, create the missing pieces.
GitOps the Hard Way, with Argo CD
