Bei der Einrichtung eines Android-Smartphones kann der Anwender künftig aus bis zu drei Alternativen zur Google-Suche wählen. Für die entsprechenden Plätze hat die Konkurrenz an Google gezahlt. Einige Wettbewerber halten das für unfair. (Google, Browser)
Quelle: Golem
Von Nvidia gibt es Quake 2 RTX, eine Raytracing-Version des Shooters. Wir haben uns das Hyperblaster-Gewehr und allerhand Geforce-Grafikkarten geschnappt, um zu prüfen, was es für Quake 2 RTX braucht. Ein Test von Marc Sauter (Quake, Grafikhardware)
Quelle: Golem
Pioneer hat ein Autodisplay zum Nachrüsten vorgestellt, das Apples Wireless Carplay und Android Auto Wireless unterstützt, 10,1 Zoll groß ist und eine 720p-Auflösung bietet. (Pioneer, Technologie)
Quelle: Golem
Renault fürchtet, dass Elektroautos mit Dacia-Emblem für Kunden der Marke zu teuer seien. Deshalb setzt das Unternehmen bei Dacia auf einen Autogasantrieb. (Elektroauto, Technologie)
Quelle: Golem
Lovot ist ein Kofferwort aus Love und Robot: Der knuffige japanische Roboter soll positive Emotionen auslösen – und tut das auch. Selten haben wir so oft “Ohhhhhhh!” gehört. Ein Hands on von Tobias Költzsch (CES 2020, Roboter)
Quelle: Golem
Mark your calendars for Google’s largest event, Google Cloud Next ’20, happening April 6-8, 2020 at the Moscone Center in San Francisco. Register by February 29, 2020 with the code GRPABLOG2020 and you will receive $500 USD off a full-price ticket. Google Cloud Next brings together a global cloud community of leaders, developers, influencers, and more to help you get inspired and solve your most pressing business challenges, including: What are the latest security strategies to help me keep pace with evolving threats? How can I improve my data analytics strategies with new AI or ML technologies?How and when should I migrate my VMs?How can I develop apps once and deploy on any cloud?How can I increase productivity and collaboration inside my organization?Solutions to these challenges, and many more, will be showcased over the course of three days through more than 500 sessions, labs, and training opportunities at Google Cloud Next.Explore dynamic content across all learning levels. Dive deep into technologies and solutions spanning the Google Cloud portfolio through breakout sessions, our Dev Zone, code labs, demos, hands-on training, and more. Plus, you’ll be able to meet more than 370 ecosystem partners to see how they’re innovating on Google Cloud with their customers.Last year at Next ’19, we were grateful that so many of you joined us at our sold out event. Take a look at our recap posts (Day 1, Day 2, and Day 3) for a preview of what you can expect in April. Since our 122+ announcements at Next ’19, we’ve been hard at work on more product announcements, customer success stories, and news announcements to share with you this April.If you’re a partner or at premier level in Partner Advantage, and interested in becoming a sponsor Next ‘20, please contact us.We’re committed to creating an accessible, scalable, and socially responsible cloud together, and would be thrilled to have you at this year’s event.
Quelle: Google Cloud Platform
When you’re getting started with a machine learning (ML) project, one critical principle to keep in mind is that data is everything. It is often said that if ML is the rocket engine, then the fuel is the (high-quality) data fed to ML algorithms. However, deriving truth and insight from a pile of data can be a complicated and error-prone job. To have a solid start for your ML project, it always helps to analyze the data up front, a practice that describes the data by means of statistical and visualization techniques to bring important aspects of that data into focus for further analysis. During that process, it’s important that you get a deep understanding of: The properties of the data, such as schema and statistical properties;The quality of the data, like missing values and inconsistent data types;The predictive power of the data, such as correlation of features against target.This process lays the groundwork for the subsequent feature selection and engineering steps, and it provides a solid foundation for building good ML models. There are many different approaches to conducting exploratory data analysis (EDA) out there, so it can be hard to know what analysis to perform and how to do it properly. To consolidate the recommendations on conducting proper EDA, data cleaning, and feature selection in ML projects, we’ll summarize and provide concise guidance from both intuitive (visualization) and rigorous (statistical) perspectives. Based on the results of the analysis, you can then determine corresponding feature selection and engineering recommendations. You can also get more comprehensive instructions in this white paper.You can also check out the Auto Data Exploration and Feature Recommendation Tool we developed to help you automate the recommended analysis, regardless of the scale of the data, then generate a well-organized report to present the findings. EDA, feature selection, and feature engineering are often tied together and are important steps in the ML journey. With the complexity of data and business problems that exist today (such as credit scoring in finance and demand forecasting in retail), how the results of proper EDA can influence your subsequent decisions is a big question. In this post, we will walk you through some of the decisions you’ll need to make about your data for a particular project, and choosing which type of analysis to use, along with visualizations, tools, and feature processing.Let’s start exploring the types of analysis you can choose from. Statistical data analysisWith this type of analysis, data exploration can be conducted from three different angles: descriptive, correlation, and contextual. Each type introduces complementary information on the properties and predictive power of the data, helping you make an informed decision based on the outcome of the analysis.1. Descriptive analysis (univariate analysis)Descriptive analysis, or univariate analysis, provides an understanding of the characteristics of each attribute of the dataset. It also offers important evidence for feature preprocessing and selection in a later stage. The following table lists the suggested analysis for attributes that are common, numerical, categorical and textual.Click to enlarge2. Correlation analysis (bivariate analysis)Correlation analysis (or bivariate analysis) examines the relationship between two attributes, say X and Y, and examines whether X and Y are correlated. This analysis can be done from two perspectives to get various possible combinations:Qualitative analysis. This performs computation of the descriptive statistics of dependent numerical/categorical attributes against each unique value of the independent categorical attribute. This perspective helps intuitively understand the relationship between X and Y. Visualizations are often used together with qualitative analysis as a more intuitive way of presenting the result.Click to enlargeQuantitative analysis. This is a quantitative test of the relationship between X and Y, based on hypothesis testing framework. This perspective provides a formal and mathematical methodology to quantitatively determine the existence and/or strength of the relationship.Click to enlarge3. Contextual analysisDescriptive analysis and correlation analysis are both generic enough to be performed on any structured dataset, neither of which requires context information. To further understand or profile the given dataset and to gain more domain-specific insights, you can use one of two common contextual information-based analyses: Time-based analysis: In many real-world datasets, the timestamp (or a similar time-related attribute) is one of the key pieces of contextual information. Observing and/or understanding the characteristics of the data along the time dimension, with various granularities, is essential to understanding the data generation process and ensuring data qualityAgent-based analysis: As an alternative to the time, the other common attribute is the unique identification (ID, such as user ID) of each record. Analyzing the dataset by aggregating along the agent dimension, i.e., histogram of number of records per agent, can further help improve your understanding of the dataset. Example of time-based analysis:The following figure displays the average number of train trips per hour originating from and ending at one particular location based on a simulated dataset.From this, we can conclude that peak times are around 8:30am and 5:30pm, which is consistent with the intuition that these are the times when people would typically leave home in the morning and return after a day of work.Feature selection and engineeringThe ultimate goal of EDA (whether rigorous or through visualization) is to provide insights on the dataset you’re studying. This can inspire your subsequent feature selection, engineering, and model-building process. Descriptive analysis provides the basic statistics of each attribute of the dataset. Those statistics can help you identify the following issues: High percentage of missing valuesLow variance of numeric attributesLow entropy of categorical attributesImbalance of categorical target (class imbalance)Skew distribution of numeric attributesHigh cardinality of categorical attributesThe correlation analysis examines the relationship between two attributes. There are two typical action points triggered by the correlation analysis in the context of feature selection or feature engineering:Low correlation between feature and targetHigh correlation between featuresOnce you’ve identified issues, the next task is to make a sound decision on how to properly mitigate these issues. One such example is for “High percentage of missing values.” The identified problem is that the attribute is missing in a significant proportion of the data points. The threshold or definition of “significant” can be set based on domain knowledge. There are two options to handle this, depending on the business scenario:Assign a unique value to the missing value records, if the missing value, in certain contexts, is actually meaningful. For example, a missing value could indicate that a monitored, underlying process was not functioning properly. Discard the feature if the values are missing due to misconfiguration, issues with data collection or untraceable random reasons, and the historic data can’t be reconstituted. You can check out the whitepaper to learn more about the proper ways of addressing the above issues, recommended visualization of each analysis and a survey of the existing tools that are most suitable.A tool that helps you automateTo further help you speed up the process of preparing data for machine learning, you can use our Auto Data Exploration and Feature Recommendation Tool to automate the recommended analysis regardless of the scale of the data, and generate a well-organized report to present the findings and recommendations. The tool’s automated EDA includes:Descriptive analysis of each attribute in a dataset for numerical, categorical; Correlation analysis of two attributes (numerical vs. numerical, numerical vs. categorical, and categorical vs. categorical) through qualitative and/or quantitative analysis.Based on the EDA performed, the tool makes feature recommendations and generates a summary report, which looks something like this:We look forward to your feedback as we continue adding features to the tool.Thanks to additional contributors to this work: Dan Anghel, cloud machine learning engineer and Barbara Fusinska, cloud machine learning engineer
Quelle: Google Cloud Platform
Editor’s note: Today we’re hearing from Nuuly, the subscription-based clothing business of URBN. As a new brand within an established company, their small technology team had the opportunity to build their infrastructure from scratch. Here’s how they did it.At URBN, we’re a retail company that includes several well-known U.S. retail brands: Urban Outfitters, Anthropologie, and Free People. When we decided to move into the subscription model space last year, our goal was to let our customers try out new styles by renting clothing. They can subscribe monthly and pick six items per month from our e-commerce site to wear as much as they like, then return them back to us. This brand-new service, called Nuuly, launched in mid-2019 after just 10 months from conceiving the idea to offering the service to customers. In that 10 months, we built an entire technology platform using Google Cloud from the ground up, choosing the right tools to power this new business—without any legacy apps. From a technology perspective, we had different challenges and goals as a subscription provider than URBN does as an online and in-person retailer. We decided to put a team together to totally focus on this new retail rental model and its unique requirements. That meant we could make our own decisions about the platform and frameworks we’d use. We first had to think about the business model we were building, then assess what technology would best fit with that model. Signing up for cloud The overarching challenge we faced was creating the best solution for the job within a tight timeframe. Instead of just shopping for products, we went a layer deeper and looked at all aspects of this new market we were entering. The recurring revenue model is different from a typical retail revenue model, and so is managing inventory at the individual garment level, rather than the typical SKU level. But in the retail market, a lot of legacy tools were built for that model. Our existing enterprise system wasn’t able to support these new requirements, and it would have been much harder to retrofit than to build from the ground up. We knew we wanted a cloud platform so we could take advantage of provider infrastructure instead of ours for hosting.When we started exploring the cloud technology options to power Nuuly, we had a few parameters established: We wanted a secure platform that would let us grow as the business grows, and since we’re not cloud experts, we wanted to have the option of using managed services. Because we were in a brand-new space, we wanted to be able to start small, but not be restricted when we did want to scale out. Another important aspect for us was that our technology would let us easily use data science and machine learning to do extensive personalization. As the engineering lead, I did a lot of up-front analysis to figure out which would be the best cloud partner for us. Google checked off a lot of boxes, and we knew the data management platform would support our needs, so we chose Google Cloud. Our 15-person team was able to build the entire new platform in the 10-month timeframe because we chose Google—we didn’t have to hire an operations team to solve the problem. Using Google Cloud services let us bootstrap quickly and build our business on top of that. That platform includes an entire warehouse management system, and the software powering the brand-new distribution center.Powering our subscribers with dataWith Google Cloud, we’ve built a data backbone that lets us integrate data from different sources, messaging, stream processing and ETL jobs. We chose Google Kubernetes Engine (GKE) and multiple Google Cloud managed data offerings, including BigQuery, Data Studio, Cloud Storage, TensorFlow, and more. We use an event-driven architecture with Kafka as the main event manager. We run a Confluent cluster on Google Cloud, which helps us meet our strict event data ordering requirement. The biggest competitive advantage we get using Google Cloud is the managed services. There are so many capabilities built in to Google Cloud, so it’s easy for us to adopt new features as quickly as possible to stay competitive. For example, we can capture all events streaming into BigQuery, then add a reporting dashboard easily for our business partners on the brand side. They can then make informed decisions on what to buy based on updated user information. Using Google Cloud’s many features also means we can offer our customers more cool features so they can try new styles and new ways of expressing themselves. We can offer different channels to different customers based on age group, for example, to recommend new styles to try without having to buy them.We also had strict scalability criteria when we set out to deploy cloud and build our new business. Our cloud platform with Google has scaled along with the business, so as we acquire new subscribers, we’re not increasing our operational costs at the same time like we would be with a more traditional on-prem system. With cloud, we can pay for resources as we use them, so cost savings and efficiency is also an important metric to track. And the cloud lets us scale without customer downtime, so that translates into another key metric for us.Our business is still evolving, so we’re just scratching the surface in terms of all we can offer our customers. What’s great is that with managed cloud services, we’re able to focus on the business side of things, rather than the technology side. Since we don’t have to manage resources, we can provision resources up front and use the utilization model. Learn more about URBN and about Nuuly.
Quelle: Google Cloud Platform
Es gibt noch unentdeckte Gebiete in der Galar-Region, und in zwei Erweiterungen für Pokémon Schwert und Schild können Spieler sie erkunden – und dabei neue legendäre Taschenmonster vom Kuschelformat bis auf Bestiengröße hochpäppeln. (Pokémon, Nintendo)
Quelle: Golem
GitOps is a pattern that has gained a fair share of popularity in recent times as it emphasizes declaratively expressing infrastructure and application configuration within Git repositories. When using Kubernetes, the concepts that GitOps employs aligns well as each of the resources (Deployments, Services, ConfigMaps) that comprise not only an application, but the platform itself can be stored in Git. While the management of these resources can be handled manually, a number of tools have emerged to not only aid in the GitOps space, but specifically with the integration with Kubernetes.
ArgoCD is one such tool that emphasizes Continuous Delivery (CD) practices to repeatedly deliver changes to Kubernetes environments.
Note: ArgoCD has recently joined forces with Flux, a Cloud Native Computing Foundation (CNCF) sandbox project, to create gitops-engine as the solution that will combine the benefits of each standalone project.
ArgoCD accomplishes CD methodologies by using Git repositories as a source of truth for Kubernetes manifests that can be specified in a number of ways including plan yaml files, kustomize applications, as well as Helm Charts, and applies them to targeted clusters. When working with multiple teams and, in particular, enterprise organizations, it is imperative that each individual using the tool is authorized to do so in line with the principle of least privilege. ArgoCD features a fully functional Role Based Access Control (RBAC) system that can be used to implement this requirement. While ArgoCD itself does not include a user management system outside of a default admin user that has unrestricted access, it provides the ability to integrate with an external user management system through Single Sign On (SSO) capabilities. Open ID Connect (OIDC) is the authorization framework utilized by ArgoCD with two (2) supported approaches available:
Existing OIDC provider – An authorization provider that natively supports the OIDC
Bundled Dex Server – If an authorization provider does not support OIDC, a bundled OIDC and SSO with pluggable connectors to interact with external user management system
When using OpenShift as the Kubernetes distribution, one of the features that the platform natively supports the integration with an array of identity providers. In many cases, OpenShift leverages enterprise identity providers such as Active Directory/LDAP, GitHub or GitLab (including others) to provide access to users and define groups. Included with the deployment of ArgoCD is a Dex, a bundled OpenID Connect (OIDC) and OAuth Server with support for pluggable connectors to connect to user management systems. While Dex could be configured to integrate with these backend systems (such as LDAP) directly, it would add yet another integration point that would need to be managed and potentially cause additional burden. Instead, Dex can be configured to make use of OpenShift’s authentication capabilities.
This approach aligns well as it reduces the number of integration points that need to be managed by centralizing how users are authenticated, reducing the burden on OpenShift cluster administrators, along with providing a streamlined and consistent experience for end users. This article will describe how to integrate with OpenShift authentication and how to implement granular role based access control in ArgoCD.
Deploying ArgoCD on OpenShift
While the initial deployment of ArgoCD is outside the scope of this article, the ArgoCD website includes a Getting Started Guide which outlines the steps necessary along with manifests that can be used to deploy ArgoCD. Ensure that you not only have an OpenShift environment available, but are also a user with the admin role within a single namespace.
Note: The minimal level of permissions required to implement this integration is the admin role on a namespace in order to create and configure an OpenShift service account.
Once ArgoCD is deployed, the next step is to validate that you can reach the user interface. The manifests that were applied as described in the Getting Started Guide assume a deployment to a standard Kubernetes environment. OpenShift includes an ingress out-of-the-box solution using Routes to integrate with services running within the platform by external consumers. Create a route that enables access to ArgoCD using the OpenShift Command Line Interface.
oc create route passthrough argocd –service=argocd-server –port=https –insecure-policy=Redirect
Confirm the web console is accessible by navigating to the location provided by executing the following command:
echo https://$(oc get routes argocd -o=jsonpath='{ .spec.host }’)
Now that access to the console has been verified, let’s describe the architecture of ArgoCD as it pertains to user management. The primary component of the ArgoCD solution is the ArgoCD server (argocd-server). It exposes an API server that can be used by the ArgoCD command line tool (CLI) as well as the web server for which we verified previously. The native OIDC integration from ArgoCD to a supported authentication backend is included within this API server layer. When leveraging an alternate authentication backend that does not natively support OIDC, a standalone instance of the Dex is deployed. It is the logic within Dex which governs the integration with OpenShift. The ability to leverage OpenShift within Dex was a recently added connector and, as a result, the version of Dex that is utilized during the default ArgoCD deployment does not yet contain the needed connector.
Execute the following command to replace the image that is being used by Dex with the image that includes the OpenShift connector:
oc patch deployment argocd-dex-server -p ‘{“spec”: {“template”: {“spec”: {“containers”: [{“name”: “dex”,”image”: “quay.io/ablock/dex:openshift-connector”}]}}}}’
Confirm the updated Dex pod is running by executing the following command:
oc get pods -l=app.kubernetes.io/name=argocd-dex-server
Integrating ArgoCD with OpenShift Authentication
With the Dex container using the proper image, the next step is to enable the integration of ArgoCD and OpenShift authentication. OpenShift contains an integrated OAuth server for users to authenticate against the API. External applications (in this case Dex) can be given access to obtain information on behalf of a user from the OAuth server by registering a new OAuth client. OpenShift provides two mechanisms for registering an OAuth client:
Using a Service Account as a constrained form of OAuth Client
Registering an additional OAuth Client with the OAuth Server
The recommended approach, in this circumstance, is to leverage a Service Account as an OAuth Client rather than create an additional OAuth Client with the OAuth server. The primary reasoning behind this decision is that registering an additional OAuth Client with the OAuth server requires elevated access to OpenShift whereas using a service account as an OAuth client only required privileges that are already available within a namespace. However, one must note that while a Service Account can be used to represent an OAuth client for the integration with ArgoCD, there are many situations for which it cannot. One of the primary drawbacks is that only a subset of OAuth scopes supported within OpenShift can be requested by these types of clients as well as role based access can only be granted within the same namespace as the Service Account.
Only a few steps need to be completed prior to leveraging a Service Account as an OAuth client. First, a Service Account must be identified for this integration. The deployment of ArgoCD created a service account called argocd-dex-server that is used to run the Dex container. This is an ideal Service Account to use for this purpose.
Next, as with any type of integration with an OAuth server, the application authenticates using a Client ID and Client Secret. The client ID in this case is the full name of the service account in the format system:serviceaccount:<namespace>:<service_account_name>. So in this situation, if ArgoCD was deployed in a namespace called argocd, the Client ID would be system:serviceaccount:argocd:argocd-dex-server. The Client Secret is any one of the OpenShift OAuth API tokens that are automatically configured upon Service Account creation. This token can be obtained by executing the following command:
oc serviceaccounts get-token argocd-dex-server
The final step is to configure the Redirect URI that represents the location within ArgoCD that users should redirected to after successfully authenticating as part of the OAuth flow, within an annotation on the Service Account. This annotation makes use of the format serviceaccounts.openshift.io/oauth-redirecturi.<name> annotation. So, in this case, the annotation can be specified as serviceaccounts.openshift.io/oauth-redirecturi.argocd. The value of this annotation that represents the Redirect URI takes the following form (using the hostname for ArgoCD retrieved previously):
https://<argocd_host>/api/dex/callback
Patch the Service Account to add the Redirect URI annotation by replacing the content currently held by <argocd_redirect_uri> by executing the following command:
oc patch serviceaccount argocd-dex-server –type=’json’ -p='[{“op”: “add”, “path”: “/metadata/annotations/serviceaccounts.openshift.io~1oauth-redirecturi.argocd”, “value”:”<argocd_redirect_uri>”}]’
Confirm the annotation was applied to the Service Account appropriately by executing the following command:
oc get sa argocd-dex-server -o jsonpath='{.metadata.annotations.serviceaccounts.openshift.io/oauth-redirecturi.argocd}’
Now that ArgoCD has been granted access to obtain user information from OpenShift, the next step is to configure SSO within ArgoCD. As ArgoCD emphasizes the use of GitOps methodologies through declarative configuration, the majority of the configuration for ArgoCD itself is managed through a range of native Kubernetes resources stored in the cluster. Specifically, the argocd-cm ConfigMap contains the primary configuration for ArgoCD and within this resource is the location for which the integration with the Dex OIDC connector is defined (A full list of resources that aid in the configuration of ArgoCD along with the available options can be found here).
With an understanding of where the specific configuration to enable SSO integration with OpenShift can be managed, let’s investigate the key options exposed by the OpenShift Dex connector as illustrated in the table below:
oc edit cm argocd-cmDefine the SSO configuration for OpenShift by editing the argocd-cm ConfigMap using the following command:
At initial deployment time, the content of the ConfigMap is empty and contains no data property. The resulting ConfigMap is the code complete configuration that will be ultimately applied:
data:
url: https://<argocd_host>
dex.config: |
connectors:
# OpenShift
– type: openshift
id: openshift
name: OpenShift
config:
issuer: <openshift_api_server>
clientID: <client_id>
clientSecret: <client_secret>
redirectURI: <redirect_uri>
insecureCA: true
Now, let’s walk through each property in detail;
The first property that is required when enabling SSO is the URL for the ArgoCD server itself in the url property. Once again, make use of the hostname discovered previously.
Next, we will define the properties for the Dex connector. The id, type, and name properties are all required regardless of the type of connector being used. The id property refers to a unique value within the Dex server. The type property must be specified as openshift as it identifies the connector that should be used. The name property refers to the friendly name that will appear in the ArgoCD user interface to identify the connector.
Now, let’s define the properties associated with the OpenShift connector. First, the issuer property is the location of the OpenShift API server. This value can be obtained by running the following command:
oc whoami –show-server
Next, as discovered previously, provide the values of the clientID and clientSecret from the constrained Service Account.
The redirectURI property should match the value that was placed within the annotation in the Service Account.
Finally, depending on the Certificate Authority that issued the SSL certificate for the OpenShift API server, there may be a need to perform additional configuration so that the Dex server can communicate securely. This could be accomplished by specifying the rootCA property that references the location within the Dex container with the necessary certificates. However, to demonstrate the functionality of the ArgoCD and OpenShift integration, we will forgo this configuration and instead specify the insecureCA property to be true to bypass SSL verification.
Save the ConfigMap to apply the changes.
ArgoCD monitors the state of the ConfigMap and automatically reloads the Dex server so no further action is required prior to testing the integration.
With the SSO configuration in place, navigate to the ArgoCD URL. You will be presented with a login page as well as a “Login via OpenShift” button. Select this button which will direct you to the OpenShift Login page. Complete the OpenShift login process as well as allowing ArgoCD to make use of your user information when prompted. Afterwards, you will be presented with the ArgoCD overview screen.
Congratulations! You have successfully integrated OpenShift authentication with ArgoCD!
Utilize OpenShift Groups to Restrict Access
By default, any valid OpenShift user who successfully authenticates is granted access to ArgoCD. In many cases, there will be a desire or requirement to limit access to certain subset of users to enhance the security of the solution. For demonstration purposes, we will create two groups within OpenShift and associate users into each group. Ensure that you have two user accounts defined within OpenShift to implement this solution. If you are making use of the kubeadmin account that is provided by default when installing OpenShift, enable the htpasswd identity provider within OpenShift as described in the OpenShift Documentation and create two users, john and bill. Feel free to associate a password of your choosing to each user (such as redhat1!). Afterward, verify both of these users can login to ArgoCD by logging out of any existing sessions and attempting to authenticate with the credentials for each user.
With two users created, let’s create two groups within OpenShift called argocdusers and argocdadmins. If your OpenShift environment is already making use of groups, feel free to skip the group creation and association step and make use of these previously created assets.
Otherwise, create the two groups using the following commands:
oc adm groups new argocdusers
oc adm groups new argocdadmins
With the groups created, lets configure the OpenShift connector to require users attempting to authenticate be a member of each group. The groups property allows you to specify a list of groups that have access.
Once again edit the ConfigMap using the following command:
oc edit cm argocd-cm
Add the groups property with the names of the two groups to which will result in the ConfigMap appearing similar to the following:
data:
url: <argocd_url>
dex.config: |
connectors:
# OpenShift
– type: openshift
id: openshift
name: OpenShift
config:
issuer: <openshift_api_server>
clientID: <client_id>
clientSecret: <client_secret>
redirectURI: <redirect_uri>
insecureCA: true
groups:
– argocdusers
– argocdadmins
Saving the changes will automatically update the configuration. Logout of ArgoCD if previously authenticated and attempt to login again as either john or bill. You should be presented with an error stating that user attempting to login is not part of the required groups.
Let’s go ahead and fix this.
Add john to the argocdusers group and add bill to the argocdadmins group using the following commands:
oc adm groups add-users argocdusers john
oc adm groups add-users argocdadmins bill
Attempt to login to ArgoCD once again and this time, authorization should succeed now that the users are placed within groups that have been granted access.
Role Based Access Control
While ArgoCD does not have a native user management system, it does feature a robust role based access control system. By default, any authenticated user can browse around the web console, but does not have access to any resources. So, if an attempt is made from either John or Bill’s account to modify any resource will result in an access error (Feel free to try this out yourself). In order for elevated access to be granted, we will look to leverage the groups that a user is a member of and apply policies to perform functions within ArgoCD. For users in the argocdusers group, we will allow users to make use of the readonly role that is available in ArgoCD as part of a typical deployment (The default set of policies are defined in the builtin-policy.csv file). However, for users in the argocdadmins group, we will want to grant ArgoCD admin privileges. So in our case, Bill will be able to modify all resources within ArgoCD, but John will not (but will be able to view all of the resources, a privilege he did not have previously).
Role based access control in ArgoCD is defined within a ConfigMap called argocd-rbac-cm. Similar to the argocd-cm ConfigMap resource that we configured previously, no data is defined by default. Two primary components can be managed through this resource:
Default access policy
Policies and group associations in CSV format
As indicated previously, the default access policy that is applied to any authenticated user is read only. This access level can be changed by defining the policy.default property. The policy that is to be applied can either be one of the built in roles or a new role which could be defined within the policy.csv property. While we will not define a new set of policies, we will use the policy.csv property to define an association between the group defined in OpenShift and an ArgoCD role. An ArgoCD role can be associated to a group using the following format:
g, <group_name>, <role>
So, to associate the argocdusers group to the builtin readonly role and the argocdadmins group to the built in admin role, the following would be the resulting group policies:
g, argocdusers, role:readonly
g, argocdadmins, role:admin
Edit the argocd-rbac-cm ConfigMap:
oc edit cm argocd-rbac-cm
Apply the policy to the policy.csv property as shown below:
data:
policy.csv: |
g, argocdusers, role:readonly
g, argocdadmins, role:admin
With the policy applied, login as Bill who is a member of the argocdadmins group and perform a modification to confirm the policy has taken effect. To verify, let’s attempt to create a new ArgoCD Project, which is a logical grouping of applications and ideal for when ArgoCD is used by multiple teams.
Login as Bill, select the gear icon from the left hand navigation bar, and then click on Projects. At the top of the page, select New Project and enter openshift as the Project Name. Click Create to not only create the project, but to confirm the elevated level of permissions is being applied.
Feel free to logout of Bill’s account and login as John to confirm that he is now able to view all resources within ArgoCD including the openshift project Bill’s user created previously completing all of the desired tasks for integrating ArgoCD with OpenShift authentication.
While the steps illustrated previously mainly utilized the web interface, users making use of the SSO integration with OpenShift can continue to use the ArgoCD Command Line Interface. When invoking the argocd login subcommand, omit the usage of the –username and –password flags and instead provide the –sso flag. Upon invocation, the default web browser will be launched to the OpenShift login page to complete the login process
As demonstrated in this article, the ability to leverage OpenShift’s authentication and group management capabilities ushers not only provides new opportunities into the GitOps landscape using ArgoCD, but increases the likelihood of being adopted in enterprise environments as it leverages many of the previously agreed upon user management strategies that is part of any OpenShift deployment.
The post OpenShift Authentication Integration with ArgoCD appeared first on Red Hat OpenShift Blog.
Quelle: OpenShift
