diff --git a/docs/operator-manual/web_based_terminal.md b/docs/operator-manual/web_based_terminal.md index 5c791e9faa00f1..c19188aa1fd6c6 100644 --- a/docs/operator-manual/web_based_terminal.md +++ b/docs/operator-manual/web_based_terminal.md @@ -13,10 +13,20 @@ Kubernetes), then the user effectively has the same privileges as that ServiceAc ## Enabling the terminal -1. Set the `exec.enabled` key to `"true"` on the `argocd-cm` ConfigMap. +1. Set the `exec.enabled` key to `"true"` on the `argocd-cm` ConfigMap in the `data` field. This enables the exec feature in Argo CD. + + ``` + apiVersion: v1 + kind: ConfigMap + metadata: + name: argocd-cm + namespace: # Replace with your actual namespace + data: + exec.enabled: "true" + ``` 2. Patch the `argocd-server` Role (if using namespaced Argo) or ClusterRole (if using clustered Argo) to allow `argocd-server` -to exec into pods +to `exec` into pods - apiGroups: - "" @@ -24,13 +34,31 @@ to exec into pods - pods/exec verbs: - create - + If you'd like to perform the patch by imperative way, you can use the following command: + + - For namespaced Argo + ``` + kubectl patch role -n argocd - type='json' -p='[{"op": "add", "path": "/rules/-", "value": {"apiGroups": ["*"], "resources": ["pods/exec"], "verbs": ["create"]}}]' + ``` + - For clustered Argo + ```` + kubectl patch clusterrole - type='json' -p='[{"op": "add", "path": "/rules/-", "value": {"apiGroups": ["*"], "resources": ["pods/exec"], "verbs": ["create"]}}]' + ``` 3. Add RBAC rules to allow your users to `create` the `exec` resource, i.e. p, role:myrole, exec, create, */*, allow - - + You can use any key you'd like to use in the `data` field, something like + ``` + apiVersion: v1 + kind: ConfigMap + metadata: + name: + namespace: + data: + policy.conf: | # The key might differ based on the actual configuration + p, role:myrole, exec, create, */*, allow + ``` See [RBAC Configuration](rbac.md#exec-resource) for more info. ## Changing allowed shells
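Review bot: In the ConfigMap example added under step 1, `namespace:` is followed only by a comment, so the key has no value and the manifest is not usable as written. Put a visible placeholder value there and keep the comment. The fence also has no language tag; `yaml` would match the content. Because the example shows a whole ConfigMap carrying only `exec.enabled`, the text should say that the key is added to the existing `argocd-cm` data, so readers do not treat it as a complete replacement manifest.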
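Review bot: Both `kubectl patch` commands added under step 2 grant `pods/exec` with `"apiGroups": ["*"]`, while the rule documented directly above them uses the core group `""`. The imperative form should use `"apiGroups": [""]` so that it produces the same rule and the docs do not recommend a broader grant than the declarative version. In the same commands, `- type='json'` as written is not the `--type` flag, and no Role or ClusterRole name follows `role` and `clusterrole`, so neither command names the object it patches. The clustered example opens its fence with four backticks and closes it with three, which will break rendering of everything after it. "by imperative way" should read "imperatively". In step 3, the example ConfigMap leaves `name:` and `namespace:` empty, and the sentence saying any key may be used under `data` should be confirmed against rbac.md before merging, since the example uses `policy.conf` and a reader will copy it literally.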