github.com/argoproj-labs/argocd-operator@v0.10.0/docs/usage/custom_roles.md

# Custom Roles

As an administrative user, when you give Argo CD access to a namespace by using the `argocd.argoproj.io/managed-by` label, it assumes namespace-admin privileges. These privileges are an issue for administrators who provide namespaces to non-administrators, such as development teams, because the privileges enable non-administrators to modify objects such as network policies. With this update, administrators can configure a common cluster role for all the managed namespaces. In role bindings for the Argo CD application controller, the Operator refers to the `CONTROLLER_CLUSTER_ROLE` environment variable. In role bindings for the Argo CD server, the Operator refers to the `SERVER_CLUSTER_ROLE` environment variable. If these environment variables contain custom roles, the Operator doesn't create the default admin role. Instead, it uses the existing custom role for all managed namespaces.

Example: Custom role environment variables in operator Subscription:

```yaml
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: argocd-operator
  namespace: argocd
spec:
  config:
    env:
    # Cluster role bound to the Argo CD application controller
    - name: CONTROLLER_CLUSTER_ROLE
      value: custom-controller-role
    # Cluster role bound to the Argo CD server
    - name: SERVER_CLUSTER_ROLE
      value: custom-server-role
```

Example: Custom role environment variables in operator Deployment:

```yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: argocd-operator-controller-manager
  namespace: argocd
spec:
  replicas: 1
  template:
    spec:
      containers:
      # Operator container; its other fields are omitted here
      - env:
        - name: CONTROLLER_CLUSTER_ROLE
          value: custom-controller-role
        - name: SERVER_CLUSTER_ROLE
          value: custom-server-role
```
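
Because the Operator uses the existing custom role as-is for every managed namespace, it is worth checking that role before naming it in the environment variables. The following is an added example, not part of the operator or its documentation: it flags rules in a candidate ClusterRole that would still allow modifying network policies, including through RBAC wildcards. The sample roles are constructed, and the `PROTECTED` set and function names are assumptions of this example.

```python
# Added example: audit a candidate custom ClusterRole before naming it in
# CONTROLLER_CLUSTER_ROLE / SERVER_CLUSTER_ROLE.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# Assumption: NetworkPolicy is the only protected resource; extend as needed.
PROTECTED = {("networking.k8s.io", "networkpolicies")}


def _matches(values, wanted):
    """RBAC list semantics: '*' in a rule field matches every value."""
    return "*" in values or wanted in values


def risky_rules(cluster_role):
    """Return (rule index, apiGroup, resource, write verbs) for every rule
    that grants write access to a protected resource."""
    findings = []
    for i, rule in enumerate(cluster_role.get("rules") or []):
        verbs = set(rule.get("verbs", []))
        granted = WRITE_VERBS if "*" in verbs else verbs & WRITE_VERBS
        if not granted:
            continue
        for group, resource in sorted(PROTECTED):
            if _matches(rule.get("apiGroups", []), group) and _matches(
                rule.get("resources", []), resource
            ):
                findings.append((i, group, resource, sorted(granted)))
    return findings


# Constructed samples shaped like `kubectl get clusterrole <name> -o json`.
SCOPED_ROLE = {"kind": "ClusterRole", "rules": [
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["configmaps", "services"], "verbs": ["*"]},
    {"apiGroups": ["networking.k8s.io"], "resources": ["networkpolicies"],
     "verbs": ["get", "list", "watch"]},
]}
WILDCARD_ROLE = {"kind": "ClusterRole", "rules": [
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
    {"apiGroups": ["networking.k8s.io"], "resources": ["*"],
     "verbs": ["get", "patch"]},
]}

if __name__ == "__main__":
    for name, role in (("scoped", SCOPED_ROLE), ("wildcard", WILDCARD_ROLE)):
        hits = risky_rules(role)
        print(name, "OK" if not hits else f"still grants write: {hits}")
```

Kubernetes RBAC is additive, so a resource is denied only when no rule matches it; read-only verbs on network policies, as in the scoped sample, pass the check.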