# Web-based Terminal

Since v2.4, Argo CD has a web-based terminal that allows you to get a shell inside a running pod just like you would with
`kubectl exec`. It's basically SSH from your browser, full ANSI color support and all! However, for security this feature
is disabled by default.

This is a powerful privilege. It allows the user to run arbitrary code on any Pod managed by an Application for which
they have the `exec/create` privilege. If the Pod mounts a ServiceAccount token (which is the default behavior of
Kubernetes), then the user effectively has the same privileges as that ServiceAccount.

## Enabling the terminal
<!-- Use indented code blocks for the numbered list to prevent breaking the numbering. See #11590 -->

1. In the `argocd-cm` ConfigMap, set the `exec.enabled` key to `"true"`. This enables the exec feature in Argo CD.

    ```
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: argocd-cm
      namespace: <namespace> # Replace <namespace> with your actual namespace
    data:
      exec.enabled: "true"
    ```

2. Patch the `argocd-server` Role (if using namespaced Argo) or ClusterRole (if using clustered Argo) to allow `argocd-server`
to `exec` into pods:

        - apiGroups:
          - ""
          resources:
          - pods/exec
          verbs:
          - create

    If you'd like to perform the patch imperatively, you can use the following command:

    - For namespaced Argo

        ```
        kubectl patch role <argocd-server-role-name> -n argocd --type='json' -p='[{"op": "add", "path": "/rules/-", "value": {"apiGroups": ["*"], "resources": ["pods/exec"], "verbs": ["create"]}}]'
        ```

    - For clustered Argo

        ```
        kubectl patch clusterrole <argocd-server-clusterrole-name> --type='json' -p='[{"op": "add", "path": "/rules/-", "value": {"apiGroups": ["*"], "resources": ["pods/exec"], "verbs": ["create"]}}]'
        ```

3. Add RBAC rules to allow your users to `create` the `exec` resource, i.e.

        p, role:myrole, exec, create, */*, allow

    This can be added either to the `argocd-cm` `ConfigMap` manifest or an `AppProject` manifest.

See [RBAC Configuration](rbac.md#exec-resource) for more info.

## Changing allowed shells

By default, Argo CD attempts to execute shells in this order:

1. bash
2. sh
3. powershell
4. cmd

If none of the shells are found, the terminal session will fail. To add to or change the allowed shells, change the
`exec.shells` key in the `argocd-cm` ConfigMap, separating them with commas.
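
Because `exec/create` carries the privileges of each Pod's ServiceAccount, it is worth reviewing which RBAC rules grant it once the terminal is enabled. The script below is an added example, not part of the Argo CD documentation or code base: it parses policy lines in the `p, role:myrole, exec, create, */*, allow` format shown under "Enabling the terminal" and reports every allow rule that covers `exec`/`create`, including wildcard rules. The sample policy, the role and subject names, and the function name `find_exec_grants` are all constructed for illustration, and glob matching is approximated with Python's `fnmatch`.

```python
"""Added example: list Argo CD RBAC rules that grant exec/create."""
from fnmatch import fnmatchcase

# Constructed sample policy; every role and subject name here is hypothetical.
SAMPLE_POLICY = """
p, role:myrole, exec, create, */*, allow
p, role:dev, applications, get, team-a/*, allow
p, role:dev, exec, create, team-a/*, allow
p, role:ops, *, *, */*, allow
p, role:auditor, exec, create, */*, deny
g, alice@example.com, role:dev
g, platform-admins, role:ops
"""


def find_exec_grants(policy_csv):
    """Return the allow rules covering exec/create, in file order.

    Assumption: glob matching of resource and action is approximated with
    fnmatch. Deny rules are skipped, not subtracted, so the result is an
    upper bound on who can open a terminal.
    """
    rules, members = [], {}
    for raw in policy_csv.splitlines():
        fields = [f.strip() for f in raw.split(",")]
        if fields[0] == "g" and len(fields) >= 3:
            # g, <user or group>, <role>
            members.setdefault(fields[2], []).append(fields[1])
        elif fields[0] == "p" and len(fields) >= 6:
            # p, <subject>, <resource>, <action>, <object>, <effect>
            rules.append(fields[1:6])

    grants = []
    for subject, resource, action, obj, effect in rules:
        if effect != "allow":
            continue
        if fnmatchcase("exec", resource) and fnmatchcase("create", action):
            project = obj.partition("/")[0]
            grants.append({
                "subject": subject,
                "object": obj,
                "all_projects": project == "*",  # widest possible scope
                "members": sorted(members.get(subject, [])),
            })
    return grants


if __name__ == "__main__":
    for g in find_exec_grants(SAMPLE_POLICY):
        scope = "ALL PROJECTS" if g["all_projects"] else g["object"]
        print(f'{g["subject"]:<14} {scope:<14} members={g["members"]}')
```

Rules such as the constructed `role:ops` entry show why wildcard resource and action grants need review: they include terminal access even though `exec` is never named.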