marcel/argo-cd
1
0
Fork 0
mirror of https://github.com/argoproj/argo-cd.git synced 2026-02-20 01:28:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
argo-cd/docs/operator-manual/web_based_terminal.md
Michael Crenshaw 65350789e8 docs: small fixes for mkdocs warnings (#26112) 
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Co-authored-by: Nitish Kumar <justnitish06@gmail.com>
2026-01-23 13:00:47 +00:00

2.8 KiB
Raw Permalink Blame History

Web-based Terminal

Argo CD Terminal

Since v2.4, Argo CD has a web-based terminal that allows you to get a shell inside a running pod just like you would with kubectl exec. It's basically SSH from your browser, full ANSI color support and all! However, for security this feature is disabled by default.

This is a powerful privilege. It allows the user to run arbitrary code on any Pod managed by an Application for which they have the exec/create privilege. If the Pod mounts a ServiceAccount token (which is the default behavior of Kubernetes), then the user effectively has the same privileges as that ServiceAccount.

Enabling the terminal

  1. In the argocd-cm ConfigMap, set the exec.enabled key to "true". This enables the exec feature in Argo CD.

    apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: <namespace>  # Replace <namespace> with your actual namespace
data:
  exec.enabled: "true"

  2. Restart Argo CD

Permissions for Kubernetes <1.31

Starting in Kubernetes 1.31, the get privilege is enough to exec into a container, so no additional permissions are required. Enabling web terminal before Kubernetes 1.31 requires adding additional RBAC permissions.

  1. Patch the argocd-server Role (if using namespaced Argo) or ClusterRole (if using clustered Argo) to allow argocd-server to exec into pods

     - apiGroups:
   - ""
   resources:
   - pods/exec
   verbs:
   - create

    If you'd like to perform the patch imperatively, you can use the following command:

    • For namespaced Argo 
      kubectl patch role <argocd-server-role-name> -n argocd --type='json' -p='[{"op": "add", "path": "/rules/-", "value": {"apiGroups": ["*"], "resources": ["pods/exec"], "verbs": ["create"]}}]'
    • For clustered Argo 
      kubectl patch clusterrole <argocd-server-clusterrole-name> --type='json' -p='[{"op": "add", "path": "/rules/-", "value": {"apiGroups": ["*"], "resources": ["pods/exec"], "verbs": ["create"]}}]'

  2. Add RBAC rules to allow your users to create the exec resource i.e.

     p, role:myrole, exec, create, */*, allow

    This can be added either to the argocd-cm Configmap manifest or an AppProject manifest.

    See RBAC Configuration for more info.

Changing allowed shells

By default, Argo CD attempts to execute shells in this order:

  1. bash
  2. sh
  3. powershell
  4. cmd

If none of the shells are found, the terminal session will fail. To add to or change the allowed shells, change the exec.shells key in the argocd-cm ConfigMap, separating them with commas.

Reference in New Issue View Git Blame Copy Permalink