...
---
# Service account that the ClusterRoleBinding "operate-workflow-binding"
# grants the sensor's workflow rights to.
# No namespace is set, so the account is created in whichever namespace the
# manifest is applied to. That binding names the account in "argo-events";
# applied anywhere else, the grant does not reach this account.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: operate-workflow-sa
---
# sensor
# Rights on Argo Workflows objects (API group argoproj.io) for the sensor.
# NOTE(review): this is a ClusterRole with full write access, and the list
# includes the cluster-scoped clusterworkflowtemplates. Whoever may create a
# Workflow chooses the containers it runs and the service account of the
# target namespace they run under, so review this role as the right to run
# pods. If the sensor only submits workflows, the update/patch/delete verbs
# and the template resources are candidates for removal; confirm against
# the triggers in use.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: operate-workflow-clusterrole
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflows
      - workflowtemplates
      - cronworkflows
      - clusterworkflowtemplates
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
---
# Attaches operate-workflow-clusterrole to the operate-workflow-sa service
# account in argo-events.
# NOTE(review): a ClusterRoleBinding applies the role in every namespace. If
# workflows are submitted to a single namespace, a RoleBinding in that
# namespace referencing the same ClusterRole limits the grant to it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: operate-workflow-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: operate-workflow-clusterrole
subjects:
  - kind: ServiceAccount
    name: operate-workflow-sa
    namespace: argo-events
---
# workflow
# Lets a Workflow pod (running the Emissary executor) create and patch
# WorkflowTaskResults, which are shared with the Workflow Controller; the
# controller uses the results to update Workflow status.
# NOTE(review): the verbs are create and patch only, so nothing here allows
# reading. The rule also covers workflows, which neither the description
# above nor the "minimum permissions" annotation accounts for: a workflow
# pod holding this role can create and patch Workflow objects. Keep that
# resource only if the workflows in use need it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: executor
  annotations:
    workflows.argoproj.io/description: |
      Recomended minimum permissions for the `emissary` executor.
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtaskresults
      - workflows
    verbs:
      - create
      - patch
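---
# Grants the "executor" ClusterRole to the "default" service account of the
# argo-events namespace.
# A ClusterRoleBinding is cluster-scoped, so it carries no
# metadata.namespace: the grant is valid in every namespace, and only the
# subject below is tied to argo-events.
# NOTE(review): every pod in argo-events that does not set
# serviceAccountName runs as "default" and inherits these rights. A
# dedicated service account for workflow pods, bound with a RoleBinding in
# the namespace where they run, keeps the grant narrower.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: executor-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: executor
subjects:
  - kind: ServiceAccount
    name: default
    namespace: argo-events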