apiVersion: v1
kind: ServiceAccount
metadata:
  name: operate-workflow-sa
---
# sensor
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: operate-workflow-clusterrole
rules:
- resources:
  - workflows
  - workflowtemplates
  - cronworkflows
  - clusterworkflowtemplates
  apiGroups:
  - argoproj.io
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: operate-workflow-binding
roleRef:
  name: operate-workflow-clusterrole
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
subjects:
- name: operate-workflow-sa
  namespace: argo-events
  kind: ServiceAccount
---
# workflow
# This file enables a Workflow Pod (running Emissary executor) to be able to read and patch WorkflowTaskResults,
# which get shared with the Workflow Controller. The Controller uses the results to update Workflow status.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: executor
  annotations:
    workflows.argoproj.io/description: |
      Recomended minimum permissions for the `emissary` executor.
rules:
- resources:
  - workflowtaskresults
  - workflows
  apiGroups:
  - argoproj.io
  verbs:
  - create
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: executor-default
  namespace: argo-events
roleRef:
  name: executor
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
subjects:
- name: default
  namespace: argo-events
  kind: ServiceAccount