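---
# Service account that operate-workflow-binding (below) grants workflow
# management rights to.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: operate-workflow-sa
  # Stated explicitly because operate-workflow-binding looks this account up
  # in argo-events; created in any other namespace, the binding would match
  # nothing.
  namespace: argo-events
---
# sensor
# Full read/write access to the Argo workflow resource kinds.
# NOTE(review): every verb, including delete, is granted on all four kinds.
# If the sensor only submits workflows, narrowing this to the verbs and
# resources it actually uses would limit what a compromised sensor pod can
# do - confirm against the sensor's triggers before trimming.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: operate-workflow-clusterrole
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflows
      - workflowtemplates
      - cronworkflows
      - clusterworkflowtemplates
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
---
# NOTE(review): a ClusterRoleBinding applies the role in every namespace, so
# operate-workflow-sa can create, change and delete workflows cluster-wide.
# If workflows are only ever submitted into one namespace, a RoleBinding in
# that namespace (referencing the same ClusterRole) keeps the grant there.
# clusterworkflowtemplates is a cluster-scoped kind and would still need a
# cluster-level grant if it is really required.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: operate-workflow-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: operate-workflow-clusterrole
subjects:
  - kind: ServiceAccount
    name: operate-workflow-sa
    namespace: argo-events
---
# workflow
# Lets a Workflow Pod (running the Emissary executor) create and patch
# WorkflowTaskResults, which are shared with the Workflow Controller. The
# Controller uses the results to update Workflow status.
# NOTE(review): the rule below also grants create/patch on `workflows`, which
# the description above does not cover. Create on workflows lets the holder
# have the controller start pods on its behalf, so keep that resource only if
# workflow steps are known to need it - confirm and drop otherwise.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: executor
  annotations:
    workflows.argoproj.io/description: |
      Recomended minimum permissions for the `emissary` executor.
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtaskresults
      - workflows
    verbs:
      - create
      - patch
---
# ClusterRoleBinding is a cluster-scoped kind, so it carries no
# metadata.namespace; the namespace that matters is the one on the subject.
# NOTE(review): the subject is the namespace's `default` service account, so
# every pod in argo-events that does not set serviceAccountName receives the
# executor permissions, and as a ClusterRoleBinding they apply in all
# namespaces. A dedicated service account for workflow pods, bound with a
# RoleBinding in the namespace where workflows run, would keep the grant to
# the pods that need it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: executor-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: executor
subjects:
  - kind: ServiceAccount
    name: default
    namespace: argo-events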