---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argo-role
  namespace: argo
rules:
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    workflows.argoproj.io/description: |
      This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates.

      If <= v3.2 you must replace `workflowtasksets/status` with `patch workflowtasksets`.
  name: agent
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtasksets
    verbs:
      - list
      - watch
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtasksets/status
    verbs:
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    workflows.argoproj.io/description: |
      This is the minimum recommended permissions needed if you want to use artifact GC.
  name: artifactgc
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflowartifactgctasks
    verbs:
      - list
      - watch
  - apiGroups:
      - argoproj.io
    resources:
      - workflowartifactgctasks/status
    verbs:
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    workflows.argoproj.io/description: |
      Recomended minimum permissions for the `emissary` executor.
  name: executor
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtaskresults
    verbs:
      - create
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    workflows.argoproj.io/description: |
      This is an example of the permissions you would need if you wanted to use a resource template to create and manage
      other pods. The same pattern would be suitable for other resurces, e.g. a service
  name: pod-manager
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - create
      - get
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: submit-workflow-template
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workfloweventbindings
    verbs:
      - list
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtemplates
    verbs:
      - get
  - apiGroups:
      - argoproj.io
    resources:
      - workflows
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    workflows.argoproj.io/description: |
      This is an example of the permissions you would need if you wanted to use a resource template to create and manage
      other workflows. The same pattern would be suitable for other resurces, e.g. a service
  name: workflow-manager
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflows
    verbs:
      - create
      - get