142 lines
3.0 KiB
YAML
142 lines
3.0 KiB
YAML
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: argo-role
|
|
namespace: argo
|
|
rules:
|
|
- apiGroups:
|
|
- coordination.k8s.io
|
|
resources:
|
|
- leases
|
|
verbs:
|
|
- create
|
|
- get
|
|
- update
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- secrets
|
|
verbs:
|
|
- get
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
annotations:
|
|
workflows.argoproj.io/description: |
|
|
This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates.
|
|
|
|
If <= v3.2 you must replace `workflowtasksets/status` with `patch workflowtasksets`.
|
|
name: agent
|
|
rules:
|
|
- apiGroups:
|
|
- argoproj.io
|
|
resources:
|
|
- workflowtasksets
|
|
verbs:
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- argoproj.io
|
|
resources:
|
|
- workflowtasksets/status
|
|
verbs:
|
|
- patch
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
annotations:
|
|
workflows.argoproj.io/description: |
|
|
This is the minimum recommended permissions needed if you want to use artifact GC.
|
|
name: artifactgc
|
|
rules:
|
|
- apiGroups:
|
|
- argoproj.io
|
|
resources:
|
|
- workflowartifactgctasks
|
|
verbs:
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- argoproj.io
|
|
resources:
|
|
- workflowartifactgctasks/status
|
|
verbs:
|
|
- patch
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
annotations:
|
|
workflows.argoproj.io/description: |
|
|
Recomended minimum permissions for the `emissary` executor.
|
|
name: executor
|
|
rules:
|
|
- apiGroups:
|
|
- argoproj.io
|
|
resources:
|
|
- workflowtaskresults
|
|
verbs:
|
|
- create
|
|
- patch
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
annotations:
|
|
workflows.argoproj.io/description: |
|
|
This is an example of the permissions you would need if you wanted to use a resource template to create and manage
|
|
other pods. The same pattern would be suitable for other resurces, e.g. a service
|
|
name: pod-manager
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- pods
|
|
verbs:
|
|
- create
|
|
- get
|
|
- patch
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: submit-workflow-template
|
|
rules:
|
|
- apiGroups:
|
|
- argoproj.io
|
|
resources:
|
|
- workfloweventbindings
|
|
verbs:
|
|
- list
|
|
- apiGroups:
|
|
- argoproj.io
|
|
resources:
|
|
- workflowtemplates
|
|
verbs:
|
|
- get
|
|
- apiGroups:
|
|
- argoproj.io
|
|
resources:
|
|
- workflows
|
|
verbs:
|
|
- create
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
annotations:
|
|
workflows.argoproj.io/description: |
|
|
This is an example of the permissions you would need if you wanted to use a resource template to create and manage
|
|
other workflows. The same pattern would be suitable for other resurces, e.g. a service
|
|
name: workflow-manager
|
|
rules:
|
|
- apiGroups:
|
|
- argoproj.io
|
|
resources:
|
|
- workflows
|
|
verbs:
|
|
- create
|
|
- get |