73 lines
2.9 KiB
YAML
73 lines
2.9 KiB
YAML
|
{{- if index .Values "argo-workflows" "enabled" }}
|
||
|
|
apiVersion: v1
|
||
|
|
kind: ServiceAccount
|
||
|
|
metadata:
|
||
|
|
name: argo-workflow
|
||
|
|
namespace: {{ .Release.Namespace }}
|
||
|
|
---
|
||
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
||
|
|
kind: ClusterRole
|
||
|
|
metadata:
|
||
|
|
name: custom-argo-clusterrole
|
||
|
|
rules:
|
||
|
|
# Default Argo permissions
|
||
|
|
- apiGroups: [""]
|
||
|
|
resources: ["configmaps", "pods", "pods/log", "secrets", "persistentvolumeclaims", "serviceaccounts"]
|
||
|
|
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
|
||
|
|
- apiGroups: [""]
|
||
|
|
resources: ["services"]
|
||
|
|
verbs: ["get", "list", "watch"]
|
||
|
|
- apiGroups: ["argoproj.io"]
|
||
|
|
resources: ["workflows", "workflowtemplates", "cronworkflows", "workflowtasksets", "workfloweventbindings", "clusterworkflowtemplates"]
|
||
|
|
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
|
||
|
|
- apiGroups: ["coordination.k8s.io"]
|
||
|
|
resources: ["leases"]
|
||
|
|
verbs: ["create", "delete", "get", "list", "update"]
|
||
|
|
- apiGroups: ["batch"]
|
||
|
|
resources: ["jobs"]
|
||
|
|
verbs: ["create", "delete", "get", "list", "watch"]
|
||
|
|
- apiGroups: ["apiextensions.k8s.io"]
|
||
|
|
resources: ["customresourcedefinitions"]
|
||
|
|
verbs: ["create", "get"]
|
||
|
|
# Full power activated
|
||
|
|
- apiGroups: [""]
|
||
|
|
resources: ["bindings", "endpoints", "events", "limitranges", "namespaces", "nodes", "persistentvolumes", "replicationcontrollers", "resourcequotas"]
|
||
|
|
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
|
||
|
|
- apiGroups: ["apps"]
|
||
|
|
resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
|
||
|
|
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
|
||
|
|
- apiGroups: ["autoscaling"]
|
||
|
|
resources: ["horizontalpodautoscalers"]
|
||
|
|
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
|
||
|
|
- apiGroups: ["batch"]
|
||
|
|
resources: ["cronjobs"]
|
||
|
|
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
|
||
|
|
- apiGroups: ["networking.k8s.io"]
|
||
|
|
resources: ["networkpolicies", "ingresses"]
|
||
|
|
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
|
||
|
|
- apiGroups: ["policy"]
|
||
|
|
resources: ["poddisruptionbudgets"]
|
||
|
|
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
|
||
|
|
- apiGroups: ["rbac.authorization.k8s.io"]
|
||
|
|
resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
|
||
|
|
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
|
||
|
|
- apiGroups: ["storage.k8s.io"]
|
||
|
|
resources: ["storageclasses", "volumeattachments"]
|
||
|
|
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
|
||
|
|
- apiGroups: ["argoproj.io"]
|
||
|
|
resources: ["workflowtaskresults"]
|
||
|
|
verbs: ["create", "patch"]
|
||
|
|
---
|
||
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
||
|
|
kind: ClusterRoleBinding
|
||
|
|
metadata:
|
||
|
|
name: custom-argo-clusterrolebinding
|
||
|
|
subjects:
|
||
|
|
- kind: ServiceAccount
|
||
|
|
name: argo-workflow
|
||
|
|
namespace: {{ .Release.Namespace }}
|
||
|
|
roleRef:
|
||
|
|
apiGroup: rbac.authorization.k8s.io
|
||
|
|
kind: ClusterRole
|
||
|
|
name: custom-argo-clusterrole
|
||
|
|
{{- end }}
|