From 8ad93adcb3bf76c3f56c371ab34ffe28221b9eed Mon Sep 17 00:00:00 2001 From: Alex Collins Date: Thu, 24 Feb 2022 14:17:37 -0800 Subject: [PATCH 1/9] docs: Split out executor/agent roles in quick-start RBAC. 
Signed-off-by: Alex Collins --- Makefile | 1 + docs/workflow-rbac.md | 45 ++++---- manifests/quick-start-minimal.yaml | 108 ++++++------------ manifests/quick-start-mysql.yaml | 108 ++++++------------ manifests/quick-start-postgres.yaml | 108 ++++++------------ .../base/agent-default-rolebinding.yaml | 11 ++ manifests/quick-start/base/agent-role.yaml | 17 +++ .../base/executor-default-rolebinding.yaml | 11 ++ .../executor-rbac/docker/executor-role.yaml | 11 ++ .../executor-rbac/emissary/executor-role.yaml | 11 ++ .../executor-rbac/k8sapi/executor-role.yaml | 17 +++ .../executor-rbac/kubelet/executor-role.yaml | 11 ++ .../kubelet-executor-clusterrole.yaml | 0 ...t-executor-default-clusterrolebinding.yaml | 0 .../base/executor-rbac/pns/executor-role.yaml | 11 ++ manifests/quick-start/base/kustomization.yaml | 8 +- .../base/memoizer-default-rolebinding.yaml | 11 ++ manifests/quick-start/base/memoizer-role.yaml | 16 +++ .../base/workflow-default-rolebinding.yaml | 2 +- .../workflow-manager-default-rolebinding.yaml | 11 ++ .../quick-start/base/workflow-manager.yaml | 16 +++ 21 files changed, 279 insertions(+), 255 deletions(-) create mode 100644 manifests/quick-start/base/agent-default-rolebinding.yaml create mode 100644 manifests/quick-start/base/agent-role.yaml create mode 100644 manifests/quick-start/base/executor-default-rolebinding.yaml create mode 100644 manifests/quick-start/base/executor-rbac/docker/executor-role.yaml create mode 100644 manifests/quick-start/base/executor-rbac/emissary/executor-role.yaml create mode 100644 manifests/quick-start/base/executor-rbac/k8sapi/executor-role.yaml create mode 100644 manifests/quick-start/base/executor-rbac/kubelet/executor-role.yaml rename manifests/quick-start/base/{ => executor-rbac/kubelet}/kubelet-executor-clusterrole.yaml (100%) rename manifests/quick-start/base/{ => executor-rbac/kubelet}/kubelet-executor-default-clusterrolebinding.yaml (100%) create mode 100644 
manifests/quick-start/base/executor-rbac/pns/executor-role.yaml create mode 100644 manifests/quick-start/base/memoizer-default-rolebinding.yaml create mode 100644 manifests/quick-start/base/memoizer-role.yaml create mode 100644 manifests/quick-start/base/workflow-manager-default-rolebinding.yaml create mode 100644 manifests/quick-start/base/workflow-manager.yaml diff --git a/Makefile b/Makefile index f1622a017340..869e02a91594 100644 --- a/Makefile +++ b/Makefile @@ -404,6 +404,7 @@ install: githooks ifneq ($(E2E_EXECUTOR),emissary) # only change the executor from the default it we need to kubectl patch cm/workflow-controller-configmap -p "{\"data\": {\"containerRuntimeExecutor\": \"$(E2E_EXECUTOR)\"}}" + kubectl apply -f manifests/quick-start/base/executor/$(E2E_EXECUTOR) -l app.kubernetes.io/part-of=argo endif ifeq ($(PROFILE),stress) kubectl -n $(KUBE_NAMESPACE) apply -f test/stress/massive-workflow.yaml diff --git a/docs/workflow-rbac.md b/docs/workflow-rbac.md index 69d698978255..80237c758b41 100644 --- a/docs/workflow-rbac.md +++ b/docs/workflow-rbac.md 
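Review bot: The added `kubectl apply -f manifests/quick-start/base/executor/$(E2E_EXECUTOR)` line points at a directory this commit does not create; the per-executor Roles are added under `manifests/quick-start/base/executor-rbac/`, so for any non-emissary E2E_EXECUTOR the apply fails before the executor Role is installed. The `-l app.kubernetes.io/part-of=argo` selector also appears to filter out every file in that directory, since none of the new executor-role manifests carry that label, so even with the right path nothing would be applied. Change the line to `kubectl apply -f manifests/quick-start/base/executor-rbac/$(E2E_EXECUTOR)` (or rename the directory) and drop the selector unless the manifests are labelled. The `install` target continues outside the hunk.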
@@ -1,35 +1,30 @@ # Workflow RBAC -All pods in a workflow run with the service account specified in `workflow.spec.serviceAccountName`, -or if omitted, the `default` service account of the workflow's namespace. The amount of access which -a workflow needs is dependent on what the workflow needs to do. For example, if your workflow needs -to deploy a resource, then the workflow's service account will require 'create' privileges on that -resource. +All pods in a workflow run with the service account specified in `workflow.spec.serviceAccountName`, or if omitted, +the `default` service account of the workflow's namespace. The amount of access which a workflow needs is dependent on +what the workflow needs to do. For example, if your workflow needs to deploy a resource, then the workflow's service +account will require 'create' privileges on that resource. -The bare minimum for a workflow to function is outlined below: +Tip: We do not recommend using the `default` service account in production. It is a shared account an may have +permissions added to it you do not want. Instead, create a service account only your workflow. + +The minimum for the executor to function: ```yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: workflow-role + name: executor rules: -# pod get/watch is used to identify the container IDs of the current pod -# pod patch is used to annotate the step's outputs back to controller (e.g. artifact location) -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - watch - - patch -# logs get/watch are used to get the pods logs for script outputs, and for log archival -- apiGroups: - - "" - resources: - - pods/log - verbs: - - get - - watch + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - patch ``` + +If you are not using the emissary, you'll need additional permissions. +See [executor](https://github.com/argoproj/argo-workflows/tree/master/manifests/quick-start/base/executor) for suitable +permissions. 
diff --git a/manifests/quick-start-minimal.yaml b/manifests/quick-start-minimal.yaml index 470b6c17ac0b..d453e62e689d 100644 --- a/manifests/quick-start-minimal.yaml +++ b/manifests/quick-start-minimal.yaml @@ -435,79 +435,38 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: submit-workflow-template + name: executor rules: - apiGroups: - - argoproj.io - resources: - - workfloweventbindings - verbs: - - list -- apiGroups: - - argoproj.io - resources: - - workflowtemplates - verbs: - - get -- apiGroups: - - argoproj.io + - "" resources: - - workflows + - pods verbs: - - create + - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: workflow-role + name: submit-workflow-template rules: - apiGroups: - - "" - resources: - - pods - verbs: - - get - - watch - - patch -- apiGroups: - - "" - resources: - - pods/log - verbs: - - get - - watch -- apiGroups: - - "" + - argoproj.io resources: - - pods/exec + - workfloweventbindings verbs: - - create + - list - apiGroups: - - "" + - argoproj.io resources: - - configmaps + - workflowtemplates verbs: - - create - get - - update - apiGroups: - argoproj.io resources: - workflows verbs: - create - - get -- apiGroups: - - argoproj.io - resources: - - workflowtasksets - - workflowtasksets/finalizers - verbs: - - list - - watch - - get - - update - - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -543,16 +502,16 @@ rules: - watch --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: RoleBinding metadata: - name: kubelet-executor -rules: -- apiGroups: - - "" - resources: - - nodes/proxy - verbs: - - get + name: agent-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: agent +subjects: +- kind: ServiceAccount + name: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -580,6 +539,18 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding +metadata: + name: executor-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: executor +subjects: +- kind: ServiceAccount + name: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: name: github.com roleRef: @@ -594,11 +565,11 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: workflow-default-binding + name: workflow-manager-default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: workflow-role + name: executor subjects: - kind: ServiceAccount name: default @@ -629,19 +600,6 @@ subjects: name: argo-server namespace: argo --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kubelet-executor-default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kubelet-executor -subjects: -- kind: ServiceAccount - name: default - namespace: argo ---- apiVersion: v1 data: default-v1: | diff --git a/manifests/quick-start-mysql.yaml b/manifests/quick-start-mysql.yaml index 5d35536e657b..44752d352069 100644 --- a/manifests/quick-start-mysql.yaml +++ b/manifests/quick-start-mysql.yaml 
@@ -435,79 +435,38 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: submit-workflow-template + name: executor rules: - apiGroups: - - argoproj.io - resources: - - workfloweventbindings - verbs: - - list -- apiGroups: - - argoproj.io - resources: - - workflowtemplates - verbs: - - get -- apiGroups: - - argoproj.io + - "" resources: - - workflows + - pods verbs: - - create + - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: workflow-role + name: submit-workflow-template rules: - apiGroups: - - "" - resources: - - pods - verbs: - - get - - watch - - patch -- apiGroups: - - "" - resources: - - pods/log - verbs: - - get - - watch -- apiGroups: - - "" + - argoproj.io resources: - - pods/exec + - workfloweventbindings verbs: - - create + - list - apiGroups: - - "" + - argoproj.io resources: - - configmaps + - workflowtemplates verbs: - - create - get - - update - apiGroups: - argoproj.io resources: - workflows verbs: - create - - get -- apiGroups: - - argoproj.io - resources: - - workflowtasksets - - workflowtasksets/finalizers - verbs: - - list - - watch - - get - - update - - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -543,16 +502,16 @@ rules: - watch --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: RoleBinding metadata: - name: kubelet-executor -rules: -- apiGroups: - - "" - resources: - - nodes/proxy - verbs: - - get + name: agent-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: agent +subjects: +- kind: ServiceAccount + name: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -580,6 +539,18 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding +metadata: + name: executor-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: executor +subjects: +- kind: ServiceAccount + name: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: name: github.com roleRef: @@ -594,11 +565,11 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: workflow-default-binding + name: workflow-manager-default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: workflow-role + name: executor subjects: - kind: ServiceAccount name: default @@ -629,19 +600,6 @@ subjects: name: argo-server namespace: argo --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kubelet-executor-default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kubelet-executor -subjects: -- kind: ServiceAccount - name: default - namespace: argo ---- apiVersion: v1 data: default-v1: | diff --git a/manifests/quick-start-postgres.yaml b/manifests/quick-start-postgres.yaml index a1ffc565247c..ca61f8931c10 100644 --- a/manifests/quick-start-postgres.yaml +++ b/manifests/quick-start-postgres.yaml 
@@ -435,79 +435,38 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: submit-workflow-template + name: executor rules: - apiGroups: - - argoproj.io - resources: - - workfloweventbindings - verbs: - - list -- apiGroups: - - argoproj.io - resources: - - workflowtemplates - verbs: - - get -- apiGroups: - - argoproj.io + - "" resources: - - workflows + - pods verbs: - - create + - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: workflow-role + name: submit-workflow-template rules: - apiGroups: - - "" - resources: - - pods - verbs: - - get - - watch - - patch -- apiGroups: - - "" - resources: - - pods/log - verbs: - - get - - watch -- apiGroups: - - "" + - argoproj.io resources: - - pods/exec + - workfloweventbindings verbs: - - create + - list - apiGroups: - - "" + - argoproj.io resources: - - configmaps + - workflowtemplates verbs: - - create - get - - update - apiGroups: - argoproj.io resources: - workflows verbs: - create - - get -- apiGroups: - - argoproj.io - resources: - - workflowtasksets - - workflowtasksets/finalizers - verbs: - - list - - watch - - get - - update - - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -543,16 +502,16 @@ rules: - watch --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: RoleBinding metadata: - name: kubelet-executor -rules: -- apiGroups: - - "" - resources: - - nodes/proxy - verbs: - - get + name: agent-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: agent +subjects: +- kind: ServiceAccount + name: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -580,6 +539,18 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding +metadata: + name: executor-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: executor +subjects: +- kind: ServiceAccount + name: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: name: github.com roleRef: @@ -594,11 +565,11 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: workflow-default-binding + name: workflow-manager-default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: workflow-role + name: executor subjects: - kind: ServiceAccount name: default @@ -629,19 +600,6 @@ subjects: name: argo-server namespace: argo --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kubelet-executor-default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kubelet-executor -subjects: -- kind: ServiceAccount - name: default - namespace: argo ---- apiVersion: v1 data: default-v1: | diff --git a/manifests/quick-start/base/agent-default-rolebinding.yaml b/manifests/quick-start/base/agent-default-rolebinding.yaml new file mode 100644 index 000000000000..f22f07123d31 --- /dev/null +++ b/manifests/quick-start/base/agent-default-rolebinding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: agent-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: agent +subjects: + - kind: ServiceAccount + name: default diff --git a/manifests/quick-start/base/agent-role.yaml b/manifests/quick-start/base/agent-role.yaml new file mode 100644 index 000000000000..491694f20279 --- /dev/null +++ b/manifests/quick-start/base/agent-role.yaml 
@@ -0,0 +1,17 @@ +# https://argoproj.github.io/argo-workflows/workflow-rbac/ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: agent + annotations: + workflows.argoproj.io/description: | + This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates. +rules: + - apiGroups: + - argoproj.io + resources: + - workflowtasksets + verbs: + - list + - watch + - patch diff --git a/manifests/quick-start/base/executor-default-rolebinding.yaml b/manifests/quick-start/base/executor-default-rolebinding.yaml new file mode 100644 index 000000000000..124c7ca315a7 --- /dev/null +++ b/manifests/quick-start/base/executor-default-rolebinding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: executor-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: executor +subjects: + - kind: ServiceAccount + name: default diff --git a/manifests/quick-start/base/executor-rbac/docker/executor-role.yaml b/manifests/quick-start/base/executor-rbac/docker/executor-role.yaml new file mode 100644 index 000000000000..2c2cf84d6f89 --- /dev/null +++ b/manifests/quick-start/base/executor-rbac/docker/executor-role.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: executor +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - patch diff --git a/manifests/quick-start/base/executor-rbac/emissary/executor-role.yaml b/manifests/quick-start/base/executor-rbac/emissary/executor-role.yaml new file mode 100644 index 000000000000..2c2cf84d6f89 --- /dev/null +++ b/manifests/quick-start/base/executor-rbac/emissary/executor-role.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: executor +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - patch 
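Review bot: The new `agent` Role grants only `list`, `watch` and `patch` on `workflowtasksets`, while the `workflow-role.yaml` it replaces (removed from the kustomization here and deleted in the next commit of this series) granted `list`, `watch`, `get`, `update` and `patch` on both `workflowtasksets` and `workflowtasksets/finalizers`, with the comment that the agent pod updates the taskset. I cannot tell from the manifest alone which verbs the agent actually issues; if it still performs a `get`/`update` or touches finalizers, HTTP and plugin templates would fail with forbidden errors under the quick-start. Please confirm the reduced verb set against the agent code and, if it is deliberate, extend the description annotation with one line saying the finalizer sub-resource and `get`/`update` are no longer required, so the next reader does not re-add them reflexively.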
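Review bot: The `docker` executor Role grants only `patch` on `pods`, but the `workflow-role.yaml` this series removes documented `get`/`watch` on `pods` as the way the executor identifies the container IDs of the current pod, and `get`/`watch` on `pods/log` for script outputs and log archival; the `kubelet` and `pns` roles in the following hunks and the `k8sapi` role are cut the same way. The emissary executor is designed not to need those, but docker, kubelet and pns inspect the pod through the API, so with `patch` alone they are likely to fail on `get pods`. Please verify each executor against its reduced Role and restore what it needs, e.g. adding `- get` and `- watch` under `verbs` for `pods` and re-adding the old `pods/log` rule in the docker, kubelet and pns files, with a per-rule comment stating which executor operation needs it as the removed file did.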
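Review bot: The `emissary` executor Role grants only `patch` on `pods`, while `docs/workflow-rbac.md` in this same commit lists `get` and `patch` as the executor minimum; one of the two is wrong, and the docs are what users copy into production. Align them, either by adding `- get` under `verbs` here or by dropping it from the docs once confirmed unnecessary, and record the decision in a `workflows.argoproj.io/description` annotation under `metadata` as the `agent` Role does, so the generated quick-start manifests explain why this Role is so small.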
diff --git a/manifests/quick-start/base/executor-rbac/k8sapi/executor-role.yaml b/manifests/quick-start/base/executor-rbac/k8sapi/executor-role.yaml new file mode 100644 index 000000000000..d03081b3ac1f --- /dev/null +++ b/manifests/quick-start/base/executor-rbac/k8sapi/executor-role.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: executor +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - patch + - apiGroups: + - "" + resources: + - pods/exec + verbs: + - create diff --git a/manifests/quick-start/base/executor-rbac/kubelet/executor-role.yaml b/manifests/quick-start/base/executor-rbac/kubelet/executor-role.yaml new file mode 100644 index 000000000000..2c2cf84d6f89 --- /dev/null +++ b/manifests/quick-start/base/executor-rbac/kubelet/executor-role.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: executor +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - patch diff --git a/manifests/quick-start/base/kubelet-executor-clusterrole.yaml b/manifests/quick-start/base/executor-rbac/kubelet/kubelet-executor-clusterrole.yaml similarity index 100% rename from manifests/quick-start/base/kubelet-executor-clusterrole.yaml rename to manifests/quick-start/base/executor-rbac/kubelet/kubelet-executor-clusterrole.yaml diff --git a/manifests/quick-start/base/kubelet-executor-default-clusterrolebinding.yaml b/manifests/quick-start/base/executor-rbac/kubelet/kubelet-executor-default-clusterrolebinding.yaml similarity index 100% rename from manifests/quick-start/base/kubelet-executor-default-clusterrolebinding.yaml rename to manifests/quick-start/base/executor-rbac/kubelet/kubelet-executor-default-clusterrolebinding.yaml diff --git a/manifests/quick-start/base/executor-rbac/pns/executor-role.yaml b/manifests/quick-start/base/executor-rbac/pns/executor-role.yaml new file mode 100644 index 000000000000..2c2cf84d6f89 --- /dev/null 
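Review bot: The second rule of the `k8sapi` executor Role grants `create` on `pods/exec` for every pod in the namespace, and the `executor-default` binding added in this commit attaches it to the `default` ServiceAccount; that is effectively exec access to any pod sharing the namespace, which in the quick-start layout appears to be the same namespace as the controller and argo-server, a far larger grant than the `patch` the other executors get. The grant may well be required by this executor, but the manifest should say so: add a `workflows.argoproj.io/description` annotation under `metadata` stating that `pods/exec` is needed by the `k8sapi` executor and is namespace-wide, so operators copying it can scope it or choose another executor. The Role also lacks `get` on `pods`, which the removed `workflow-role.yaml` listed as the way container IDs are discovered; please verify the k8sapi executor works without it.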
+++ b/manifests/quick-start/base/executor-rbac/pns/executor-role.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: executor +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - patch diff --git a/manifests/quick-start/base/kustomization.yaml b/manifests/quick-start/base/kustomization.yaml index b809453642d7..aa4be4a61819 100644 --- a/manifests/quick-start/base/kustomization.yaml +++ b/manifests/quick-start/base/kustomization.yaml @@ -6,10 +6,10 @@ resources: - minio - webhooks - argo-server-sso-secret.yaml - - workflow-role.yaml - - kubelet-executor-clusterrole.yaml - - kubelet-executor-default-clusterrolebinding.yaml - - workflow-default-rolebinding.yaml + - executor-rbac/emissary/executor-role.yaml + - executor-default-rolebinding.yaml + - workflow-manager-default-rolebinding.yaml + - agent-default-rolebinding.yaml - cluster-workflow-template-rbac.yaml - artifact-repositories-configmap.yaml diff --git a/manifests/quick-start/base/memoizer-default-rolebinding.yaml b/manifests/quick-start/base/memoizer-default-rolebinding.yaml new file mode 100644 index 000000000000..1f415115b36a --- /dev/null +++ b/manifests/quick-start/base/memoizer-default-rolebinding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: memoizer-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: memoizer +subjects: + - kind: ServiceAccount + name: default diff --git a/manifests/quick-start/base/memoizer-role.yaml b/manifests/quick-start/base/memoizer-role.yaml new file mode 100644 index 000000000000..d5cb71c74671 --- /dev/null +++ b/manifests/quick-start/base/memoizer-role.yaml 
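Review bot: The resources list adds `agent-default-rolebinding.yaml` and `workflow-manager-default-rolebinding.yaml` but not the `agent-role.yaml` and `workflow-manager.yaml` Roles created in this commit, so the generated `quick-start-*.yaml` hunks above gain RoleBindings whose `roleRef` names Roles that are never defined. Kubernetes accepts a dangling roleRef silently, so the agent and resource-template cases would only fail at runtime with forbidden errors. Add `- agent-role.yaml` and `- workflow-manager.yaml` next to their bindings; `memoizer-role.yaml` and `memoizer-default-rolebinding.yaml` are likewise created but unlisted, which is fine if they are opt-in examples but should then be stated in their description annotation or a comment in this list.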
@@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: memoizer + annotations: + workflows.argoproj.io/description: | + Only needed if you are using ConfigMap-based cache for memoization. +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - get + - update diff --git a/manifests/quick-start/base/workflow-default-rolebinding.yaml b/manifests/quick-start/base/workflow-default-rolebinding.yaml index 9cca04007764..cb930cfb27a7 100644 --- a/manifests/quick-start/base/workflow-default-rolebinding.yaml +++ b/manifests/quick-start/base/workflow-default-rolebinding.yaml @@ -5,7 +5,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: workflow-role + name: workflow subjects: - kind: ServiceAccount name: default diff --git a/manifests/quick-start/base/workflow-manager-default-rolebinding.yaml b/manifests/quick-start/base/workflow-manager-default-rolebinding.yaml new file mode 100644 index 000000000000..c2907623985e --- /dev/null +++ b/manifests/quick-start/base/workflow-manager-default-rolebinding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: workflow-manager-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: executor +subjects: + - kind: ServiceAccount + name: default diff --git a/manifests/quick-start/base/workflow-manager.yaml b/manifests/quick-start/base/workflow-manager.yaml new file mode 100644 index 000000000000..d4e6606f52c3 --- /dev/null +++ b/manifests/quick-start/base/workflow-manager.yaml 
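Review bot: This binding's `roleRef` is retargeted to `name: workflow`, but no Role named `workflow` exists after this commit (`workflow-role.yaml` is the only candidate, it keeps `name: workflow-role`, is dropped from `kustomization.yaml` here and is deleted in the next commit of this series), so the file becomes an orphan referencing a non-existent Role. If the binding is obsolete, delete the file in this commit rather than retargeting it; if it is meant to survive as an example, name the Role it expects in a leading comment so it is not applied blindly.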
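Review bot: `workflow-manager-default` binds `roleRef.name: executor` instead of the `workflow-manager` Role created in this commit, so the `default` ServiceAccount gets a second binding to the executor Role and no permission to `create`/`get` `workflows`; resource templates that manage other workflows would be denied. Change the line to `name: workflow-manager`. The same wrong reference is carried into the generated `quick-start-minimal.yaml`, `quick-start-mysql.yaml` and `quick-start-postgres.yaml` hunks above.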
@@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: workflow-manager + annotations: + workflows.argoproj.io/description: | + This is an example of the permissions you would need if you wanted to use a resource template to create and manage + other workflows. The same pattern would be suitable for other resurces, e.g. a service +rules: + - apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - create + - get \ No newline at end of file From cda24216e5566e08867c67b1645ec9d6a5b03b86 Mon Sep 17 00:00:00 2001 From: Alex Collins Date: Thu, 24 Feb 2022 14:54:01 -0800 Subject: [PATCH 2/9] fix: ok Signed-off-by: Alex Collins --- manifests/quick-start-minimal.yaml | 34 ++++++++++ manifests/quick-start-mysql.yaml | 34 ++++++++++ manifests/quick-start-postgres.yaml | 34 ++++++++++ manifests/quick-start/base/kustomization.yaml | 2 + ...anager.yaml => workflow-manager-role.yaml} | 0 manifests/quick-start/base/workflow-role.yaml | 63 ------------------- 6 files changed, 104 insertions(+), 63 deletions(-) rename manifests/quick-start/base/{workflow-manager.yaml => workflow-manager-role.yaml} (100%) delete mode 100644 manifests/quick-start/base/workflow-role.yaml diff --git a/manifests/quick-start-minimal.yaml b/manifests/quick-start-minimal.yaml index d453e62e689d..7123af1a5fcf 100644 --- a/manifests/quick-start-minimal.yaml +++ b/manifests/quick-start-minimal.yaml @@ -257,6 +257,23 @@ metadata: --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates. + name: agent +rules: +- apiGroups: + - argoproj.io + resources: + - workflowtasksets + verbs: + - list + - watch + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: name: argo-role rules: 
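Review bot: The file is named `workflow-manager.yaml` while the sibling Roles added in this commit are `agent-role.yaml` and `memoizer-role.yaml`, the description annotation misspells `resurces`, and the file ends without a trailing newline (`\ No newline at end of file`). Rename it to `workflow-manager-role.yaml` to match the pattern, fix the spelling to `resources`, and add the final newline. Consider also noting in the annotation that `create` on `workflows` is a transitive grant, since a created workflow can itself set `spec.serviceAccountName` per the docs in this series, so production users should scope it deliberately.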
@@ -469,6 +486,23 @@ rules: - create --- apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + This is an example of the permissions you would need if you wanted to use a resource template to create and manage + other workflows. The same pattern would be suitable for other resurces, e.g. a service + name: workflow-manager +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - create + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: argo-clusterworkflowtemplate-role diff --git a/manifests/quick-start-mysql.yaml b/manifests/quick-start-mysql.yaml index 44752d352069..8f2770d3db48 100644 --- a/manifests/quick-start-mysql.yaml +++ b/manifests/quick-start-mysql.yaml @@ -257,6 +257,23 @@ metadata: --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates. + name: agent +rules: +- apiGroups: + - argoproj.io + resources: + - workflowtasksets + verbs: + - list + - watch + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: name: argo-role rules: @@ -469,6 +486,23 @@ rules: - create --- apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + This is an example of the permissions you would need if you wanted to use a resource template to create and manage + other workflows. The same pattern would be suitable for other resurces, e.g. a service + name: workflow-manager +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - create + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: argo-clusterworkflowtemplate-role 
diff --git a/manifests/quick-start-postgres.yaml b/manifests/quick-start-postgres.yaml index ca61f8931c10..e990d1619373 100644 --- a/manifests/quick-start-postgres.yaml +++ b/manifests/quick-start-postgres.yaml @@ -257,6 +257,23 @@ metadata: --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates. + name: agent +rules: +- apiGroups: + - argoproj.io + resources: + - workflowtasksets + verbs: + - list + - watch + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: name: argo-role rules: @@ -469,6 +486,23 @@ rules: - create --- apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + This is an example of the permissions you would need if you wanted to use a resource template to create and manage + other workflows. The same pattern would be suitable for other resurces, e.g. a service + name: workflow-manager +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - create + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: argo-clusterworkflowtemplate-role diff --git a/manifests/quick-start/base/kustomization.yaml b/manifests/quick-start/base/kustomization.yaml index aa4be4a61819..d8df086ad136 100644 --- a/manifests/quick-start/base/kustomization.yaml +++ b/manifests/quick-start/base/kustomization.yaml @@ -8,7 +8,9 @@ resources: - argo-server-sso-secret.yaml - executor-rbac/emissary/executor-role.yaml - executor-default-rolebinding.yaml + - workflow-manager-role.yaml - workflow-manager-default-rolebinding.yaml + - agent-role.yaml - agent-default-rolebinding.yaml - cluster-workflow-template-rbac.yaml - artifact-repositories-configmap.yaml 
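Review bot: With `workflow-role.yaml` deleted in this commit, `workflow-default-rolebinding.yaml` is left in the base directory with `roleRef.name: workflow`, a Role that now exists nowhere, and it is not listed in this resources block either; delete it in the same commit so the base does not carry a binding to a phantom Role. `memoizer-role.yaml` and `memoizer-default-rolebinding.yaml` remain unlisted as well; if that is intentional, a one-line comment in this list such as `# memoizer-* are opt-in examples, apply manually` would stop the next person from re-adding them.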
diff --git a/manifests/quick-start/base/workflow-manager.yaml b/manifests/quick-start/base/workflow-manager-role.yaml similarity index 100% rename from manifests/quick-start/base/workflow-manager.yaml rename to manifests/quick-start/base/workflow-manager-role.yaml diff --git a/manifests/quick-start/base/workflow-role.yaml b/manifests/quick-start/base/workflow-role.yaml deleted file mode 100644 index 9fb60a955544..000000000000 --- a/manifests/quick-start/base/workflow-role.yaml +++ /dev/null @@ -1,63 +0,0 @@ -# https://argoproj.github.io/argo-workflows/workflow-rbac/ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: workflow-role -rules: - # pod get/watch is used to identify the container IDs of the current pod - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - watch - # pod patch is used to annotate the step's outputs back to controller (e.g. artifact location) - # This is ONLY needed if the step/task has outputs that are used by another step or task. - - patch - # logs get/watch are used to get the pods logs for script outputs, and for log archival - - apiGroups: - - "" - resources: - - pods/log - verbs: - - get - - watch - # Only needed if you are running the `k8sapi` executor. - - apiGroups: - - "" - resources: - - pods/exec - verbs: - - create - # Only needed if you are using ConfigMap-based cache for memoization. - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - get - - update - # This allows one workflow to create another. - # This is only needed for resource templates. - - apiGroups: - - argoproj.io - resources: - - workflows - verbs: - - create - - get - # This allows agent pod to update the taskset. - # This is only needed for http templates. - - apiGroups: - - argoproj.io - resources: - - workflowtasksets - - workflowtasksets/finalizers - verbs: - - list - - watch - - get - - update - - patch \ No newline at end of file From 7acf197c4fb753bdcad438d3291d3df38629b908 Mon Sep 17 00:00:00 2001 
From: Alex Collins Date: Thu, 24 Feb 2022 16:28:14 -0800 Subject: [PATCH 3/9] fix: x Signed-off-by: Alex Collins --- Makefile | 2 +- manifests/quick-start-minimal.yaml | 5 +++- manifests/quick-start-mysql.yaml | 5 +++- manifests/quick-start-postgres.yaml | 5 +++- .../executor-rbac/emissary/executor-role.yaml | 11 ------- .../executor-rbac/kubelet/executor-role.yaml | 11 ------- .../base/executor-rbac/pns/executor-role.yaml | 11 ------- .../base/executor/docker/executor-role.yaml | 16 ++++++++++ .../emissary}/executor-role.yaml | 3 ++ .../base/executor/k8sapi/executor-role.yaml | 30 +++++++++++++++++++ .../base/executor/kubelet/executor-role.yaml | 16 ++++++++++ .../kubelet/kubelet-executor-clusterrole.yaml | 0 ...t-executor-default-clusterrolebinding.yaml | 0 .../pns}/executor-role.yaml | 8 +++-- manifests/quick-start/base/kustomization.yaml | 2 +- .../workflow-manager-default-rolebinding.yaml | 2 +- 16 files changed, 86 insertions(+), 41 deletions(-) delete mode 100644 manifests/quick-start/base/executor-rbac/emissary/executor-role.yaml delete mode 100644 manifests/quick-start/base/executor-rbac/kubelet/executor-role.yaml delete mode 100644 manifests/quick-start/base/executor-rbac/pns/executor-role.yaml create mode 100644 manifests/quick-start/base/executor/docker/executor-role.yaml rename manifests/quick-start/base/{executor-rbac/docker => executor/emissary}/executor-role.yaml (57%) create mode 100644 manifests/quick-start/base/executor/k8sapi/executor-role.yaml create mode 100644 manifests/quick-start/base/executor/kubelet/executor-role.yaml rename manifests/quick-start/base/{executor-rbac => executor}/kubelet/kubelet-executor-clusterrole.yaml (100%) rename manifests/quick-start/base/{executor-rbac => executor}/kubelet/kubelet-executor-default-clusterrolebinding.yaml (100%) rename manifests/quick-start/base/{executor-rbac/k8sapi => executor/pns}/executor-role.yaml (58%) diff --git a/Makefile b/Makefile index 869e02a91594..77e173474b45 100644 --- a/Makefile 
+++ b/Makefile @@ -404,7 +404,7 @@ install: githooks ifneq ($(E2E_EXECUTOR),emissary) # only change the executor from the default it we need to kubectl patch cm/workflow-controller-configmap -p "{\"data\": {\"containerRuntimeExecutor\": \"$(E2E_EXECUTOR)\"}}" - kubectl apply -f manifests/quick-start/base/executor/$(E2E_EXECUTOR) -l app.kubernetes.io/part-of=argo + kubectl apply -f manifests/quick-start/base/executor/$(E2E_EXECUTOR) endif ifeq ($(PROFILE),stress) kubectl -n $(KUBE_NAMESPACE) apply -f test/stress/massive-workflow.yaml diff --git a/manifests/quick-start-minimal.yaml b/manifests/quick-start-minimal.yaml index 7123af1a5fcf..193ba0a02a2b 100644 --- a/manifests/quick-start-minimal.yaml +++ b/manifests/quick-start-minimal.yaml @@ -452,6 +452,9 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: + annotations: + workflows.argoproj.io/description: | + Recomended minimum permissions for the `emissary` executor. name: executor rules: - apiGroups: @@ -603,7 +606,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: executor + name: workflow-manager subjects: - kind: ServiceAccount name: default diff --git a/manifests/quick-start-mysql.yaml b/manifests/quick-start-mysql.yaml index 8f2770d3db48..499b31ea4507 100644 --- a/manifests/quick-start-mysql.yaml +++ b/manifests/quick-start-mysql.yaml @@ -452,6 +452,9 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: + annotations: + workflows.argoproj.io/description: | + Recomended minimum permissions for the `emissary` executor. name: executor rules: - apiGroups: @@ -603,7 +606,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: executor + name: workflow-manager subjects: - kind: ServiceAccount name: default diff --git a/manifests/quick-start-postgres.yaml b/manifests/quick-start-postgres.yaml index e990d1619373..c657e50205c1 100644 --- a/manifests/quick-start-postgres.yaml +++ b/manifests/quick-start-postgres.yaml 
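Review bot: `kubectl apply -f manifests/quick-start/base/executor/$(E2E_EXECUTOR)` applies the whole directory, which for `kubelet` includes the ClusterRoleBinding whose subject is hard-coded to `namespace: argo` (visible in the removed lines of the first commit's generated-manifest hunks), while the stress line two lines below passes `-n $(KUBE_NAMESPACE)`. The preceding `kubectl patch` line also omits `-n`, so the target presumably relies on the context namespace; if KUBE_NAMESPACE is ever not `argo`, the Role and RoleBinding would land in the context namespace while `nodes/proxy` is still granted to `argo:default`, leaving the E2E executor under-permissioned and an unrelated ServiceAccount over-permissioned. Consider `kubectl -n $(KUBE_NAMESPACE) apply -f manifests/quick-start/base/executor/$(E2E_EXECUTOR)` for consistency, and either parameterise the ClusterRoleBinding subject namespace or document that the E2E target assumes `argo`. The `install` target continues outside the hunk.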
@@ -452,6 +452,9 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: + annotations: + workflows.argoproj.io/description: | + Recomended minimum permissions for the `emissary` executor. name: executor rules: - apiGroups: @@ -603,7 +606,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: executor + name: workflow-manager subjects: - kind: ServiceAccount name: default diff --git a/manifests/quick-start/base/executor-rbac/emissary/executor-role.yaml b/manifests/quick-start/base/executor-rbac/emissary/executor-role.yaml deleted file mode 100644 index 2c2cf84d6f89..000000000000 --- a/manifests/quick-start/base/executor-rbac/emissary/executor-role.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: executor -rules: - - apiGroups: - - "" - resources: - - pods - verbs: - - patch diff --git a/manifests/quick-start/base/executor-rbac/kubelet/executor-role.yaml b/manifests/quick-start/base/executor-rbac/kubelet/executor-role.yaml deleted file mode 100644 index 2c2cf84d6f89..000000000000 --- a/manifests/quick-start/base/executor-rbac/kubelet/executor-role.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: executor -rules: - - apiGroups: - - "" - resources: - - pods - verbs: - - patch diff --git a/manifests/quick-start/base/executor-rbac/pns/executor-role.yaml b/manifests/quick-start/base/executor-rbac/pns/executor-role.yaml deleted file mode 100644 index 2c2cf84d6f89..000000000000 --- a/manifests/quick-start/base/executor-rbac/pns/executor-role.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: executor -rules: - - apiGroups: - - "" - resources: - - pods - verbs: - - patch diff --git a/manifests/quick-start/base/executor/docker/executor-role.yaml b/manifests/quick-start/base/executor/docker/executor-role.yaml new file mode 100644 index 000000000000..69a6fe745325 
--- /dev/null +++ b/manifests/quick-start/base/executor/docker/executor-role.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: executor + annotations: + workflows.argoproj.io/description: | + Recomended minimum permissions for the `docker` executor. + + This executor is superceded be the `emmisary` executor, so we do not recommend you use it anymore. +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - patch diff --git a/manifests/quick-start/base/executor-rbac/docker/executor-role.yaml b/manifests/quick-start/base/executor/emissary/executor-role.yaml similarity index 57% rename from manifests/quick-start/base/executor-rbac/docker/executor-role.yaml rename to manifests/quick-start/base/executor/emissary/executor-role.yaml index 2c2cf84d6f89..8f93206cf310 100644 --- a/manifests/quick-start/base/executor-rbac/docker/executor-role.yaml +++ b/manifests/quick-start/base/executor/emissary/executor-role.yaml @@ -2,6 +2,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: executor + annotations: + workflows.argoproj.io/description: | + Recomended minimum permissions for the `emissary` executor. rules: - apiGroups: - "" diff --git a/manifests/quick-start/base/executor/k8sapi/executor-role.yaml b/manifests/quick-start/base/executor/k8sapi/executor-role.yaml new file mode 100644 index 000000000000..14134c471fb6 --- /dev/null +++ b/manifests/quick-start/base/executor/k8sapi/executor-role.yaml 
@@ -0,0 +1,30 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: executor + annotations: + workflows.argoproj.io/description: | + Recomended minimum permissions for `k8siapi` executor. + + This executor is superceded be the `emmisary` executor, so we do not recommend you use it anymore. +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - patch + - watch + - apiGroups: + - "" + resources: + - pods/exec + verbs: + - create + - apiGroups: + - "" + resources: + - pods/log + verbs: + - get diff --git a/manifests/quick-start/base/executor/kubelet/executor-role.yaml b/manifests/quick-start/base/executor/kubelet/executor-role.yaml new file mode 100644 index 000000000000..1e77880d5941 --- /dev/null +++ b/manifests/quick-start/base/executor/kubelet/executor-role.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: executor + annotations: + workflows.argoproj.io/description: | + Recomended minimum permissions for `kubelet` executor. + + This executor is superceded be the `emmisary` executor, so we do not recommend you use it anymore. +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - patch \ No newline at end of file diff --git a/manifests/quick-start/base/executor-rbac/kubelet/kubelet-executor-clusterrole.yaml b/manifests/quick-start/base/executor/kubelet/kubelet-executor-clusterrole.yaml similarity index 100% rename from manifests/quick-start/base/executor-rbac/kubelet/kubelet-executor-clusterrole.yaml rename to manifests/quick-start/base/executor/kubelet/kubelet-executor-clusterrole.yaml 
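Review bot: The description annotation should state why this Role is broader than the others: the `pods/exec` rule with `create` and no `resourceNames` lets the bound service account exec into every pod in the namespace, not only the workflow's own pods, which is the main reason to prefer the emissary executor over it. Suggest extending the annotation with a line such as `Note: pods/exec create allows exec into any pod in this namespace; this is why the emissary executor is preferred.`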
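Review bot: The annotation calls this Role the recommended minimum for the `kubelet` executor, but the Role alone is presumably not sufficient: this patch renames `kubelet-executor-clusterrole.yaml` and `kubelet-executor-default-clusterrolebinding.yaml` into the same directory, and the Makefile applies the whole directory. Suggest adding to the annotation: `Also requires the kubelet-executor ClusterRole in this directory (cluster-scoped nodes/proxy access).` The file is also missing its trailing newline.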
diff --git a/manifests/quick-start/base/executor-rbac/kubelet/kubelet-executor-default-clusterrolebinding.yaml b/manifests/quick-start/base/executor/kubelet/kubelet-executor-default-clusterrolebinding.yaml similarity index 100% rename from manifests/quick-start/base/executor-rbac/kubelet/kubelet-executor-default-clusterrolebinding.yaml rename to manifests/quick-start/base/executor/kubelet/kubelet-executor-default-clusterrolebinding.yaml diff --git a/manifests/quick-start/base/executor-rbac/k8sapi/executor-role.yaml b/manifests/quick-start/base/executor/pns/executor-role.yaml similarity index 58% rename from manifests/quick-start/base/executor-rbac/k8sapi/executor-role.yaml rename to manifests/quick-start/base/executor/pns/executor-role.yaml index d03081b3ac1f..392999f5855a 100644 --- a/manifests/quick-start/base/executor-rbac/k8sapi/executor-role.yaml +++ b/manifests/quick-start/base/executor/pns/executor-role.yaml @@ -2,6 +2,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: executor + annotations: + workflows.argoproj.io/description: | + Recomended minimum permissions for `pns` executor. rules: - apiGroups: - "" @@ -9,9 +12,10 @@ rules: - pods verbs: - patch + - watch - apiGroups: - "" resources: - - pods/exec + - pods/log verbs: - - create + - get \ No newline at end of file diff --git a/manifests/quick-start/base/kustomization.yaml b/manifests/quick-start/base/kustomization.yaml index d8df086ad136..df92c453f13a 100644 --- a/manifests/quick-start/base/kustomization.yaml +++ b/manifests/quick-start/base/kustomization.yaml @@ -6,7 +6,7 @@ resources: - minio - webhooks - argo-server-sso-secret.yaml - - executor-rbac/emissary/executor-role.yaml + - executor/emissary/executor-role.yaml - executor-default-rolebinding.yaml - workflow-manager-role.yaml - workflow-manager-default-rolebinding.yaml 
diff --git a/manifests/quick-start/base/workflow-manager-default-rolebinding.yaml b/manifests/quick-start/base/workflow-manager-default-rolebinding.yaml index c2907623985e..b2f8783f6827 100644 --- a/manifests/quick-start/base/workflow-manager-default-rolebinding.yaml +++ b/manifests/quick-start/base/workflow-manager-default-rolebinding.yaml @@ -5,7 +5,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: executor + name: workflow-manager subjects: - kind: ServiceAccount name: default From 73b4ed8c7c775522f90f59806a6de8eccd6b48a5 Mon Sep 17 00:00:00 2001 From: Alex Collins Date: Thu, 24 Feb 2022 17:47:52 -0800 Subject: [PATCH 4/9] fix: x Signed-off-by: Alex Collins --- manifests/quick-start-minimal.yaml | 1 + manifests/quick-start-mysql.yaml | 1 + manifests/quick-start-postgres.yaml | 1 + manifests/quick-start/base/workflow-manager-role.yaml | 3 ++- 4 files changed, 5 insertions(+), 1 deletion(-) diff --git a/manifests/quick-start-minimal.yaml b/manifests/quick-start-minimal.yaml index 193ba0a02a2b..fb4d6f47892f 100644 --- a/manifests/quick-start-minimal.yaml +++ b/manifests/quick-start-minimal.yaml @@ -504,6 +504,7 @@ rules: verbs: - create - get + - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/manifests/quick-start-mysql.yaml b/manifests/quick-start-mysql.yaml index 499b31ea4507..6ee8bfdfc8d8 100644 --- a/manifests/quick-start-mysql.yaml +++ b/manifests/quick-start-mysql.yaml @@ -504,6 +504,7 @@ rules: verbs: - create - get + - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/manifests/quick-start-postgres.yaml b/manifests/quick-start-postgres.yaml index c657e50205c1..08c58ac0492b 100644 --- a/manifests/quick-start-postgres.yaml +++ b/manifests/quick-start-postgres.yaml @@ -504,6 +504,7 @@ rules: verbs: - create - get + - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
diff --git a/manifests/quick-start/base/workflow-manager-role.yaml b/manifests/quick-start/base/workflow-manager-role.yaml index d4e6606f52c3..d49b750d7a35 100644 --- a/manifests/quick-start/base/workflow-manager-role.yaml +++ b/manifests/quick-start/base/workflow-manager-role.yaml @@ -13,4 +13,5 @@ rules: - workflows verbs: - create - - get \ No newline at end of file + - get + - patch \ No newline at end of file From 9190eb9bec16465a1f549458273e6276d01edda0 Mon Sep 17 00:00:00 2001 From: Alex Collins Date: Fri, 25 Feb 2022 07:44:39 -0800 Subject: [PATCH 5/9] fix: x Signed-off-by: Alex Collins --- manifests/quick-start-minimal.yaml | 30 ++++++++++++++++++- manifests/quick-start-mysql.yaml | 30 ++++++++++++++++++- manifests/quick-start-postgres.yaml | 30 ++++++++++++++++++- manifests/quick-start/base/kustomization.yaml | 2 ++ .../base/pod-manager-default-rolebinding.yaml | 11 +++++++ .../quick-start/base/pod-manager-role.yaml | 16 ++++++++++ .../base/workflow-manager-role.yaml | 3 +- 7 files changed, 117 insertions(+), 5 deletions(-) create mode 100644 manifests/quick-start/base/pod-manager-default-rolebinding.yaml create mode 100644 manifests/quick-start/base/pod-manager-role.yaml diff --git a/manifests/quick-start-minimal.yaml b/manifests/quick-start-minimal.yaml index fb4d6f47892f..830fdef7ed79 100644 --- a/manifests/quick-start-minimal.yaml +++ b/manifests/quick-start-minimal.yaml @@ -466,6 +466,23 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + This is an example of the permissions you would need if you wanted to use a resource template to create and manage + other pods. The same pattern would be suitable for other resurces, e.g. a service + name: pod-manager +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - create + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: name: submit-workflow-template rules: 
@@ -504,7 +521,6 @@ rules: verbs: - create - get - - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -602,6 +618,18 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding +metadata: + name: pod-manager-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: pod-manager +subjects: +- kind: ServiceAccount + name: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: name: workflow-manager-default roleRef: diff --git a/manifests/quick-start-mysql.yaml b/manifests/quick-start-mysql.yaml index 6ee8bfdfc8d8..1d7be5b3e799 100644 --- a/manifests/quick-start-mysql.yaml +++ b/manifests/quick-start-mysql.yaml @@ -466,6 +466,23 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + This is an example of the permissions you would need if you wanted to use a resource template to create and manage + other pods. The same pattern would be suitable for other resurces, e.g. a service + name: pod-manager +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - create + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: name: submit-workflow-template rules: @@ -504,7 +521,6 @@ rules: verbs: - create - get - - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -602,6 +618,18 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding +metadata: + name: pod-manager-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: pod-manager +subjects: +- kind: ServiceAccount + name: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: name: workflow-manager-default roleRef: diff --git a/manifests/quick-start-postgres.yaml b/manifests/quick-start-postgres.yaml index 08c58ac0492b..7c0c9d477250 100644 --- a/manifests/quick-start-postgres.yaml +++ b/manifests/quick-start-postgres.yaml 
@@ -466,6 +466,23 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + This is an example of the permissions you would need if you wanted to use a resource template to create and manage + other pods. The same pattern would be suitable for other resurces, e.g. a service + name: pod-manager +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - create + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: name: submit-workflow-template rules: @@ -504,7 +521,6 @@ rules: verbs: - create - get - - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -602,6 +618,18 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding +metadata: + name: pod-manager-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: pod-manager +subjects: +- kind: ServiceAccount + name: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: name: workflow-manager-default roleRef: diff --git a/manifests/quick-start/base/kustomization.yaml b/manifests/quick-start/base/kustomization.yaml index df92c453f13a..f8d0da97f921 100644 --- a/manifests/quick-start/base/kustomization.yaml +++ b/manifests/quick-start/base/kustomization.yaml @@ -8,6 +8,8 @@ resources: - argo-server-sso-secret.yaml - executor/emissary/executor-role.yaml - executor-default-rolebinding.yaml + - pod-manager-role.yaml + - pod-manager-default-rolebinding.yaml - workflow-manager-role.yaml - workflow-manager-default-rolebinding.yaml - agent-role.yaml diff --git a/manifests/quick-start/base/pod-manager-default-rolebinding.yaml b/manifests/quick-start/base/pod-manager-default-rolebinding.yaml new file mode 100644 index 000000000000..42587b643a02 --- /dev/null +++ b/manifests/quick-start/base/pod-manager-default-rolebinding.yaml 
@@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: pod-manager-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: pod-manager +subjects: + - kind: ServiceAccount + name: default diff --git a/manifests/quick-start/base/pod-manager-role.yaml b/manifests/quick-start/base/pod-manager-role.yaml new file mode 100644 index 000000000000..e9196fffad25 --- /dev/null +++ b/manifests/quick-start/base/pod-manager-role.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: pod-manager + annotations: + workflows.argoproj.io/description: | + This is an example of the permissions you would need if you wanted to use a resource template to create and manage + other pods. The same pattern would be suitable for other resurces, e.g. a service +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - create + - get \ No newline at end of file diff --git a/manifests/quick-start/base/workflow-manager-role.yaml b/manifests/quick-start/base/workflow-manager-role.yaml index d49b750d7a35..d4e6606f52c3 100644 --- a/manifests/quick-start/base/workflow-manager-role.yaml +++ b/manifests/quick-start/base/workflow-manager-role.yaml @@ -13,5 +13,4 @@ rules: - workflows verbs: - create - - get - - patch \ No newline at end of file + - get \ No newline at end of file From 44849f7cb65f17c28383321881eb4bf40b70f873 Mon Sep 17 00:00:00 2001 From: Alex Collins Date: Fri, 25 Feb 2022 08:14:06 -0800 Subject: [PATCH 6/9] fix: x Signed-off-by: Alex Collins --- hack/test-examples.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hack/test-examples.sh b/hack/test-examples.sh index 9cc95faecbe1..62cb4acad5b5 100755 --- a/hack/test-examples.sh +++ b/hack/test-examples.sh 
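Review bot: This binds the `pod-manager` Role to the `default` service account, so anything running as `default` in the quick-start namespace can now create pods, while the Role's own annotation presents it as an example rather than a required grant. Because the quick-start manifests are what users copy, consider carrying a matching `workflows.argoproj.io/description` annotation on the RoleBinding, e.g. `Example only: binds pod-manager to the default service account; use a dedicated service account for real workflows.`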
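Review bot: The annotation promises permissions to "create and manage other pods", but the rules grant only `create` and `get`, so presumably anything beyond creating and reading the pod would be denied; either narrow the wording to what is granted (`create and read other pods`) or name the extra verbs a reader would need to add for other actions. The annotation also misspells "resurces" (resources), here and in the copies in the generated quick-start files. The file lacks a trailing newline.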
@@ -3,6 +3,8 @@ set -eu -o pipefail # Load the configmaps that contains the parameter values used for certain examples. kubectl apply -f examples/configmaps/simple-parameters-configmap.yaml +# Needed for examples/selected-executor-workflow.yaml. +kubectl apply -f manifests/quick-start/base/executor/pns/executor-role.yaml echo "Checking for banned images..." grep -lR 'workflows.argoproj.io/test' examples/* | while read f ; do From 68a401fca012d97044e124219c73d85398c761c3 Mon Sep 17 00:00:00 2001 From: Alex Collins Date: Fri, 25 Feb 2022 08:40:14 -0800 Subject: [PATCH 7/9] fix: x Signed-off-by: Alex Collins --- docs/workflow-rbac.md | 5 +++-- .../quick-start/base/executor/docker/executor-role.yaml | 4 ++-- .../quick-start/base/executor/k8sapi/executor-role.yaml | 4 ++-- .../quick-start/base/executor/kubelet/executor-role.yaml | 4 ++-- 4 files changed, 9 insertions(+), 8 deletions(-) diff --git a/docs/workflow-rbac.md b/docs/workflow-rbac.md index 80237c758b41..d394126df0fc 100644 --- a/docs/workflow-rbac.md +++ b/docs/workflow-rbac.md @@ -1,3 +1,4 @@ + # Workflow RBAC All pods in a workflow run with the service account specified in `workflow.spec.serviceAccountName`, or if omitted, @@ -5,8 +6,8 @@ the `default` service account of the workflow's namespace. The amount of access what the workflow needs to do. For example, if your workflow needs to deploy a resource, then the workflow's service account will require 'create' privileges on that resource. -Tip: We do not recommend using the `default` service account in production. It is a shared account an may have -permissions added to it you do not want. Instead, create a service account only your workflow. +**Warning**: We do not recommend using the `default` service account in production. It is a shared account so may have +permissions added to it you do not want. Instead, create a service account only for your workflow. The minimum for the executor to function: 
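Review bot: The added `kubectl apply` of `executor/pns/executor-role.yaml` replaces, rather than adds to, the quick-start `executor` Role, because the pns file and the emissary file installed by the base kustomization both use `metadata.name: executor` (see the executor hunks in patch 3). The resulting Role is the pns rule set (pods patch/watch, pods/log get), a superset of the emissary grant (pods patch), so the examples still run, but the comment should say this so nobody later tightens the base role and wonders why it changed, e.g. `# Needed for examples/selected-executor-workflow.yaml; overwrites the emissary "executor" Role with the (superset) pns rules.` The apply also relies on the kubeconfig's current namespace, like the line above it.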
diff --git a/manifests/quick-start/base/executor/docker/executor-role.yaml b/manifests/quick-start/base/executor/docker/executor-role.yaml index 69a6fe745325..77706a6cce0e 100644 --- a/manifests/quick-start/base/executor/docker/executor-role.yaml +++ b/manifests/quick-start/base/executor/docker/executor-role.yaml @@ -4,9 +4,9 @@ metadata: name: executor annotations: workflows.argoproj.io/description: | - Recomended minimum permissions for the `docker` executor. + Recommended minimum permissions for the `docker` executor. - This executor is superceded be the `emmisary` executor, so we do not recommend you use it anymore. + This executor is superseded by the `emmisary` executor, so we do not recommend you use it anymore. rules: - apiGroups: - "" diff --git a/manifests/quick-start/base/executor/k8sapi/executor-role.yaml b/manifests/quick-start/base/executor/k8sapi/executor-role.yaml index 14134c471fb6..88c113b2194a 100644 --- a/manifests/quick-start/base/executor/k8sapi/executor-role.yaml +++ b/manifests/quick-start/base/executor/k8sapi/executor-role.yaml @@ -4,9 +4,9 @@ metadata: name: executor annotations: workflows.argoproj.io/description: | - Recomended minimum permissions for `k8siapi` executor. + Recommended minimum permissions for `k8siapi` executor. - This executor is superceded be the `emmisary` executor, so we do not recommend you use it anymore. + This executor is superseded by the `emmisary` executor, so we do not recommend you use it anymore. rules: - apiGroups: - "" diff --git a/manifests/quick-start/base/executor/kubelet/executor-role.yaml b/manifests/quick-start/base/executor/kubelet/executor-role.yaml index 1e77880d5941..d3d2e11d3a8f 100644 --- a/manifests/quick-start/base/executor/kubelet/executor-role.yaml +++ b/manifests/quick-start/base/executor/kubelet/executor-role.yaml 
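Review bot: The corrected sentence still misspells the executor name as `emmisary`; it should be `emissary`, matching the `executor/emissary` directory used elsewhere in the series. The same misspelling survives in the k8sapi hunk below and in the kubelet hunk that follows, and the k8sapi annotation additionally reads `k8siapi` instead of `k8sapi`. Suggested line: `This executor is superseded by the emissary executor, so we do not recommend you use it anymore.` (keeping the backticks around the executor name as in the original).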
@@ -4,9 +4,9 @@ metadata: name: executor annotations: workflows.argoproj.io/description: | - Recomended minimum permissions for `kubelet` executor. + Recommended minimum permissions for `kubelet` executor. - This executor is superceded be the `emmisary` executor, so we do not recommend you use it anymore. + This executor is superseded by the `emmisary` executor, so we do not recommend you use it anymore. rules: - apiGroups: - "" From fd24edec6f9e4fd2b822356d44a268aa876ae728 Mon Sep 17 00:00:00 2001 From: Alex Collins Date: Fri, 25 Feb 2022 09:32:05 -0800 Subject: [PATCH 8/9] fix: x Signed-off-by: Alex Collins --- docs/security.md | 7 +- manifests/quick-start-minimal.yaml | 159 +++++++++++++++------------- manifests/quick-start-mysql.yaml | 159 +++++++++++++++------------- manifests/quick-start-postgres.yaml | 159 +++++++++++++++------------- 4 files changed, 265 insertions(+), 219 deletions(-) diff --git a/docs/security.md b/docs/security.md index e93edad45dee..9a9571ace27b 100644 --- a/docs/security.md +++ b/docs/security.md @@ -38,12 +38,7 @@ Workflow pods run using either: There is no restriction on which service account in a namespace may be used. -This service account typically needs the following permissions: - -* Get/watch/patch pods. -* Get/watch pod logs. - -See [workflow-role.yaml](https://raw.githubusercontent.com/argoproj/argo-workflows/master/manifests/quick-start/base/workflow-role.yaml). +This service account typically needs [permissions](workflow-rbac.md). Different service accounts should be used if a workflow pod needs to have elevated permissions, e.g. to create other resources. diff --git a/manifests/quick-start-minimal.yaml b/manifests/quick-start-minimal.yaml index 807155af6736..ed8e0d25ee5c 100644 --- a/manifests/quick-start-minimal.yaml +++ b/manifests/quick-start-minimal.yaml 
@@ -259,6 +259,23 @@ metadata: --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates. + name: agent +rules: +- apiGroups: + - argoproj.io + resources: + - workflowtasksets + verbs: + - list + - watch + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: name: argo-role rules: 
@@ -437,86 +454,75 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: submit-workflow-template + annotations: + workflows.argoproj.io/description: | + Recomended minimum permissions for the `emissary` executor. + name: executor rules: - apiGroups: - - argoproj.io - resources: - - workfloweventbindings - verbs: - - list -- apiGroups: - - argoproj.io - resources: - - workflowtemplates - verbs: - - get -- apiGroups: - - argoproj.io + - "" resources: - - workflows + - pods verbs: - - create + - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: workflow-role + annotations: + workflows.argoproj.io/description: | + This is an example of the permissions you would need if you wanted to use a resource template to create and manage + other pods. The same pattern would be suitable for other resurces, e.g. a service + name: pod-manager rules: - apiGroups: - "" resources: - pods verbs: - - patch -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - watch -- apiGroups: - - "" - resources: - - pods/log - verbs: + - create - get - - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: submit-workflow-template +rules: - apiGroups: - - "" + - argoproj.io resources: - - pods/exec + - workfloweventbindings verbs: - - create + - list - apiGroups: - - "" + - argoproj.io resources: - - configmaps + - workflowtemplates verbs: - - create - get - - update - apiGroups: - argoproj.io resources: - workflows verbs: - create - - get -- apiGroups: - - argoproj.io - resources: - - workflowtasksets - verbs: - - list - - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + This is an example of the permissions you would need if you wanted to use a resource template to create and manage + other workflows. The same pattern would be suitable for other resurces, e.g. 
a service + name: workflow-manager +rules: - apiGroups: - argoproj.io resources: - - workflowtasksets/status + - workflows verbs: - - patch + - create + - get --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -552,16 +558,16 @@ rules: - watch --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: RoleBinding metadata: - name: kubelet-executor -rules: -- apiGroups: - - "" - resources: - - nodes/proxy - verbs: - - get + name: agent-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: agent +subjects: +- kind: ServiceAccount + name: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -589,6 +595,18 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding +metadata: + name: executor-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: executor +subjects: +- kind: ServiceAccount + name: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: name: github.com roleRef: 
@@ -603,52 +621,51 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: workflow-default-binding + name: pod-manager-default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: workflow-role + name: pod-manager subjects: - kind: ServiceAccount name: default --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: - name: argo-clusterworkflowtemplate-role-binding + name: workflow-manager-default roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argo-clusterworkflowtemplate-role + kind: Role + name: workflow-manager subjects: - kind: ServiceAccount - name: argo - namespace: argo + name: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: argo-server-clusterworkflowtemplate-role-binding + name: argo-clusterworkflowtemplate-role-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: argo-server-clusterworkflowtemplate-role + name: argo-clusterworkflowtemplate-role subjects: - kind: ServiceAccount - name: argo-server + name: argo namespace: argo --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: kubelet-executor-default + name: argo-server-clusterworkflowtemplate-role-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: kubelet-executor + name: argo-server-clusterworkflowtemplate-role subjects: - kind: ServiceAccount - name: default + name: argo-server namespace: argo --- apiVersion: v1 diff --git a/manifests/quick-start-mysql.yaml b/manifests/quick-start-mysql.yaml index 599865b1276f..16c425d539dd 100644 --- a/manifests/quick-start-mysql.yaml +++ b/manifests/quick-start-mysql.yaml 
@@ -259,6 +259,23 @@ metadata: --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates. + name: agent +rules: +- apiGroups: + - argoproj.io + resources: + - workflowtasksets + verbs: + - list + - watch + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: name: argo-role rules: 
@@ -437,86 +454,75 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: submit-workflow-template + annotations: + workflows.argoproj.io/description: | + Recomended minimum permissions for the `emissary` executor. + name: executor rules: - apiGroups: - - argoproj.io - resources: - - workfloweventbindings - verbs: - - list -- apiGroups: - - argoproj.io - resources: - - workflowtemplates - verbs: - - get -- apiGroups: - - argoproj.io + - "" resources: - - workflows + - pods verbs: - - create + - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: workflow-role + annotations: + workflows.argoproj.io/description: | + This is an example of the permissions you would need if you wanted to use a resource template to create and manage + other pods. The same pattern would be suitable for other resurces, e.g. a service + name: pod-manager rules: - apiGroups: - "" resources: - pods verbs: - - patch -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - watch -- apiGroups: - - "" - resources: - - pods/log - verbs: + - create - get - - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: submit-workflow-template +rules: - apiGroups: - - "" + - argoproj.io resources: - - pods/exec + - workfloweventbindings verbs: - - create + - list - apiGroups: - - "" + - argoproj.io resources: - - configmaps + - workflowtemplates verbs: - - create - get - - update - apiGroups: - argoproj.io resources: - workflows verbs: - create - - get -- apiGroups: - - argoproj.io - resources: - - workflowtasksets - verbs: - - list - - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + This is an example of the permissions you would need if you wanted to use a resource template to create and manage + other workflows. The same pattern would be suitable for other resurces, e.g. 
a service + name: workflow-manager +rules: - apiGroups: - argoproj.io resources: - - workflowtasksets/status + - workflows verbs: - - patch + - create + - get --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -552,16 +558,16 @@ rules: - watch --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: RoleBinding metadata: - name: kubelet-executor -rules: -- apiGroups: - - "" - resources: - - nodes/proxy - verbs: - - get + name: agent-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: agent +subjects: +- kind: ServiceAccount + name: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -589,6 +595,18 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding +metadata: + name: executor-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: executor +subjects: +- kind: ServiceAccount + name: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: name: github.com roleRef: 
@@ -603,52 +621,51 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: workflow-default-binding + name: pod-manager-default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: workflow-role + name: pod-manager subjects: - kind: ServiceAccount name: default --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: - name: argo-clusterworkflowtemplate-role-binding + name: workflow-manager-default roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argo-clusterworkflowtemplate-role + kind: Role + name: workflow-manager subjects: - kind: ServiceAccount - name: argo - namespace: argo + name: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: argo-server-clusterworkflowtemplate-role-binding + name: argo-clusterworkflowtemplate-role-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: argo-server-clusterworkflowtemplate-role + name: argo-clusterworkflowtemplate-role subjects: - kind: ServiceAccount - name: argo-server + name: argo namespace: argo --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: kubelet-executor-default + name: argo-server-clusterworkflowtemplate-role-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: kubelet-executor + name: argo-server-clusterworkflowtemplate-role subjects: - kind: ServiceAccount - name: default + name: argo-server namespace: argo --- apiVersion: v1 diff --git a/manifests/quick-start-postgres.yaml b/manifests/quick-start-postgres.yaml index d8c5f6e67a56..5406a162d65c 100644 --- a/manifests/quick-start-postgres.yaml +++ b/manifests/quick-start-postgres.yaml 
@@ -259,6 +259,23 @@ metadata:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
+metadata:
+ annotations:
+ workflows.argoproj.io/description: |
+ This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates.
+ name: agent
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflowtasksets
+ verbs:
+ - list
+ - watch
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
 name: argo-role
 rules:
@@ -437,86 +454,75 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: submit-workflow-template + annotations: + workflows.argoproj.io/description: | + Recomended minimum permissions for the `emissary` executor. + name: executor rules: - apiGroups: - - argoproj.io - resources: - - workfloweventbindings - verbs: - - list -- apiGroups: - - argoproj.io - resources: - - workflowtemplates - verbs: - - get -- apiGroups: - - argoproj.io + - "" resources: - - workflows + - pods verbs: - - create + - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: workflow-role + annotations: + workflows.argoproj.io/description: | + This is an example of the permissions you would need if you wanted to use a resource template to create and manage + other pods. The same pattern would be suitable for other resurces, e.g. a service + name: pod-manager rules: - apiGroups: - "" resources: - pods verbs: - - patch -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - watch -- apiGroups: - - "" - resources: - - pods/log - verbs: + - create - get - - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: submit-workflow-template +rules: - apiGroups: - - "" + - argoproj.io resources: - - pods/exec + - workfloweventbindings verbs: - - create + - list - apiGroups: - - "" + - argoproj.io resources: - - configmaps + - workflowtemplates verbs: - - create - get - - update - apiGroups: - argoproj.io resources: - workflows verbs: - create - - get -- apiGroups: - - argoproj.io - resources: - - workflowtasksets - verbs: - - list - - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + This is an example of the permissions you would need if you wanted to use a resource template to create and manage + other workflows. The same pattern would be suitable for other resurces, e.g. 
a service + name: workflow-manager +rules: - apiGroups: - argoproj.io resources: - - workflowtasksets/status + - workflows verbs: - - patch + - create + - get --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -552,16 +558,16 @@ rules: - watch --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: RoleBinding metadata: - name: kubelet-executor -rules: -- apiGroups: - - "" - resources: - - nodes/proxy - verbs: - - get + name: agent-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: agent +subjects: +- kind: ServiceAccount + name: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -589,6 +595,18 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding +metadata: + name: executor-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: executor +subjects: +- kind: ServiceAccount + name: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: name: github.com roleRef: 
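Review bot: The `workflows.argoproj.io/description` annotations added to the `executor`, `pod-manager` and `workflow-manager` Roles carry spelling errors that end up in `kubectl describe` output: `Recomended` should read `Recommended` and `resurces` (twice) should read `resources`. The `executor` description also only states that the permissions are the recommended minimum for emissary; stating which operation needs `patch` on pods, in a sentence of the form `patch on pods is required for <operation>` with the actual reason filled in, would let an operator judge whether the rule can be tightened further. This hunk spans two physical lines, and if the quick-start manifests are generated from the base role files the wording fix belongs there rather than here.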
@@ -603,52 +621,51 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: workflow-default-binding + name: pod-manager-default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: workflow-role + name: pod-manager subjects: - kind: ServiceAccount name: default --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: - name: argo-clusterworkflowtemplate-role-binding + name: workflow-manager-default roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argo-clusterworkflowtemplate-role + kind: Role + name: workflow-manager subjects: - kind: ServiceAccount - name: argo - namespace: argo + name: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: argo-server-clusterworkflowtemplate-role-binding + name: argo-clusterworkflowtemplate-role-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: argo-server-clusterworkflowtemplate-role + name: argo-clusterworkflowtemplate-role subjects: - kind: ServiceAccount - name: argo-server + name: argo namespace: argo --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: kubelet-executor-default + name: argo-server-clusterworkflowtemplate-role-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: kubelet-executor + name: argo-server-clusterworkflowtemplate-role subjects: - kind: ServiceAccount - name: default + name: argo-server namespace: argo --- apiVersion: v1 From 1399aa904bbb64973d3615872658d279be3b03a6 Mon Sep 17 00:00:00 2001 From: Alex Collins Date: Fri, 25 Feb 2022 12:34:04 -0800 Subject: [PATCH 9/9] fix: x 
Signed-off-by: Alex Collins --- manifests/quick-start-minimal.yaml | 7 +++++++ manifests/quick-start-mysql.yaml | 7 +++++++ manifests/quick-start-postgres.yaml | 7 +++++++ manifests/quick-start/base/agent-role.yaml | 7 +++++++ workflow/executor/agent.go | 2 +- 5 files changed, 29 insertions(+), 1 deletion(-) diff --git a/manifests/quick-start-minimal.yaml b/manifests/quick-start-minimal.yaml index ed8e0d25ee5c..baa5ce4e723c 100644 --- a/manifests/quick-start-minimal.yaml +++ b/manifests/quick-start-minimal.yaml @@ -263,6 +263,8 @@ metadata: annotations: workflows.argoproj.io/description: | This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates. + + If <= v3.2 you must replace `workflowtasksets/status` with `patch workflowtasksets`. name: agent rules: - apiGroups: @@ -272,6 +274,11 @@ rules: verbs: - list - watch +- apiGroups: + - argoproj.io + resources: + - workflowtasksets/status + verbs: - patch --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/quick-start-mysql.yaml b/manifests/quick-start-mysql.yaml index 16c425d539dd..b94b85b0f868 100644 --- a/manifests/quick-start-mysql.yaml +++ b/manifests/quick-start-mysql.yaml @@ -263,6 +263,8 @@ metadata: annotations: workflows.argoproj.io/description: | This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates. + + If <= v3.2 you must replace `workflowtasksets/status` with `patch workflowtasksets`. name: agent rules: - apiGroups: @@ -272,6 +274,11 @@ rules: verbs: - list - watch +- apiGroups: + - argoproj.io + resources: + - workflowtasksets/status + verbs: - patch --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/quick-start-postgres.yaml b/manifests/quick-start-postgres.yaml index 5406a162d65c..288ad57727d0 100644 --- a/manifests/quick-start-postgres.yaml +++ b/manifests/quick-start-postgres.yaml 
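Review bot: The sentence added to the `agent` description, `If <= v3.2 you must replace workflowtasksets/status with patch workflowtasksets`, is hard to parse: it attaches the verb to the replacement rather than to the rule and does not say what `<= v3.2` refers to. Suggest `On Argo Workflows v3.2 or earlier, replace the workflowtasksets/status rule with verb patch on workflowtasksets (the broader permission the agent falls back to).` The same text is added in the mysql and postgres manifests and in agent-role.yaml in the following hunks, so the wording should change in all four, or only in agent-role.yaml if the quick-start files are generated from it.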
@@ -263,6 +263,8 @@ metadata: annotations: workflows.argoproj.io/description: | This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates. + + If <= v3.2 you must replace `workflowtasksets/status` with `patch workflowtasksets`. name: agent rules: - apiGroups: @@ -272,6 +274,11 @@ rules: verbs: - list - watch +- apiGroups: + - argoproj.io + resources: + - workflowtasksets/status + verbs: - patch --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/quick-start/base/agent-role.yaml b/manifests/quick-start/base/agent-role.yaml index 491694f20279..6f7f52ed121b 100644 --- a/manifests/quick-start/base/agent-role.yaml +++ b/manifests/quick-start/base/agent-role.yaml @@ -6,6 +6,8 @@ metadata: annotations: workflows.argoproj.io/description: | This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates. + + If <= v3.2 you must replace `workflowtasksets/status` with `patch workflowtasksets`. rules: - apiGroups: - argoproj.io @@ -14,4 +16,9 @@ rules: verbs: - list - watch + - apiGroups: + - argoproj.io + resources: + - workflowtasksets/status + verbs: - patch diff --git a/workflow/executor/agent.go b/workflow/executor/agent.go index 0443738c0764..0ab463954b43 100644 --- a/workflow/executor/agent.go +++ b/workflow/executor/agent.go 
@@ -187,7 +187,7 @@ func (ae *AgentExecutor) patchWorker(ctx context.Context, taskSetInterface v1alp
 }, errors.IsTransientErr, func() error {
 _, err := taskSetInterface.Patch(ctx, ae.WorkflowName, types.MergePatchType, patch, metav1.PatchOptions{}, "status")
 if apierr.IsForbidden(err) {
- ae.log.Warn("forbidden to patch workflowtaskset/status, falling back to less secure patching workflowtaskset, please updated your agent's RBAC")
+ ae.log.WithError(err).Warn("falling back to less secure patching workflowtaskset, please updated your agent's RBAC")
 _, err = taskSetInterface.Patch(ctx, ae.WorkflowName, types.MergePatchType, patch, metav1.PatchOptions{})
 }
 return err
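Review bot: The reworded warning loses the one fact an operator reading the log needs — that the narrower patch of `workflowtaskset/status` was forbidden and the agent is now patching the whole resource — and keeps the typo `updated`; `WithError(err)` carries the API error, so the message itself should name the downgrade: `ae.log.WithError(err).Warn("forbidden to patch workflowtaskset/status, falling back to less secure patch of workflowtaskset; please update your agent's RBAC")`. Because this sits inside what looks like a retry closure, the warning will repeat on every attempt while the RBAC is too narrow, which is acceptable for a silent permission fallback but deserves a comment such as `// RBAC from v3.2 or earlier grants patch only on the parent resource; warn on every fallback so the misconfiguration stays visible.` The Forbidden response is also recorded by API-server auditing where it is enabled, which gives defenders a second place to spot agents still running on the broader permission. patchWorker starts and ends outside the hunk.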