docs: Split out executor/agent roles in quick-start RBAC.

Makefile

@@ -404,6 +404,7 @@ install: githooks
 ifneq ($(E2E_EXECUTOR),emissary)
 	# only change the executor from the default it we need to
 	kubectl patch cm/workflow-controller-configmap -p "{\"data\": {\"containerRuntimeExecutor\": \"$(E2E_EXECUTOR)\"}}"
+	kubectl apply -f manifests/quick-start/base/executor/$(E2E_EXECUTOR)
 endif
 ifeq ($(PROFILE),stress)
 	kubectl -n $(KUBE_NAMESPACE) apply -f test/stress/massive-workflow.yaml

docs/workflow-rbac.md

@@ -1,35 +1,30 @@
 # Workflow RBAC
 
-All pods in a workflow run with the service account specified in `workflow.spec.serviceAccountName`,
-or if omitted, the `default` service account of the workflow's namespace. The amount of access which
-a workflow needs is dependent on what the workflow needs to do. For example, if your workflow needs
-to deploy a resource, then the workflow's service account will require 'create' privileges on that
-resource.
+All pods in a workflow run with the service account specified in `workflow.spec.serviceAccountName`, or if omitted,
+the `default` service account of the workflow's namespace. The amount of access which a workflow needs is dependent on
+what the workflow needs to do. For example, if your workflow needs to deploy a resource, then the workflow's service
+account will require 'create' privileges on that resource.
 
-The bare minimum for a workflow to function is outlined below:
+Tip: We do not recommend using the `default` service account in production. It is a shared account an may have
+permissions added to it you do not want. Instead, create a service account only your workflow.
+
+The minimum for the executor to function:
 
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: workflow-role
+  name: executor
 rules:
-# pod get/watch is used to identify the container IDs of the current pod
-# pod patch is used to annotate the step's outputs back to controller (e.g. artifact location)
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - get
-  - watch
-  - patch
-# logs get/watch are used to get the pods logs for script outputs, and for log archival
-- apiGroups:
-  - ""
-  resources:
-  - pods/log
-  verbs:
-  - get
-  - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - patch
 ```
+
+If you are not using the emissary, you'll need additional permissions.
+See [executor](https://github.com/argoproj/argo-workflows/tree/master/manifests/quick-start/base/executor) for suitable
+permissions.

hack/test-examples.sh

@@ -3,6 +3,8 @@ set -eu -o pipefail
 
 # Load the configmaps that contains the parameter values used for certain examples.
 kubectl apply -f examples/configmaps/simple-parameters-configmap.yaml
+# Needed for examples/selected-executor-workflow.yaml.
+kubectl apply -f manifests/quick-start/base/executor/pns/executor-role.yaml
 
 echo "Checking for banned images..."
 grep -lR 'workflows.argoproj.io/test' examples/*  | while read f ; do

manifests/quick-start-minimal.yaml

@@ -257,6 +257,23 @@ metadata:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
+metadata:
+  annotations:
+    workflows.argoproj.io/description: |
+      This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates.
+  name: agent
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflowtasksets
+  verbs:
+  - list
+  - watch
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
   name: argo-role
 rules:
@@ -435,79 +452,75 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: submit-workflow-template
+  annotations:
+    workflows.argoproj.io/description: |
+      Recomended minimum permissions for the `emissary` executor.
+  name: executor
 rules:
 - apiGroups:
-  - argoproj.io
-  resources:
-  - workfloweventbindings
-  verbs:
-  - list
-- apiGroups:
-  - argoproj.io
-  resources:
-  - workflowtemplates
-  verbs:
-  - get
-- apiGroups:
-  - argoproj.io
+  - ""
   resources:
-  - workflows
+  - pods
   verbs:
-  - create
+  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: workflow-role
+  annotations:
+    workflows.argoproj.io/description: |
+      This is an example of the permissions you would need if you wanted to use a resource template to create and manage
+      other pods. The same pattern would be suitable for other resurces, e.g. a service
+  name: pod-manager
 rules:
 - apiGroups:
   - ""
   resources:
   - pods
   verbs:
+  - create
   - get
-  - watch
-  - patch
-- apiGroups:
-  - ""
-  resources:
-  - pods/log
-  verbs:
-  - get
-  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: submit-workflow-template
+rules:
 - apiGroups:
-  - ""
+  - argoproj.io
   resources:
-  - pods/exec
+  - workfloweventbindings
   verbs:
-  - create
+  - list
 - apiGroups:
-  - ""
+  - argoproj.io
   resources:
-  - configmaps
+  - workflowtemplates
   verbs:
-  - create
   - get
-  - update
 - apiGroups:
   - argoproj.io
   resources:
   - workflows
   verbs:
   - create
-  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    workflows.argoproj.io/description: |
+      This is an example of the permissions you would need if you wanted to use a resource template to create and manage
+      other workflows. The same pattern would be suitable for other resurces, e.g. a service
+  name: workflow-manager
+rules:
 - apiGroups:
   - argoproj.io
   resources:
-  - workflowtasksets
-  - workflowtasksets/finalizers
+  - workflows
   verbs:
-  - list
-  - watch
+  - create
   - get
-  - update
-  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -543,16 +556,16 @@ rules:
   - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: RoleBinding
 metadata:
-  name: kubelet-executor
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - nodes/proxy
-  verbs:
-  - get
+  name: agent-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: agent
+subjects:
+- kind: ServiceAccount
+  name: default
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -580,6 +593,18 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
+metadata:
+  name: executor-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: executor
+subjects:
+- kind: ServiceAccount
+  name: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
 metadata:
   name: github.com
 roleRef:
@@ -594,52 +619,51 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: workflow-default-binding
+  name: pod-manager-default
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: workflow-role
+  name: pod-manager
 subjects:
 - kind: ServiceAccount
   name: default
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
-  name: argo-clusterworkflowtemplate-role-binding
+  name: workflow-manager-default
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: argo-clusterworkflowtemplate-role
+  kind: Role
+  name: workflow-manager
 subjects:
 - kind: ServiceAccount
-  name: argo
-  namespace: argo
+  name: default
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: argo-server-clusterworkflowtemplate-role-binding
+  name: argo-clusterworkflowtemplate-role-binding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: argo-server-clusterworkflowtemplate-role
+  name: argo-clusterworkflowtemplate-role
 subjects:
 - kind: ServiceAccount
-  name: argo-server
+  name: argo
   namespace: argo
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: kubelet-executor-default
+  name: argo-server-clusterworkflowtemplate-role-binding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: kubelet-executor
+  name: argo-server-clusterworkflowtemplate-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: argo-server
   namespace: argo
 ---
 apiVersion: v1