mod

argoworkflow/001-workflow-acount.yaml

@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: workflow
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: workflow-role
+rules:
+  # pod get/watch is used to identify the container IDs of the current pod
+  # pod patch is used to annotate the step's outputs back to controller (e.g. artifact location)
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - watch
+      - patch
+  # logs get/watch are used to get the pods logs for script outputs, and for log archival
+  - apiGroups:
+      - ""
+    resources:
+      - pods/log
+    verbs:
+      - get
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: workflow-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: workflow-role
+subjects:
+  - kind: ServiceAccount
+    name: workflow

argoworkflow/03-sensor-github.yaml

@@ -28,6 +28,7 @@ spec:
               metadata:
                 generateName: github-
               spec:
+                serviceAccountName: workflow
                 entrypoint: whalesay
                 arguments:
                   parameters: