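---
# ServiceAccount that the workflow pods run as. None of the three objects in
# this file sets metadata.namespace, so they are created in whichever
# namespace is selected when the manifest is applied.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: workflow
---
# Namespaced Role listing the API permissions handed to the workflow
# ServiceAccount through the RoleBinding at the end of this file.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: workflow-role
rules:
  # pod get/watch is used to identify the container IDs of the current pod
  # pod patch is used to annotate the step's outputs back to the controller
  # (e.g. artifact location)
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - watch
      - patch
  # logs get/watch are used to get the pod's logs for script outputs, and for
  # log archival
  - apiGroups:
      - ""
    resources:
      - pods/log
      # NOTE(review): nodes and nodes/proxy are cluster-scoped resources, so
      # a namespaced Role bound by a RoleBinding grants no access to them;
      # the two entries below are inert here and are not covered by the log
      # rationale above. nodes/proxy gives access to the kubelet API, so
      # prefer removing both, and do not move them into a ClusterRole
      # without a documented need.
      - nodes
      - nodes/proxy
    verbs:
      - get
      - watch
---
# Binds workflow-role to the workflow ServiceAccount. The subject carries no
# namespace; set it explicitly if the ServiceAccount lives in a different
# namespace than this binding.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argo-workflow-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: workflow-role
subjects:
  - kind: ServiceAccount
    name: workflow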