020-workflow-acount.yaml 916 B

# Identity for workflow pods. The Role and RoleBinding in this file
# attach namespaced pod permissions to this account.
# NOTE(review): no metadata.namespace is set, so the account is created in
# whichever namespace the manifest is applied to - confirm this matches the
# namespace named in the RoleBinding subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: workflow
  5. ---
  6. apiVersion: rbac.authorization.k8s.io/v1
  7. kind: Role
  8. metadata:
  9. name: workflow-role
  10. rules:
  11. # pod get/watch is used to identify the container IDs of the current pod
  12. # pod patch is used to annotate the step's outputs back to controller (e.g. artifact location)
  13. - apiGroups:
  14. - ""
  15. resources:
  16. - pods
  17. verbs:
  18. - get
  19. - watch
  20. - patch
  21. # logs get/watch are used to get the pods logs for script outputs, and for log archival
  22. - apiGroups:
  23. - ""
  24. resources:
  25. - pods/log
  26. - nodes
  27. - nodes/proxy
  28. verbs:
  29. - get
  30. - watch
---
# Grants the permissions of workflow-role to the `workflow` ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argo-workflow-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: workflow-role
subjects:
  # NOTE(review): the subject is pinned to the `default` namespace, while no
  # object in this file sets metadata.namespace. If the manifest is applied
  # to another namespace, this binding names default/workflow rather than
  # the ServiceAccount created alongside it - confirm the intended namespace.
  - kind: ServiceAccount
    name: workflow
    namespace: default