From 84396942085d3ee26f7ca9d6e3d9d6a0898b3b99 Mon Sep 17 00:00:00 2001
From: Vlad Losev
Date: Fri, 15 May 2020 13:10:41 -0700
Subject: [PATCH] Moves ClusterWorkflowTemplate permissions into separate roles.
---
 ...er-role.yaml => server-cluster-roles.yaml} | 21 ++++++++++++++++++-
 charts/argo/templates/server-crb.yaml | 13 ++++++++++++
 ...=> workflow-controller-cluster-roles.yaml} | 15 +++++++++++++
 .../templates/workflow-controller-crb.yaml | 13 ++++++++++++
 charts/argo/values.yaml | 3 +++
 5 files changed, 64 insertions(+), 1 deletion(-)
 rename charts/argo/templates/{server-cluster-role.yaml => server-cluster-roles.yaml} (76%)
 rename charts/argo/templates/{workflow-controller-clusterrole.yaml => workflow-controller-cluster-roles.yaml} (84%)
diff --git a/charts/argo/templates/server-cluster-role.yaml b/charts/argo/templates/server-cluster-roles.yaml
similarity index 76%
rename from charts/argo/templates/server-cluster-role.yaml
rename to charts/argo/templates/server-cluster-roles.yaml
index 45a195ba..67ee9fbc 100644
--- a/charts/argo/templates/server-cluster-role.yaml
+++ b/charts/argo/templates/server-cluster-roles.yaml
@@ -52,7 +52,6 @@ rules:
 - workflows
 - workflowtemplates
 - cronworkflows
- - clusterworkflowtemplates
 verbs:
 - create
 - get
@@ -61,4 +60,24 @@ rules:
 - update
 - patch
 - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Release.Name }}-{{ .Values.server.name }}-cluster-template-cluster-role
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - clusterworkflowtemplates
+ verbs:
+ - get
+ - list
+ - watch
+ {{- if .Values.server.clusterWorkflowTemplates.enableEditing }}
+ - create
+ - update
+ - patch
+ - delete
+ {{- end }}
 {{- end }}
diff --git a/charts/argo/templates/server-crb.yaml b/charts/argo/templates/server-crb.yaml
index df919b21..fc76740f 100644
--- a/charts/argo/templates/server-crb.yaml
+++ b/charts/argo/templates/server-crb.yaml
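Review bot: The new ClusterRole in server-cluster-roles.yaml has no comment saying that `get`, `list` and `watch` are always granted while the write verbs depend on a value, which is the first thing someone auditing the chart's RBAC needs from this template. A line above the `{{- if … }}` would cover it: `# Write verbs are added only when server.clusterWorkflowTemplates.enableEditing is true; read access is unconditional.` The document sits inside a block closed by the final `{{- end }}`, which opens outside the hunk.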
@@ -19,4 +19,17 @@ subjects:
 {{- if not .Values.singleNamespace }}
 namespace: {{ .Release.Namespace }}
 {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Release.Name }}-{{ .Values.server.name}}-crb
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Release.Name }}-{{ .Values.server.name}}-cluster-template-cluster-role
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.server.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
 {{- end -}}
diff --git a/charts/argo/templates/workflow-controller-clusterrole.yaml b/charts/argo/templates/workflow-controller-cluster-roles.yaml
similarity index 84%
rename from charts/argo/templates/workflow-controller-clusterrole.yaml
rename to charts/argo/templates/workflow-controller-cluster-roles.yaml
index c8c1b3d4..1a1deeb3 100644
--- a/charts/argo/templates/workflow-controller-clusterrole.yaml
+++ b/charts/argo/templates/workflow-controller-cluster-roles.yaml
@@ -97,3 +97,18 @@ rules:
 verbs:
 - get
 {{- end}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template-cluster-role
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - clusterworkflowtemplates
+ - clusterworkflowtemplates/finalizers
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/charts/argo/templates/workflow-controller-crb.yaml b/charts/argo/templates/workflow-controller-crb.yaml
index 93983812..80f0a102 100644
--- a/charts/argo/templates/workflow-controller-crb.yaml
+++ b/charts/argo/templates/workflow-controller-crb.yaml
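Review bot: The binding added to server-crb.yaml is named `{{ .Release.Name }}-{{ .Values.server.name}}-crb`, which says nothing about cluster templates and may collide with the name of the binding already defined earlier in this file; that binding's metadata is outside the hunk, so this needs checking. Two ClusterRoleBindings rendered under one name would conflict at install time. The controller's counterpart in this patch uses a distinct suffix, and the same pattern fits here: `name: {{ .Release.Name }}-{{ .Values.server.name }}-cluster-template-binding`.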
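Review bot: The new ClusterRole in workflow-controller-cluster-roles.yaml is appended after the file's closing `{{- end}}`, and its binding in workflow-controller-crb.yaml after three closing `{{- end }}` lines, so both appear to be rendered whatever those blocks test (they open outside the hunks). The server-crb.yaml context shows the chart has a `.Values.singleNamespace` mode; if an install in that mode is meant to carry no cluster-scoped grants for the controller, the two objects need their own guard, for instance `{{- if not .Values.singleNamespace }}` … `{{- end }}` around each. Separately, `clusterworkflowtemplates/finalizers` with only `get`, `list` and `watch` grants nothing useful, because Kubernetes consults the finalizers subresource for `update`; the entry can be dropped or its reason stated in a comment.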
@@ -27,3 +27,16 @@ subjects:
 {{- end }}
 {{- end }}
 {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template-cluster-role
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.controller.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
diff --git a/charts/argo/values.yaml b/charts/argo/values.yaml
index 7ab0aae5..7f0eead3 100644
--- a/charts/argo/values.yaml
+++ b/charts/argo/values.yaml
@@ -190,6 +190,9 @@ server:
 # - secretName: argo-ui-tls
 # hosts:
 # - argo.domain.com
+ clusterWorkflowTemplates:
+ # Give the server permissions to edit ClusterWorkflowTemplates.
+ enableEditing: true
 # Influences the creation of the ConfigMap for the workflow-controller itself.
 useDefaultArtifactRepo: false
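Review bot: `enableEditing: true` in values.yaml makes create, update, patch and delete on ClusterWorkflowTemplates the default for the server's service account, and the comment does not say that these objects are cluster-scoped. The default keeps the behaviour from before the split, but a chart that separates this grant for least privilege would more naturally default to `false` and let operators opt in; that is a judgement call for the maintainers. Either way the comment could spell out the scope: `# Grants the server create/update/patch/delete on ClusterWorkflowTemplates (cluster-scoped, shared by all namespaces). Set to false for read-only access.` The `server:` block starts above the hunk.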