Moves ClusterWorkflowTemplate permissions into separate roles.
parent
cbb27bbfc8
commit
8439694208
5 changed files with 64 additions and 1 deletions
|
@ -52,7 +52,6 @@ rules:
|
||||||
- workflows
|
- workflows
|
||||||
- workflowtemplates
|
- workflowtemplates
|
||||||
- cronworkflows
|
- cronworkflows
|
||||||
- clusterworkflowtemplates
|
|
||||||
verbs:
|
verbs:
|
||||||
- create
|
- create
|
||||||
- get
|
- get
|
||||||
|
@ -61,4 +60,24 @@ rules:
|
||||||
- update
|
- update
|
||||||
- patch
|
- patch
|
||||||
- delete
|
- delete
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: {{ .Release.Name }}-{{ .Values.server.name }}-cluster-template-cluster-role
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- argoproj.io
|
||||||
|
resources:
|
||||||
|
- clusterworkflowtemplates
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
{{- if .Values.server.clusterWorkflowTemplates.enableEditing }}
|
||||||
|
- create
|
||||||
|
- update
|
||||||
|
- patch
|
||||||
|
- delete
|
||||||
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
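Review bot: The new `ClusterRole` for `clusterworkflowtemplates` is hard-coded as cluster-scoped and, in the lines visible here, is not conditioned on `.Values.singleNamespace`, which the binding template does use. If single-namespace installs are meant to avoid cluster-level RBAC, wrap this document in `{{- if not .Values.singleNamespace }}` … `{{- end }}`. The same question applies to the server `ClusterRoleBinding` and to the controller role and binding added in the other files. The enclosing conditional opens outside this hunk, so confirm what already guards the new document.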
|
|
@ -19,4 +19,17 @@ subjects:
|
||||||
{{- if not .Values.singleNamespace }}
|
{{- if not .Values.singleNamespace }}
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ .Release.Name }}-{{ .Values.server.name}}-crb
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: {{ .Release.Name }}-{{ .Values.server.name}}-cluster-template-cluster-role
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ .Values.server.serviceAccount }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
{{- end -}}
|
{{- end -}}
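Review bot: The binding name ending in `-crb` does not say what it binds, and it differs from the controller binding, which uses the suffix `-cluster-template-binding`. ClusterRoleBinding names are cluster-global, so a descriptive name is easier to audit and less likely to clash with another binding from the same release. I would use `name: {{ .Release.Name }}-{{ .Values.server.name }}-cluster-template-binding`. That also normalises the `{{ .Values.server.name}}` spacing, which appears here and in `roleRef.name`.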
|
||||||
|
|
|
@ -97,3 +97,18 @@ rules:
|
||||||
verbs:
|
verbs:
|
||||||
- get
|
- get
|
||||||
{{- end}}
|
{{- end}}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template-cluster-role
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- argoproj.io
|
||||||
|
resources:
|
||||||
|
- clusterworkflowtemplates
|
||||||
|
- clusterworkflowtemplates/finalizers
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
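Review bot: `clusterworkflowtemplates/finalizers` is listed with only `get`, `list` and `watch`, but the finalizers subresource is normally only checked for `update`, so this entry probably grants nothing the controller uses. Either drop the line to keep the rule minimal, or add a comment such as `# finalizers listed for parity with the namespaced rules; read-only on purpose` so a later reader does not "fix" it by adding write verbs. This role is also appended after the file's last `{{- end}}`, so it appears to render unconditionally; the opening of that conditional is outside the hunk.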
|
|
@ -27,3 +27,16 @@ subjects:
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template-binding
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template-cluster-role
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ .Values.controller.serviceAccount }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
|
|
@ -190,6 +190,9 @@ server:
|
||||||
# - secretName: argo-ui-tls
|
# - secretName: argo-ui-tls
|
||||||
# hosts:
|
# hosts:
|
||||||
# - argo.domain.com
|
# - argo.domain.com
|
||||||
|
clusterWorkflowTemplates:
|
||||||
|
# Give the server permissions to edit ClusterWorkflowTemplates.
|
||||||
|
enableEditing: true
|
||||||
|
|
||||||
# Influences the creation of the ConfigMap for the workflow-controller itself.
|
# Influences the creation of the ConfigMap for the workflow-controller itself.
|
||||||
useDefaultArtifactRepo: false
|
useDefaultArtifactRepo: false
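Review bot: `enableEditing` defaults to `true`, so a default install still gives the server's service account cluster-wide write access to ClusterWorkflowTemplates, and the one-line comment does not say so. That matches the old role, where `clusterworkflowtemplates` sat under the write verbs, so the default is backward compatible, but the scope should be stated. I would expand the comment to `# Grants the server create/update/patch/delete on ClusterWorkflowTemplates cluster-wide. Set to false for read-only (get/list/watch) access.` Consider defaulting to `false` in a later major version. The `server:` block opens outside this hunk.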
|
||||||
|
|