From c08fc230d75c85b2c9a07138c5c7b7bc957b98df Mon Sep 17 00:00:00 2001
From: Vlad Losev <vladlosev@users.noreply.github.com>
Date: Thu, 9 Feb 2023 21:31:49 -0800
Subject: [PATCH] fix(argo-workflows): clean subresource permissions (#1835)

---
 charts/argo-workflows/Chart.yaml                         | 4 ++--
 .../controller/workflow-controller-cluster-roles.yaml    | 7 ++++++-
 .../templates/server/server-cluster-roles.yaml           | 9 +++++++--
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/charts/argo-workflows/Chart.yaml b/charts/argo-workflows/Chart.yaml
index 8ba37092..0fe6953a 100644
--- a/charts/argo-workflows/Chart.yaml
+++ b/charts/argo-workflows/Chart.yaml
@@ -3,7 +3,7 @@ appVersion: v3.4.5
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 0.22.10
+version: 0.22.11
 icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
 sources:
@@ -14,4 +14,4 @@ maintainers:
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: Upgrade Argo Workflows to v3.4.5
+      description: Cleaned RBAC permissions for subresources (pods/log, pods/exec).
diff --git a/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml b/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml
index 34f91c0d..bb08306b 100644
--- a/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml
@@ -14,7 +14,6 @@ rules:
   - ""
   resources:
   - pods
-  - pods/exec
   verbs:
   - create
   - get
@@ -23,6 +22,12 @@ rules:
   - update
   - patch
   - delete
+- apiGroups:
+  - ""
+  resources:
+  - pods/exec
+  verbs:
+  - create
 - apiGroups:
   - ""
   resources:
diff --git a/charts/argo-workflows/templates/server/server-cluster-roles.yaml b/charts/argo-workflows/templates/server/server-cluster-roles.yaml
index c3c4e688..c7d18f50 100644
--- a/charts/argo-workflows/templates/server/server-cluster-roles.yaml
+++ b/charts/argo-workflows/templates/server/server-cluster-roles.yaml
@@ -23,13 +23,18 @@ rules:
   - ""
   resources:
   - pods
-  - pods/exec
-  - pods/log
   verbs:
   - get
   - list
   - watch
   - delete
+- apiGroups:
+  - ""
+  resources:
+  - pods/log
+  verbs:
+  - get
+  - list
 {{- if .Values.server.sso }}
 - apiGroups:
   - ""