fix(argo-rbac): Fix Argocd Role and Rolebinding for missing VS group (#2)

2022-05-19 12:40:24 -06:00 · 2022-05-19 12:40:24 -06:00 · d4376407a7
commit d4376407a7
parent bf82441ac3
2 changed files with 226 additions and 2 deletions
--- a/charts/argo-cd/templates/argocd-application-controller/coreweave-role.yaml
+++ b/charts/argo-cd/templates/argocd-application-controller/coreweave-role.yaml
@ -0,0 +1,224 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: argocd-full-access
+rules:
+  - apiGroups:
+      - ""
+      - extensions
+      - apps
+      - networking.k8s.io
+    resources:
+      - pods
+      - pods/log
+      - pods/portforward
+      - pods/exec
+      - pods/attach
+      - configmaps
+      - endpoints
+      - events
+      - limitranges
+      - persistentvolumeclaims
+      - persistentvolumeclaims/finalizers
+      - podtemplates
+      - replicationcontrollers
+      - secrets
+      - services
+      - controllerrevisions
+      - deployments
+      - deployments/status
+      - replicasets
+      - statefulsets
+      - applications
+      - ingresses
+      - ingresses/status
+      - networkpolicies
+      - poddisruptionbudgets
+      - serviceaccounts
+      - deployments/scale
+      - statefulsets/scale
+    verbs:
+      - '*'
+  - apiGroups:
+      - bitnami.com
+    resources:
+      - sealedsecrets
+    verbs:
+      - '*'
+  - apiGroups:
+      - virtualservers.coreweave.com
+    resources:
+      - virtualservers
+    verbs:
+      - '*'
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflows
+      - workfloweventbindings
+      - workflows/finalizers
+      - workflowtemplates
+      - workflowtemplates/finalizers
+      - cronworkflows
+      - cronworkflows/finalizers
+      - applications
+      - appprojects
+      - workflowtaskresults
+      - workflowtasksets
+      - workflowtasksets/finalizers
+    verbs:
+      - '*'
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - roles
+      - rolebindings
+    verbs:
+      - list
+      - get
+      - watch
+      - create
+      - patch
+      - bind
+      - delete
+      - update
+  - apiGroups:
+      - policy
+    resources:
+      - poddisruptionbudgets
+    verbs:
+      - '*'
+  - apiGroups:
+      - serving.kubeflow.org
+    resources:
+      - inferenceservices
+    verbs:
+      - '*'
+  - apiGroups:
+      - serving.knative.dev
+    resources:
+      - services
+      - revisions
+    verbs:
+      - '*'
+  - apiGroups:
+      - autoscaling.internal.knative.dev
+    resources:
+      - podautoscalers
+    verbs:
+      - '*'
+  - apiGroups:
+      - networking.istio.io
+    resources:
+      - virtualservices
+    verbs:
+      - list
+      - get
+  - apiGroups:
+      - autoscaling
+    resources:
+      - horizontalpodautoscalers
+    verbs:
+      - '*'
+  - apiGroups:
+      - batch
+      - extensions
+    resources:
+      - jobs
+      - jobs/status
+      - cronjobs
+    verbs:
+      - '*'
+  - apiGroups:
+      - ""
+    resources:
+      - resourcequotas
+      - limitranges
+    verbs:
+      - list
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - create
+      - get
+      - update
+      - list
+      - watch
+      - patch
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - ingressroutes
+      - ingressroutetcps
+      - ingressrouteudps
+      - middlewares
+      - tlsoptions
+      - tlsstores
+      - traefikservices
+    verbs:
+      - '*'
+  - apiGroups:
+      - cdi.kubevirt.io
+    resources:
+      - datavolumes
+      - datavolumes/source
+    verbs:
+      - '*'
+  - apiGroups:
+      - keda.sh
+    resources:
+      - scaledobjects
+      - scaledjobs
+      - triggerauthentications
+    verbs:
+      - '*'
+  - apiGroups:
+      - cert-manager.io
+    resources:
+      - certificates
+      - issuers
+      - certificaterequests
+    verbs:
+      - '*'
+  - apiGroups:
+      - metrics.k8s.io
+    resources:
+      - pods
+    verbs:
+      - list
+      - get
+      - watch
+  - apiGroups:
+      - monitoring.coreos.com
+    resources:
+      - servicemonitors
+    verbs:
+      - '*'
+  - apiGroups:
+      - sps.tensorworks.com.au
+    resources:
+      - spsapps
+      - spsapps/status
+      - scalablepixelstreamingversions
+      - scalablepixelstreamingversions/status
+      - scalablepixelstreamingapplications/status
+      - scalablepixelstreamingapplications
+    verbs:
+      - '*'
+  - apiGroups:
+      - kubeflow.org
+    resources:
+      - mpijobs
+      - tfjobs
+      - mxjobs
+      - pytorchjobs
+      - xgboostjobs
+      - mpijobs/status
+      - tfjobs/status
+      - pytorchjobs/status
+      - mxjobs/status
+      - xgboostjobs/status
+    verbs:
+      - '*'
--- a/charts/argo-cd/templates/argocd-application-controller/coreweave-rolebinding.yaml
+++ b/charts/argo-cd/templates/argocd-application-controller/coreweave-rolebinding.yaml
@ -6,8 +6,8 @@ metadata:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cloud-app-user-full-access
+  kind: Role
+  name: argocd-full-access
 subjects:
 - kind: ServiceAccount
  name: {{ template "argo-cd.controllerServiceAccountName" . }}