fix: added service account creation step in quick start docs (#1324)

* added service account creation step in quick start docs Signed-off-by: Daniel Soifer <daniel.soifer@codefresh.io> * moved service account yaml to rbac dir Signed-off-by: Daniel Soifer <daniel.soifer@codefresh.io> * added bare minimum workflow rbac to example docs Signed-off-by: Daniel Soifer <daniel.soifer@codefresh.io>
argoproj · Sep 1, 2021 · 27bad79 · 27bad79
1 parent 29c1450
commit 27bad79
Show file tree

Hide file tree

Showing 3 changed files with 74 additions and 0 deletions.
diff --git a/docs/quick_start.md b/docs/quick_start.md
@@ -16,6 +16,13 @@ Note: You will need to have [Argo Workflows](https://argoproj.github.io/argo-wor
 
    After running the above command, the event-source controller will create a pod and service.
 
+1. Create a service account with RBAC settings to allow the sensor to trigger workflows, and allow workflows to function.
+
+         # sensor rbac
+        kubectl apply -n argo-events -f https://raw.githubusercontent.com/argoproj/argo-events/master/examples/rbac/sensor-rbac.yaml
+         # workflow rbac
+        kubectl apply -n argo-events -f https://raw.githubusercontent.com/argoproj/argo-events/master/examples/rbac/workflow-rbac.yaml
+
 1. Create webhook sensor.
 
         kubectl apply -n argo-events -f https://raw.githubusercontent.com/argoproj/argo-events/stable/examples/sensors/webhook.yaml

diff --git a/examples/rbac/sensor-rbac.yaml b/examples/rbac/sensor-rbac.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: operate-workflow-sa
+---
+# Similarly you can use a ClusterRole and ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: operate-workflow-role
+rules:
+  - apiGroups:
+      - argoproj.io
+    verbs:
+      - "*"
+    resources:
+      - workflows
+      - workflowtemplates
+      - cronworkflows
+      - clusterworkflowtemplates
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: operate-workflow-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: operate-workflow-role
+subjects:
+  - kind: ServiceAccount
+    name: operate-workflow-sa
diff --git a/examples/rbac/workflow-rbac.yaml b/examples/rbac/workflow-rbac.yaml
@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: workflow-role
+rules:
+  # pod get/watch is used to identify the container IDs of the current pod
+  # pod patch is used to annotate the step's outputs back to controller (e.g. artifact location)
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - watch
+      - patch
+  # logs get/watch are used to get the pods logs for script outputs, and for log archival
+  - apiGroups:
+      - ""
+    resources:
+      - pods/log
+    verbs:
+      - get
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: workflow-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: workflow-role
+subjects:
+  - kind: ServiceAccount
+    name: default