Aggregate workflow RBAC roles to built-in admin/edit/view clusterroles (

resolves argoproj#960)

examples/k8s-wait-wf.yaml

@@ -1,10 +1,4 @@
 # This example demonstrates how to use a resource template to wait on another workflow.
-#
-# NOTE: The ability to create custom resources (e.g. workflows) is not included in the built-in
-# admin role. For this example to work, it will require more privileges than normal.
-# For testing purposes, you can escalate the default service account in the default namespace to
-# cluster-admin using the command:
-# kubectl create rolebinding default-admin --clusterrole=cluster-admin --serviceaccount=default:default
 apiVersion: argoproj.io/v1alpha1
 kind: Workflow
 metadata:

manifests/README.md

@@ -0,0 +1,7 @@
+# Argo Install Manifests
+
+Two 
+| File | Description |
+|------|-------------|
+| install.yaml | Standard argo cluster-wide installation. Controller operates on all namespaces |
+| namespace-install.yaml | Installation of argo which operates on a single namespace. Controller does not require to be run with clusterrole |

manifests/base/01b_workflow-aggregate-roles.yaml

@@ -0,0 +1,62 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argo-aggregate-to-view
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  - workflows/finalizers
+  verbs:
+  - get
+  - list
+  - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argo-aggregate-to-edit
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  - workflows/finalizers
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argo-aggregate-to-admin
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  - workflows/finalizers
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch

manifests/base/02e_workflow-controller-deployment.yaml

@@ -14,11 +14,11 @@ spec:
       serviceAccountName: argo
       containers:
       - name: workflow-controller
-        image: argoproj/workflow-controller:v2.1.1
+        image: argoproj/workflow-controller:latest
         command:
         - workflow-controller
         args:
         - --configmap
         - workflow-controller-configmap
         - --executor-image
-        - argoproj/argoexec:v2.1.1
+        - argoproj/argoexec:latest

manifests/base/03d_argo-ui-deployment.yaml

@@ -14,7 +14,7 @@ spec:
       serviceAccountName: argo-ui
       containers:
       - name: argo-ui
-        image: argoproj/argoui:v2.1.1
+        image: argoproj/argoui:latest
         env:
         - name: ARGO_NAMESPACE
           valueFrom:

manifests/cluster-install/kustomization.yaml

@@ -1,14 +1,15 @@
 namespace: argo
 
 resources:
-- ../base/01_workflow-crd.yaml
+- ../base/01a_workflow-crd.yaml
+- ../base/01b_workflow-aggregate-roles.yaml
 - ../base/02a_workflow-controller-sa.yaml
-- ../base/02b_workflow-controller-cluster-role.yaml
-- ../base/02c_workflow-controller-cluster-rolebinding.yaml
+- ../base/02b_workflow-controller-clusterrole.yaml
+- ../base/02c_workflow-controller-clusterrolebinding.yaml
 - ../base/02d_workflow-controller-configmap.yaml
 - ../base/02e_workflow-controller-deployment.yaml
 - ../base/03a_argo-ui-sa.yaml
-- ../base/03b_argo-ui-cluster-role.yaml
-- ../base/03c_argo-ui-cluster-rolebinding.yaml
+- ../base/03b_argo-ui-clusterrole.yaml
+- ../base/03c_argo-ui-clusterrolebinding.yaml
 - ../base/03d_argo-ui-deployment.yaml
 - ../base/03e_argo-ui-service.yaml

manifests/install.yaml

@@ -27,6 +27,67 @@ metadata:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+  name: argo-aggregate-to-admin
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  - workflows/finalizers
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: argo-aggregate-to-edit
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  - workflows/finalizers
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: argo-aggregate-to-view
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  - workflows/finalizers
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
   name: argo-cluster-role
 rules:
@@ -171,7 +232,7 @@ spec:
           value: "false"
         - name: BASE_HREF
           value: /
-        image: argoproj/argoui:v2.1.1
+        image: argoproj/argoui:latest
         name: argo-ui
       serviceAccountName: argo-ui
 ---
@@ -194,9 +255,9 @@ spec:
         - --configmap
         - workflow-controller-configmap
         - --executor-image
-        - argoproj/argoexec:v2.1.1
+        - argoproj/argoexec:latest
         command:
         - workflow-controller
-        image: argoproj/workflow-controller:v2.1.1
+        image: argoproj/workflow-controller:latest
         name: workflow-controller
       serviceAccountName: argo

manifests/namespace-install.yaml

@@ -125,7 +125,6 @@ subjects:
 apiVersion: v1
 data:
   config: |
-    artifactRepository: {}
     namespace: argo
 kind: ConfigMap
 metadata:
@@ -168,7 +167,7 @@ spec:
           value: "false"
         - name: BASE_HREF
           value: /
-        image: argoproj/argoui:v2.1.1
+        image: argoproj/argoui:latest
         name: argo-ui
       serviceAccountName: argo-ui
 ---
@@ -190,9 +189,9 @@ spec:
         - --configmap
         - workflow-controller-configmap
         - --executor-image
-        - argoproj/argoexec:v2.1.1
+        - argoproj/argoexec:latest
         command:
         - workflow-controller
-        image: argoproj/workflow-controller:v2.1.1
+        image: argoproj/workflow-controller:latest
         name: workflow-controller
       serviceAccountName: argo

manifests/namespace-install/kustomization.yaml

@@ -1,5 +1,5 @@
 resources:
-- ../base/01_workflow-crd.yaml
+- ../base/01a_workflow-crd.yaml
 - ../base/02a_workflow-controller-sa.yaml
 - ./02b_workflow-controller-role.yaml
 - ./02c_workflow-controller-rolebinding.yaml

workflow/controller/workflowpod.go

@@ -132,9 +132,8 @@ func (woc *wfOperationCtx) createWorkflowPod(nodeName string, mainCtr apiv1.Cont
 				volumeDockerSock,
 			},
 			ActiveDeadlineSeconds: tmpl.ActiveDeadlineSeconds,
-			// TODO: consider allowing service account and image pull secrets to reference global vars
-			ServiceAccountName: woc.wf.Spec.ServiceAccountName,
-			ImagePullSecrets:   woc.wf.Spec.ImagePullSecrets,
+			ServiceAccountName:    woc.wf.Spec.ServiceAccountName,
+			ImagePullSecrets:      woc.wf.Spec.ImagePullSecrets,
 		},
 	}
 	if woc.controller.Config.InstanceID != "" {