From 7e16a3c5a063a7bb2e7d6446cc6ff01b03bafc3b Mon Sep 17 00:00:00 2001
From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com>
Date: Mon, 6 Apr 2026 17:58:28 +0200
Subject: [PATCH] fix: Sec correct rbac resources
---
 k8s-peterg/argo-workflows/values.yaml | 19 +++----------------
 1 file changed, 3 insertions(+), 16 deletions(-)
diff --git a/k8s-peterg/argo-workflows/values.yaml b/k8s-peterg/argo-workflows/values.yaml
index 5966d3b..b7eff2c 100644
--- a/k8s-peterg/argo-workflows/values.yaml
+++ b/k8s-peterg/argo-workflows/values.yaml
@@ -275,28 +275,15 @@ extraObjects:
 kind: ServiceAccount
 metadata:
 name: admin-user
+ namespace: argocd-workflows
 annotations:
- # The rule is an expression used to determine if this service account
- # should be used.
- # * `groups` - an array of the OIDC groups
- # * `iss` - the issuer ("argo-server")
- # * `sub` - the subject (typically the username)
- # Must evaluate to a boolean.
- # If you want an account to be the default to use, this rule can be "true".
- # Details of the expression language are available in
- # https://expr-lang.org/docs/language-definition.
- workflows.argoproj.io/rbac-rule: "'admin' in groups"
- # The precedence is used to determine which service account to use when
- # Precedence is an integer. It may be negative. If omitted, it defaults to "0".
- # Numerically higher values have higher precedence (not lower, which maybe
- # counter-intuitive to you).
- # If two rules match and have the same precedence, then which one used will
- # be arbitrary.
+ workflows.argoproj.io/rbac-rule: "'ArgoCD Admins' in groups"
 workflows.argoproj.io/rbac-rule-precedence: "1"
 - apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: read-only
+ namespace: argocd-workflows
 annotations:
 workflows.argoproj.io/rbac-rule: "true"
 workflows.argoproj.io/rbac-rule-precedence: "0"
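Review bot: The new rule `'ArgoCD Admins' in groups` on `admin-user` is an exact, case-sensitive match against the OIDC `groups` claim, and with the explanatory comments removed nothing in the hunk says which identity-provider group it refers to or why precedence `"1"` must stay above the `read-only` catch-all (`"true"`, precedence `"0"`). If the provider emits group IDs instead of display names, or the group is renamed, admins would presumably fall through to `read-only`; the group name also becomes part of the trust boundary, so it is worth confirming that creating or renaming groups at the provider is restricted. I would keep one short comment above the annotation, e.g. `# Must equal a value in the OIDC groups claim; precedence 1 wins over the read-only catch-all (0).` The added `namespace: argocd-workflows` has to agree with the `subjects` of the bindings for both accounts, which are not visible here; the first ServiceAccount entry also starts above the hunk.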