fix: Sec correct rbac resources

This commit is contained in:
Peter 2026-04-06 17:58:28 +02:00
parent 4bfb8be326
commit b65ec8e109
Signed by: Peter
SSH key fingerprint: SHA256:B5tYaxBExaDm74r1px9iVeZ6F/ZDiyiy9SbBqfZYrvg


@ -275,28 +275,15 @@ extraObjects:
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: admin-user name: admin-user
namespace: argo-workflows
annotations: annotations:
# The rule is an expression used to determine if this service account workflows.argoproj.io/rbac-rule: "'ArgoCD Admins' in groups"
# should be used.
# * `groups` - an array of the OIDC groups
# * `iss` - the issuer ("argo-server")
# * `sub` - the subject (typically the username)
# Must evaluate to a boolean.
# If you want an account to be the default to use, this rule can be "true".
# Details of the expression language are available in
# https://expr-lang.org/docs/language-definition.
workflows.argoproj.io/rbac-rule: "'admin' in groups"
# The precedence is used to determine which service account to use when
# Precedence is an integer. It may be negative. If omitted, it defaults to "0".
# Numerically higher values have higher precedence (not lower, which maybe
# counter-intuitive to you).
# If two rules match and have the same precedence, then which one used will
# be arbitrary.
workflows.argoproj.io/rbac-rule-precedence: "1" workflows.argoproj.io/rbac-rule-precedence: "1"
- apiVersion: v1 - apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: read-only name: read-only
namespace: argo-workflows
annotations: annotations:
workflows.argoproj.io/rbac-rule: "true" workflows.argoproj.io/rbac-rule: "true"
workflows.argoproj.io/rbac-rule-precedence: "0" workflows.argoproj.io/rbac-rule-precedence: "0"
@ -307,7 +294,7 @@ extraObjects:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: admin-user name: admin-user
namespace: argocd-workflows namespace: argo-workflows
roleRef: roleRef:
kind: ClusterRole kind: ClusterRole
name: argo-workflows-admin name: argo-workflows-admin
@ -319,7 +306,7 @@ extraObjects:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: read-only name: read-only
namespace: argocd-workflows namespace: argo-workflows
roleRef: roleRef:
kind: ClusterRole kind: ClusterRole
name: argo-workflows-view name: argo-workflows-view
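Review bot: The first hunk drops the whole comment block that explained `workflows.argoproj.io/rbac-rule` and `rbac-rule-precedence`, so the new `"'ArgoCD Admins' in groups"` expression on the admin-user account is left undocumented, while the read-only account directly below keeps rule `"true"` at precedence `"0"`, which (per the removed text) makes it the catch-all every SSO user falls into when the group match fails. A mistyped or renamed IdP group therefore degrades admins silently to read-only rather than erroring, which is the safe direction but worth stating next to the rule. Suggest restoring a short comment above the admin rule, e.g. `# Exact, case-sensitive match against the OIDC 'groups' claim; users outside the group fall through to the read-only account below (precedence "0").` plus the retained link to https://expr-lang.org/docs/language-definition. The two later hunks only correct the subject namespace typo; the binding's `kind` sits above each hunk, so whether the `ClusterRole` `argo-workflows-admin` is granted cluster-wide or only within `argo-workflows` cannot be checked from this view.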