Argo Workflows：Argo 安装中似乎缺少 `workflow-role`

Question

I am new to Argo Workflows and following along with this tutorial .

Following along with it, we are to create a service account and then attach the pre-existing workflow-role to the service account, like this:

> kubectl create serviceaccount mike
serviceaccount/mike created # Response from my terminal

> kubectl create rolebinding mike --serviceaccount=argo:mike --role=workflow-role
rolebinding.rbac.authorization.k8s.io/mike created # Response from my terminal

But then when I tried to submit a job using that service account, it said that there is no such role workflow-role :

Message:  Error (exit code 1): pods "mike-cli-hello-svlmn" is forbidden: User
"system:serviceaccount:argo:mike" cannot patch resource "pods" in API group "" in the namespace
"argo": RBAC: role.rbac.authorization.k8s.io "workflow-role" not found

(I also do not understand why my default API group is null, but I'm assuming that is unrelated.)

I then checked, and indeed there is no such role:

❯ kubectl get role
NAME                       CREATED AT
agent                      2022-02-28T21:38:31Z
argo-role                  2022-02-28T21:38:31Z
argo-server-role           2022-02-28T21:38:32Z
executor                   2022-02-28T21:38:32Z
pod-manager                2022-02-28T21:38:32Z
submit-workflow-template   2022-02-28T21:38:32Z
workflow-manager           2022-02-28T21:38:32Z

Could it be that the role is workflow-manager ? That sounds more like an automated service to manage the pipeline / DAG or something similar.

I am obviously quite new to Argo. I have successfully launched jobs, but not when trying to use that newly created service account.

Should Argo have a default role of workflow-role ? How do I create it?

Answer 1

Actually, I think I got it, but if someone sees this, a confirmation would be nice.

I created a role file as follows:

role.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: workflow
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - watch
  - patch
- apiGroups:
  - ""
  resources:
  - pods/log
  verbs:
  - get
  - watch

I then created the role via the standard

kubectl apply -f role.yaml

Then created the role-binding same as above:

kubectl create rolebinding mike --serviceaccount=argo:mike --role=workflow

Then I could submit jobs with the new service account without a problem:

argo submit --serviceaccount mike --watch argo_tutorial.yaml