docs: Provide example RBAC for API server in apps-in-any-namespace (cherry-pick #12341)

examples/k8s-rbac/argocd-server-applications/README.md

@@ -0,0 +1,11 @@
+This folder contains example RBAC for Kubernetes to allow the Argo CD API
+Server (`argocd-server`) to perform CRUD operations on `Application` CRs
+in all namespaces on the cluster.
+
+Applying the `ClusterRole` and `ClusterRoleBinding` grant the Argo CD API
+server read and write permissions cluster-wide, which may not be what you
+want. Handle with care.
+
+Only apply these if you have installed Argo CD into the default namespace
+`argocd`. Otherwise, you need to edit the cluster role binding to bind to
+the service account in the correct namespace.

examples/k8s-rbac/argocd-server-applications/argocd-server-rbac-clusterrole.yaml

@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: argocd-server-cluster-apps
+    app.kubernetes.io/part-of: argocd
+    app.kubernetes.io/component: server
+  name: argocd-server-cluster-apps
+rules:
+- apiGroups:
+  - "argoproj.io"
+  resources:
+  - "applications"
+  verbs:
+  - create
+  - delete
+  - update
+  - patch

examples/k8s-rbac/argocd-server-applications/argocd-server-rbac-clusterrolebinding.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: argocd-server-cluster-apps
+    app.kubernetes.io/part-of: argocd
+    app.kubernetes.io/component: server
+  name: argocd-server-cluster-apps
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argocd-server-cluster-apps
+subjects:
+- kind: ServiceAccount
+  name: argocd-server
+  namespace: argocd