Hi all, I've been trying to get any kind of API access using a service account token on my local k3d cluster. I installed v3.5.8 of argo workflows and my goal was to access the following API endpoint:

I've set up the service account using the following script:

```bash
kubectl create namespace dev
kubectl create sa -n dev tb
kubectl apply -n dev -f argo-role.yaml
kubectl create rolebinding argo --serviceaccount dev:tb --role argo
kubectl apply -n dev -f token.yaml
kubectl get secret -n dev tb.service-account-token -o=jsonpath='{.data.token}' | base64 --decode
```

argo-role.yaml

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argo
rules:
  # k8s standard APIs
  - apiGroups:
      - ""
    resources:
      - events
      - pods
      - pods/log
    verbs:
      - get
      - list
      - watch
  # Argo APIs. See also https://github.com/argoproj/argo-workflows/blob/main/manifests/cluster-install/workflow-controller-rbac/workflow-aggregate-roles.yaml#L4
  - apiGroups:
      - argoproj.io
    resources:
      - eventsources
      - sensors
      - workflows
      - workfloweventbindings
      - workflowtemplates
      - clusterworkflowtemplates
      - cronworkflows
      - cronworkflows
      - workflowtaskresults
    verbs:
      - get
      - list
      - watch
```

role-binding.yaml

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: transformation-builder
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argo
subjects:
  - kind: ServiceAccount
    name: tb
    namespace: dev
```

token.yaml

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: tb.service-account-token
  annotations:
    kubernetes.io/service-account.name: tb
type: kubernetes.io/service-account-token
```

Then when I try to access the aforementioned endpoint using the token obtained by the script I get the following response:
This response was not helpful at all, however after downgrading argo workflows to v3.5.4 and sending the same request I got the following response
This led me to change the role to the following (Only changing metadata.name to

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev:argo
rules:
  # k8s standard APIs
  - apiGroups:
      - ""
    resources:
      - events
      - pods
      - pods/log
    verbs:
      - get
      - list
      - watch
  # Argo APIs. See also https://github.com/argoproj/argo-workflows/blob/main/manifests/cluster-install/workflow-controller-rbac/workflow-aggregate-roles.yaml#L4
  - apiGroups:
      - argoproj.io
    resources:
      - eventsources
      - sensors
      - workflows
      - workfloweventbindings
      - workflowtemplates
      - clusterworkflowtemplates
      - cronworkflows
      - cronworkflows
      - workflowtaskresults
    verbs:
      - get
      - list
      - watch
```

```bash
kubectl create namespace dev
kubectl create sa -n dev tb
kubectl apply -n dev -f argo-role.yaml
kubectl create rolebinding argo --serviceaccount dev:tb --role dev:argo
kubectl apply -n dev -f token.yaml
kubectl get secret -n dev tb.service-account-token -o=jsonpath='{.data.token}' | base64 --decode
```

I wanted to report this because this has been an extremely painful experience that cost me a lot of time. I still do not understand why I had to prepend my role's name with I think the examples in the docs should be improved. Given that I am a new user of this project I do not know whether the error message I got on v3.5.8 is intended, but the error message I got in v3.5.4 was much clearer and actually led to me solving my issue.
Replies: 1 comment 5 replies
Your shell command and the created `RoleBinding`, as quoted above, has `--role dev:argo`.

That's not an Argo error, and these aren't really Argo specific, it's mainly plain k8s. The Argo API is largely just an intermediary to k8s and uses the same permissions your existing k8s SAs have.

See also the `--help` message for the `kubectl` command:

The Quick Start does not reference the API and does not have manual Role or RoleBinding creation, as it uses the quick start manifests. So I'm not sure exactly why you were referring to it, and that seems mistaken. Entirely separate to the Quick Start, there is an "Access Token" page that does instruct on this. I'm not sure if that's what you were referring to, but the equivalent shell command to create a

```bash
kubectl create rolebinding jenkins --role=jenkins --serviceaccount=argo:jenkins
```

Note that it has The commands there also do not include a namespace -- given that you have

You did not say what kind of script or command you used to access the API. Your commands go as far as getting the SA token but not farther.
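
An added example, not part of the thread or of Argo's own code: an offline check that a RoleBinding's `roleRef` resolves to a Role in the binding's own namespace, which is where Kubernetes looks it up (the API server accepts a binding to a Role that does not exist). The manifests are constructed samples that reuse the thread's names `dev`, `tb` and `argo`; the helper names are hypothetical, and each object is assumed to carry the namespace it ended up in on the cluster.

```python
# Added example: offline lint of Role/RoleBinding manifests (constructed data).
# Assumption: every object records the namespace it was actually created in.

def granted_rules(objects, sa_ns, sa_name):
    """Return (rules, problems) that RoleBindings yield for one ServiceAccount."""
    roles = {(o["metadata"]["namespace"], o["metadata"]["name"]): o
             for o in objects if o["kind"] == "Role"}
    rules, problems = [], []
    for rb in (o for o in objects if o["kind"] == "RoleBinding"):
        ns, name = rb["metadata"]["namespace"], rb["metadata"]["name"]
        if not any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                   and s.get("namespace") == sa_ns
                   for s in rb.get("subjects", [])):
            continue  # this binding does not mention the ServiceAccount
        ref = rb["roleRef"]
        if ref["kind"] != "Role":
            continue  # ClusterRole references are out of scope here
        # A Role reference is resolved in the RoleBinding's own namespace.
        role = roles.get((ns, ref["name"]))
        if role is None:
            problems.append(f"{ns}/{name}: roleRef Role {ns}/{ref['name']} not found")
        else:
            rules.extend(role["rules"])
    return rules, problems

def can(rules, group, resource, verb):
    """True if any rule covers the (apiGroup, resource, verb) triple."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return any(hit(r.get("apiGroups", []), group)
               and hit(r.get("resources", []), resource)
               and hit(r.get("verbs", []), verb) for r in rules)

def obj(kind, ns, name, **extra):
    return {"kind": kind, "metadata": {"namespace": ns, "name": name}, **extra}

# Constructed sample objects using the thread's names (dev, tb, argo).
ROLE = obj("Role", "dev", "argo", rules=[
    {"apiGroups": ["argoproj.io"], "resources": ["workflows"],
     "verbs": ["get", "list", "watch"]}])
SUBJECTS = [{"kind": "ServiceAccount", "name": "tb", "namespace": "dev"}]

def binding(ns, role_name):
    return obj("RoleBinding", ns, "argo", subjects=SUBJECTS,
               roleRef={"kind": "Role", "name": role_name})

if __name__ == "__main__":
    for rb in (binding("dev", "argo"), binding("default", "argo"),
               binding("dev", "dev:argo")):
        rules, problems = granted_rules([ROLE, rb], "dev", "tb")
        print(rb["metadata"]["namespace"], rb["roleRef"]["name"],
              can(rules, "argoproj.io", "workflows", "list"), problems)
```

On a live cluster the same question can be put to the API server with `kubectl auth can-i list workflows.argoproj.io -n dev --as=system:serviceaccount:dev:tb`.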