Argo ksonnet package #178
Argo ksonnet package #178
Conversation
kubeflow/argo/argo.libsonnet
Outdated
| }, // service account | ||
|
|
||
| // TODO(jlewi): Do we really need cluster admin privileges? Why? | ||
| // is this just because workflow controller is trying to create the CRD? |
There was a problem hiding this comment.
In v2.0.0-beta1, the controller no longer attempts to create the CRD. This is left to installer now.
cluster-admin would be needed if workflow-controller needs to manage workflows across namespaces. If the controller is configured to only operate in a single namespace (this can be configured in the controller's configmap), then I think admin should be sufficient. But I haven't tried this yet.
We identified the minimum privileges required by the controller here:
https://github.com/argoproj/argo/blob/master/cmd/argo/commands/const.go#L20
Note that UI and controller have different set of privileges.
In 2.0.0-beta1, the installer will create a cluster-admin using these privileges. But if you would like to hand roll the deployment/rbac manifests yourself, argo 2.0.0-beta1 now has --dry-run flag to print the manifests without installing, and you can tweak it from there.
There was a problem hiding this comment.
Very helpful thanks. I updated to the beta1 version and locked down the permissions. PTAL.
| schedulerName: "default-scheduler", | ||
| securityContext: {}, | ||
| serviceAccount: "argo", | ||
| serviceAccountName: "argo", |
There was a problem hiding this comment.
Oh I forgot to mention another change is that there are now two service accounts: one for controller, the other for UI with different permissions. (e.g. the UI needs access to logs whereas the controller does not). I notice in this change the UI is using the same service account (argo). I think you will want to create the argo-ui service account mapped to these permissions:
https://github.com/argoproj/argo/blob/master/cmd/argo/commands/const.go#L44
There was a problem hiding this comment.
I think you did mention that. PTAL.
kubeflow/argo/argo.libsonnet
Outdated
| apiGroups: [""], | ||
| resources: [ | ||
| "pods", | ||
| "pods-exec", |
There was a problem hiding this comment.
Should this be pods/exec instead of pods-exec?
kubeflow/argo/argo.libsonnet
Outdated
| apiGroups: [""], | ||
| resources: [ | ||
| "pods", | ||
| "pods-exec", |
There was a problem hiding this comment.
Same here. I've only ever seen this pods/exec
There was a problem hiding this comment.
Yes, the docs say to "use a slash to delimit the resource and subresource"
https://kubernetes.io/docs/admin/authorization/rbac/#referring-to-resources
There was a problem hiding this comment.
Thanks for catching this; it was a bad copy and paste error on my part.
|
BTW, I will be working with ksonnet to generate an "official" argo workflow libsonnet for the workflow spec parts. This should be coming soon after I generate the OpenAPI specs for workflows. |
|
Thanks. |
* add pv to katibDB Signed-off-by: YujiOshima <yuji.oshima0x3fd@gmail.com> * fix test Signed-off-by: YujiOshima <yuji.oshima0x3fd@gmail.com> * add pv to MinikubeDemo/deploy.sh Signed-off-by: YujiOshima <yuji.oshima0x3fd@gmail.com> * update Signed-off-by: YujiOshima <yuji.oshima0x3fd@gmail.com> * fix test Signed-off-by: YujiOshima <yuji.oshima0x3fd@gmail.com>
An argo ksonnet package
Makes it easy to deploy argo
Related to Add Argo package to our ksonnet registry #21