docs: clarify + improve Workflow Restrictions page (#11807)

Signed-off-by: Anton Gilgur <[email protected]> (cherry picked from commit b38c6fd)
argoproj · May 4, 2024 · afdcc54 · afdcc54
1 parent 739d1a6
commit afdcc54
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 6 deletions.
diff --git a/.spelling b/.spelling
@@ -244,6 +244,8 @@ webHDFS
 webhook
 webhooks
 workflow-controller-configmap
+WorkflowTemplate
+WorkflowTemplates
 yaml
 idempotence
 kube-scheduler

diff --git a/docs/workflow-restrictions.md b/docs/workflow-restrictions.md
@@ -4,18 +4,19 @@
 
 ## Introduction
 
-As the administrator of the controller, you may want to limit which types of Workflows your users can run. Setting workflow restrictions allows you to ensure that Workflows comply with certain requirements.
+As the administrator of the controller, you may want to limit which types of Workflows your users can run.
+Workflow Restrictions allow you to set requirements for all Workflows.
 
 ## Available Restrictions
 
-* `templateReferencing: Strict`: Only Workflows using `workflowTemplateRef` will be processed. This allows the administrator of the controller to set a "library" of templates that may be run by its operator, limiting arbitrary Workflow execution.
-* `templateReferencing: Secure`: Only Workflows using `workflowTemplateRef` will be processed and the controller will enforce that the workflow template that is referenced hasn't changed between operations. If you want to make sure the operator of the Workflow cannot run an arbitrary Workflow, use this option.
+* `templateReferencing: Strict`: Only process Workflows using `workflowTemplateRef`. You can use this to require usage of WorkflowTemplates, disallowing arbitrary Workflow execution.
+* `templateReferencing: Secure`: Same as `Strict` _plus_ enforce that a referenced WorkflowTemplate hasn't changed between operations. If a running Workflow's underlying WorkflowTemplate changes, the Workflow will error out.
 
 ## Setting Workflow Restrictions
 
-Workflow Restrictions can be specified by adding them under the `workflowRestrictions` key in the [`workflow-controller-configmap`](./workflow-controller-configmap.yaml).
+You can add `workflowRestrictions` in the [`workflow-controller-configmap`](./workflow-controller-configmap.yaml).
 
-For example, to specify that Workflows may only run with `workflowTemplateRef`
+For example, to specify that Workflows may only run with `workflowTemplateRef`:
 
 ```yaml
 # This file describes the config settings available in the workflow controller configmap
@@ -25,5 +26,5 @@ metadata:
   name: workflow-controller-configmap
 data:
   workflowRestrictions: |
-    templateReferencing: Secure
+    templateReferencing: Strict
 ```