Provide more information about namespaced workflow install. #2687

Closed
lucastheisen opened this issue Apr 14, 2020 · 1 comment · Fixed by #3369
Labels
type/feature Feature request

Comments

@lucastheisen
Contributor

Summary

Right now, the namespaced installation (https://github.com/argoproj/argo/blob/stable/manifests/namespace-install.yaml) instructions don't provide enough information to get workflows running.

Specifically, I think it should be broken into 2 parts:

  1. One-time cluster admin installation: Installs the CustomResourceDefinitions and ClusterRoles (which are currently just Role)
  2. Per-namespace installation: Installs the rest.

Motivation

It was unclear that we needed cluster admin at all (though the CRDs should have made that obvious). And after that, using the current config led to a case where each additional namespace that wanted to run workflows needed the cluster admin to add the RoleBindings.

Proposal

How do you think this should be implemented?

It should be broken into one time cluster admin:

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata: 
  name: clusterworkflowtemplates.argoproj.io
  labels: 
    cluster_feature: argo-worflow
spec: 
  group: argoproj.io
  names: 
    kind: ClusterWorkflowTemplate
    plural: clusterworkflowtemplates
    shortNames: 
    - clusterwftmpl
    - cwft
  scope: Cluster
  version: v1alpha1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata: 
  name: cronworkflows.argoproj.io
  labels: 
    cluster_feature: argo-worflow
spec: 
  group: argoproj.io
  names: 
    kind: CronWorkflow
    plural: cronworkflows
    shortNames: 
    - cronwf
    - cwf
  scope: Namespaced
  version: v1alpha1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata: 
  name: workflows.argoproj.io
  labels: 
    cluster_feature: argo-worflow
spec: 
  additionalPrinterColumns: 
  - JSONPath: .status.phase
    description: Status of the workflow
    name: Status
    type: string
  - JSONPath: .status.startedAt
    description: When the workflow was started
    format: date-time
    name: Age
    type: date
  group: argoproj.io
  names: 
    kind: Workflow
    plural: workflows
    shortNames: 
    - wf
  scope: Namespaced
  version: v1alpha1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata: 
  name: workflowtemplates.argoproj.io
  labels: 
    cluster_feature: argo-worflow
spec: 
  group: argoproj.io
  names: 
    kind: WorkflowTemplate
    plural: workflowtemplates
    shortNames: 
    - wftmpl
  scope: Namespaced
  version: v1alpha1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: 
  name: argo-role
  labels: 
    cluster_feature: argo-worflow
    # Add these permissions to the "admin" default role.
    #   https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules: 
- apiGroups: 
  - ""
  resources: 
  - pods
  - pods/exec
  verbs: 
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
- apiGroups: 
  - ""
  resources: 
  - configmaps
  verbs: 
  - get
  - watch
  - list
- apiGroups: 
  - ""
  resources: 
  - persistentvolumeclaims
  verbs: 
  - create
  - delete
- apiGroups: 
  - argoproj.io
  resources: 
  - workflows
  - workflows/finalizers
  verbs: 
  - get
  - list
  - watch
  - update
  - patch
  - delete
  - create
- apiGroups: 
  - argoproj.io
  resources: 
  - workflowtemplates
  - workflowtemplates/finalizers
  verbs: 
  - get
  - list
  - watch
- apiGroups: 
  - ""
  resources: 
  - serviceaccounts
  verbs: 
  - get
  - list
- apiGroups: 
  - ""
  resources: 
  - secrets
  verbs: 
  - get
- apiGroups: 
  - argoproj.io
  resources: 
  - cronworkflows
  - cronworkflows/finalizers
  verbs: 
  - get
  - list
  - watch
  - update
  - patch
  - delete
- apiGroups: 
  - ""
  resources: 
  - events
  verbs: 
  - create
- apiGroups: 
  - policy
  resources: 
  - poddisruptionbudgets
  verbs: 
  - create
  - get
  - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: 
  name: argo-server-role
  labels: 
    cluster_feature: argo-worflow
    # Add these permissions to the "admin" default role.
    #   https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules: 
- apiGroups: 
  - ""
  resources: 
  - configmaps
  verbs: 
  - get
  - watch
  - list
- apiGroups: 
  - ""
  resources: 
  - secrets
  verbs: 
  - get
- apiGroups: 
  - ""
  resources: 
  - pods
  - pods/exec
  - pods/log
  verbs: 
  - get
  - list
  - watch
  - delete
- apiGroups: 
  - ""
  resources: 
  - secrets
  verbs: 
  - get
- apiGroups: 
  - argoproj.io
  resources: 
  - workflows
  - workflowtemplates
  - cronworkflows
  verbs: 
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete

And per namespace install that can be run by namespace admin:

---
apiVersion: v1
kind: ServiceAccount
metadata: 
  name: argo
---
apiVersion: v1
kind: ServiceAccount
metadata: 
  name: argo-server
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: 
  name: argo-binding
roleRef: 
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argo-role
subjects: 
- kind: ServiceAccount
  name: argo
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: 
  name: argo-server-binding
roleRef: 
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argo-server-role
subjects: 
- kind: ServiceAccount
  name: argo-server
---
apiVersion: v1
kind: ConfigMap
metadata: 
  name: workflow-controller-configmap
---
apiVersion: v1
kind: Service
metadata: 
  name: argo-server
spec: 
  ports: 
  - port: 2746
    targetPort: 2746
  selector: 
    app: argo-server
---
apiVersion: v1
kind: Service
metadata: 
  name: workflow-controller-metrics
spec: 
  ports: 
  - port: 9090
    protocol: TCP
    targetPort: 9090
  selector: 
    app: workflow-controller
---
apiVersion: apps/v1
kind: Deployment
metadata: 
  name: argo-server
spec: 
  selector: 
    matchLabels: 
      app: argo-server
  template: 
    metadata: 
      labels: 
        app: argo-server
    spec: 
      containers: 
      - args: 
        - server
        - --namespaced
        image: argoproj/argocli:latest
        name: argo-server
        ports: 
        - containerPort: 2746
        readinessProbe: 
          httpGet: 
            path: /
            port: 2746
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 20
      serviceAccountName: argo-server
---
apiVersion: apps/v1
kind: Deployment
metadata: 
  name: workflow-controller
spec: 
  selector: 
    matchLabels: 
      app: workflow-controller
  template: 
    metadata: 
      labels: 
        app: workflow-controller
    spec: 
      containers: 
      - args: 
        - --configmap
        - workflow-controller-configmap
        - --executor-image
        - argoproj/argoexec:latest
        - --namespaced
        command: 
        - workflow-controller
        image: argoproj/workflow-controller:latest
        name: workflow-controller
      serviceAccountName: argo

Message from the maintainers:

If you wish to see this enhancement implemented please add a 👍 reaction to this issue! We often sort issues this way to know what to prioritize.
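
The two-part split proposed in this issue, as an added example (not code from the issue or from the Argo project): it partitions a multi-document manifest into the objects a cluster admin applies once and the objects a namespace admin applies per namespace, then reports any RoleBinding whose ClusterRole is missing from the first part. The function names and the regex-based parsing are assumptions of this example, and the parsing relies on manifests laid out like the ones above (metadata name first, roleRef kind before name).

```python
import re

# Kinds that are cluster-scoped, so only a cluster admin can create them.
CLUSTER_KINDS = {"CustomResourceDefinition", "ClusterRole", "ClusterRoleBinding"}

# Constructed sample, abridged from the issue's manifests (flow-style YAML to
# keep it short). The argo-server-role ClusterRole is deliberately left out.
SAMPLE = """\
kind: CustomResourceDefinition
metadata: {name: workflows.argoproj.io}
---
kind: ClusterRole
metadata: {name: argo-role}
---
kind: ServiceAccount
metadata: {name: argo}
---
kind: RoleBinding
metadata: {name: argo-binding}
roleRef: {kind: ClusterRole, name: argo-role}
---
kind: RoleBinding
metadata: {name: argo-server-binding}
roleRef: {kind: ClusterRole, name: argo-server-role}
"""

def _find(pattern, doc):
    m = re.search(pattern, doc, re.MULTILINE | re.DOTALL)
    return m.groups() if m else (None,) * re.compile(pattern).groups

def split_install(manifest):
    """Return (cluster_admin_docs, per_namespace_docs) as {kind, name, ref} dicts."""
    cluster, namespaced = [], []
    for doc in re.split(r"^---[ \t]*$", manifest, flags=re.MULTILINE):
        (kind,) = _find(r"^kind:\s*(\w+)", doc)
        if kind is None:
            continue  # empty document between separators
        (name,) = _find(r"^metadata:.*?\bname:\s*([\w.-]+)", doc)
        ref = _find(r"^roleRef:.*?\bkind:\s*(\w+).*?\bname:\s*([\w.-]+)", doc)
        item = {"kind": kind, "name": name, "ref": ref}
        (cluster if kind in CLUSTER_KINDS else namespaced).append(item)
    return cluster, namespaced

def unresolved_bindings(cluster, namespaced):
    """Names of ClusterRoles that a RoleBinding references but part 1 lacks."""
    roles = {d["name"] for d in cluster if d["kind"] == "ClusterRole"}
    return [d["ref"][1] for d in namespaced
            if d["kind"] == "RoleBinding" and d["ref"][0] == "ClusterRole"
            and d["ref"][1] not in roles]
```

A non-empty result from `unresolved_bindings` means the per-namespace part references a ClusterRole that the cluster admin part does not define, so the bound service account would hold no permissions from that binding.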

@lucastheisen lucastheisen added the type/feature Feature request label Apr 14, 2020
@alexec alexec added the docs label Apr 16, 2020
@alexec
Contributor

alexec commented Jun 9, 2020

It would be great if someone wants to submit a PR with the docs.
