Container Service for Kubernetes: Submit a workflow to a specific namespace

Last Updated: Dec 18, 2024

By default, workflows in a cluster are submitted to the argo namespace. To submit a workflow to a specific namespace, so that resources and permissions are isolated among different tasks, you must grant the necessary permissions in that namespace to the default service account or to the service account that the workflow uses.

Procedure

To authorize the service account for a namespace, you can modify the related authorization file.

  1. Create a sample namespace named test.

    kubectl create ns test
  2. Edit the role-rolebinding.yaml authorization file.

    Note

    This example grants permissions to the default service account. If your workflow uses a different service account, grant the required permissions to that account.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      annotations:
        workflows.argoproj.io/description: |
          This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates.
    
          If <= v3.2 you must replace `workflowtasksets/status` with `patch workflowtasksets`.
      name: agent
    rules:
      - apiGroups:
          - argoproj.io
        resources:
          - workflowtasksets
        verbs:
          - list
          - watch
      - apiGroups:
          - argoproj.io
        resources:
          - workflowtasksets/status
        verbs:
          - patch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      annotations:
        workflows.argoproj.io/description: |
          This is the minimum recommended permissions needed if you want to use artifact GC.
      name: artifactgc
    rules:
      - apiGroups:
          - argoproj.io
        resources:
          - workflowartifactgctasks
        verbs:
          - list
          - watch
      - apiGroups:
          - argoproj.io
        resources:
          - workflowartifactgctasks/status
        verbs:
          - patch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      annotations:
        workflows.argoproj.io/description: |
          Recommended minimum permissions for the `emissary` executor.
      name: executor
    rules:
      - apiGroups:
          - argoproj.io
        resources:
          - workflowtaskresults
        verbs:
          - create
          - patch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: submit-workflow-template
    rules:
      - apiGroups:
          - argoproj.io
        resources:
          - workfloweventbindings
        verbs:
          - list
      - apiGroups:
          - argoproj.io
        resources:
          - workflowtemplates
        verbs:
          - get
      - apiGroups:
          - argoproj.io
        resources:
          - workflows
        verbs:
          - create
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      annotations:
        workflows.argoproj.io/description: |
          This is an example of the permissions you would need if you wanted to use a resource template to create and manage
          other workflows. The same pattern would be suitable for other resources, e.g. a service
      name: workflow-manager
    rules:
      - apiGroups:
          - argoproj.io
        resources:
          - workflows
        verbs:
          - create
          - get
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: agent-default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: agent
    subjects:
      - kind: ServiceAccount
        name: default
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: artifactgc-default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: artifactgc
    subjects:
      - kind: ServiceAccount
        name: default
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: executor-default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: executor
    subjects:
      - kind: ServiceAccount
        name: default
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: workflow-manager-default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: workflow-manager
    subjects:
      - kind: ServiceAccount
        name: default
  3. Deploy the YAML configuration file to apply the authorization.

    kubectl apply -f role-rolebinding.yaml -n test

    Expected output:

    role.rbac.authorization.k8s.io/agent created
    role.rbac.authorization.k8s.io/artifactgc created
    role.rbac.authorization.k8s.io/executor created
    role.rbac.authorization.k8s.io/submit-workflow-template created
    role.rbac.authorization.k8s.io/workflow-manager created
    rolebinding.rbac.authorization.k8s.io/agent-default created
    rolebinding.rbac.authorization.k8s.io/artifactgc-default created
    rolebinding.rbac.authorization.k8s.io/executor-default created
    rolebinding.rbac.authorization.k8s.io/workflow-manager-default created
  4. Use the following YAML template to create a file named helloworld-workflow.yaml, which creates a sample application:

    apiVersion: argoproj.io/v1alpha1
    kind: Workflow                # Defines a new Kubernetes resource type for Argo Workflows.
    metadata:
      generateName: hello-world-  # The prefix for the workflow name. Kubernetes will append a unique suffix.
    spec:
      entrypoint: main            # Specifies the template to execute first.
      templates:
        - name: main              # The name of the template.
          container:
            image: mirrors-ssl.aliyuncs.com/busybox:latest
            command: [ echo ]
            args: [ "hello world" ]
  5. Run the following command to submit the workflow to the test namespace:

    argo submit helloworld-workflow.yaml -n test
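
A check to run after step 3, as an added example that is not part of the original documentation: it uses `kubectl auth can-i` with impersonation to confirm that the default service account in test holds the permissions from the bound Roles and is denied a few probes outside them. The `KUBECTL` and `NS` variables, the script name and the three "no" probes are assumptions of this example.

```shell
#!/bin/sh
# Added example: check that the RBAC from step 3 gives the default service
# account in "test" what the bound Roles list, and nothing outside them.
KUBECTL="${KUBECTL:-kubectl}"   # assumption: overridable so a stub can be used
NS="${NS:-test}"

# Columns: expected namespace verb resource subresource ("-" = none).
# "yes" rows mirror the Roles bound to "default" in role-rolebinding.yaml;
# "no" rows are constructed isolation probes, not taken from the page.
checks() {
  cat <<EOF
yes $NS list workflowtasksets.argoproj.io -
yes $NS patch workflowtasksets.argoproj.io status
yes $NS list workflowartifactgctasks.argoproj.io -
yes $NS patch workflowartifactgctasks.argoproj.io status
yes $NS create workflowtaskresults.argoproj.io -
yes $NS create workflows.argoproj.io -
yes $NS get workflows.argoproj.io -
no $NS delete workflows.argoproj.io -
no $NS get secrets -
no argo create workflows.argoproj.io -
EOF
}

# Print "yes" or "no" for one action, impersonating the service account.
can_i() {  # args: namespace verb resource subresource
  sub=""; [ "$4" = "-" ] || sub=$4
  if $KUBECTL auth can-i "$2" "$3" ${sub:+--subresource="$sub"} -n "$1" \
       --as="system:serviceaccount:${NS}:default" </dev/null >/dev/null 2>&1
  then echo yes; else echo no; fi
}

# Run every check, print mismatches, set MISMATCHES, return 1 if any.
audit() {
  MISMATCHES=0
  while read -r want ns verb res sub; do
    got=$(can_i "$ns" "$verb" "$res" "$sub")
    if [ "$got" != "$want" ]; then
      echo "MISMATCH: $verb $res ($sub) in $ns: want=$want got=$got"
      MISMATCHES=$((MISMATCHES + 1))
    fi
  done <<EOF
$(checks)
EOF
  [ "$MISMATCHES" -eq 0 ]
}

# Queries the current kubeconfig context only when invoked as: sh rbac-check.sh run
if [ "${1:-}" = "run" ]; then audit; fi
```

The caller needs permission to impersonate service accounts, and an unreachable API server is reported as `no`, so rule out connectivity before treating a `no` on a granted row as an RBAC problem.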