I installed the default helm chart of Argo Workflow with only configuring init.serviceAccount as argo-sa, which I have created. (ServiceAccount with enough authorization)
However, running every Workflow runs as serviceaccount Default, which I can’t figure out where the setting is configured.
According to the README provided by Argo Helm Chart, specifying init.serviceAccount as the serviceaccount which I have created should solved the problem.
The workaround is to modify the Default serviceaccount, but it seems that it's not a great solution.
Is there anything that I understood incorrectly ? Thanks in advance.
Asked
Active
Viewed 6,843 times
6
crenshaw-dev
- 7,504
- 3
- 45
- 81
Piljae Chae
- 987
- 10
- 23
1 Answers
17
The Argo installation does not control which ServiceAccount Workflows use. According to the Argo docs,
When no ServiceAccount is provided [when the Workflow is submitted], Argo will use the default ServiceAccount from the namespace from which it is run, which will almost always have insufficient privileges by default.
If you are using the Argo CLI to submit Workflows, you can specify the ServiceAccount with --serviceaccount.
If you are using kubectl apply or some other tool to install Workflows, you can set the ServiceAccount name in the yaml definition. See an example from the documentation, or this abbreviated example:
apiVersion: argoproj.io/v1alpha1
kind: Workflow
spec:
serviceAccountName: some-serviceaccount
As a convenience, the Argo Helm chart provides a way to create a ServiceAccount with which to run your Workflows. But it does not actually cause your Workflows to use that ServiceAccount. You have to specify it when you submit the Workflow.
serviceAccount:
create: false # Specifies whether a service account should be created
annotations: {}
name: "argo-workflow" # Service account which is used to run workflows
rbac:
create: false # adds Role and RoleBinding for the above specified service account to be able to run workflows
crenshaw-dev
- 7,504
- 3
- 45
- 81
-
This was super helpful. Thanks Michael! – Piljae Chae Nov 21 '20 at 14:35
-
@IHateMint you bet! – crenshaw-dev Nov 21 '20 at 14:35
-
I am using a script template in my workflow. When I specify the `serviceAccountName` in the workflow spec and execute the workflow I get, "error looking up service account default/argo: serviceaccount". I know that argo service account exists in argo namespace. Why can't the workflow find it? – SSF Feb 18 '21 at 23:47
-
1@SSF I wonder if default/argo means it’s looking for the argo sa in the default namespace. Maybe try running the workflow in the argo namespace? – crenshaw-dev Feb 18 '21 at 23:49
-
Oh yes, my mistake. Thanks @MichaelCrenshaw – SSF Feb 19 '21 at 00:13
-
One solution is to create a RoleBinding between the default service account in the namespace, and the corresponding argo workflow Role. – e741af0d41bc74bf854041f1fbdbf Mar 15 '23 at 08:15