By default, workflows are submitted to the argo namespace. To submit workflows to a different namespace — for resource isolation and access control between teams or projects — grant the required Role-Based Access Control (RBAC) permissions to the namespace's ServiceAccount first.
Prerequisites
Before you begin, ensure that you have:
- A running Argo Workflows installation on your cluster
- `kubectl` access with permissions to create namespaces and RBAC resources
- The `argo` CLI installed
Grant permissions and submit a workflow
Step 1: Create the target namespace
```shell
kubectl create ns test
```
Step 2: Create the RBAC authorization file
Create a file named role-rolebinding.yaml with the following content.
This example grants permissions to the `default` ServiceAccount. If your workflow specifies a different ServiceAccount, grant permissions to that ServiceAccount instead. RoleBindings are namespace-scoped, so the permissions apply only within the namespace where they are created, which is why you apply this file to the `test` namespace in step 3.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    workflows.argoproj.io/description: |
      This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates.
      If <= v3.2 you must replace `workflowtasksets/status` with `patch workflowtasksets`.
  name: agent
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtasksets
    verbs:
      - list
      - watch
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtasksets/status
    verbs:
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    workflows.argoproj.io/description: |
      This is the minimum recommended permissions needed if you want to use artifact GC.
  name: artifactgc
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflowartifactgctasks
    verbs:
      - list
      - watch
  - apiGroups:
      - argoproj.io
    resources:
      - workflowartifactgctasks/status
    verbs:
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    workflows.argoproj.io/description: |
      Recommended minimum permissions for the `emissary` executor.
  name: executor
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtaskresults
    verbs:
      - create
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: submit-workflow-template
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workfloweventbindings
    verbs:
      - list
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtemplates
    verbs:
      - get
  - apiGroups:
      - argoproj.io
    resources:
      - workflows
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    workflows.argoproj.io/description: |
      This is an example of the permissions you would need if you wanted to use a resource template to create and manage
      other workflows. The same pattern would be suitable for other resources, e.g. a service
  name: workflow-manager
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflows
    verbs:
      - create
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: agent-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: agent
subjects:
  - kind: ServiceAccount
    name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: artifactgc-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: artifactgc
subjects:
  - kind: ServiceAccount
    name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: executor-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: executor
subjects:
  - kind: ServiceAccount
    name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: workflow-manager-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: workflow-manager
subjects:
  - kind: ServiceAccount
    name: default
```
The file defines five Roles and four RoleBindings. Start with the `executor` role; it is the minimum required for any workflow to run. Add the remaining roles only for the features you use:
| Role | Required for | Resources |
|---|---|---|
| executor | Minimum for the emissary executor | workflowtaskresults (create, patch) |
| agent | HTTP templates and plugin templates | workflowtasksets (list, watch); workflowtasksets/status (patch) |
| artifactgc | Artifact garbage collection | workflowartifactgctasks (list, watch); workflowartifactgctasks/status (patch) |
| submit-workflow-template | Submitting workflows from WorkflowTemplates | workfloweventbindings (list); workflowtemplates (get); workflows (create) |
| workflow-manager | Creating and managing workflows from resource templates | workflows (create, get) |
Step 3: Apply the authorization file
Apply the file to the test namespace to create the Roles and RoleBindings there:
```shell
kubectl apply -f role-rolebinding.yaml -n test
```
The expected output is:
```
role.rbac.authorization.k8s.io/agent created
role.rbac.authorization.k8s.io/artifactgc created
role.rbac.authorization.k8s.io/executor created
role.rbac.authorization.k8s.io/submit-workflow-template created
role.rbac.authorization.k8s.io/workflow-manager created
rolebinding.rbac.authorization.k8s.io/agent-default created
rolebinding.rbac.authorization.k8s.io/artifactgc-default created
rolebinding.rbac.authorization.k8s.io/executor-default created
rolebinding.rbac.authorization.k8s.io/workflow-manager-default created
```
Step 4: Create a workflow definition
Create a file named helloworld-workflow.yaml:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Workflow                  # new type of k8s spec.
metadata:
  generateName: hello-world-    # name of the workflow spec.
spec:
  entrypoint: main              # invoke the main template.
  templates:
    - name: main                # name of the template.
      container:
        image: mirrors-ssl.aliyuncs.com/busybox:latest
        command: [ echo ]
        args: [ "hello world" ]
```
Step 5: Submit the workflow to the target namespace
```shell
argo submit helloworld-workflow.yaml -n test
```
The workflow runs in the `test` namespace using the permissions granted in step 3.
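To confirm what the `default` ServiceAccount in `test` can actually do after step 3, the following added example (not part of the original page or of Argo Workflows) computes its effective permissions from a Role/RoleBinding list shaped like the output of `kubectl get role,rolebinding -n test -o json`. The sample data is constructed to mirror the manifest from step 2; `role`, `binding` and `audit` are names chosen for this example.

```python
def role(name, *rules):
    """Build a Role in namespace `test`, shaped like `kubectl get -o json` output."""
    return {"kind": "Role", "metadata": {"name": name, "namespace": "test"},
            "rules": [{"apiGroups": ["argoproj.io"], "resources": [res], "verbs": verbs}
                      for res, verbs in rules]}

def binding(role_name):
    """Bind a Role to ServiceAccount `default`; the subject has no namespace field."""
    return {"kind": "RoleBinding",
            "metadata": {"name": role_name + "-default", "namespace": "test"},
            "roleRef": {"kind": "Role", "name": role_name},
            "subjects": [{"kind": "ServiceAccount", "name": "default"}]}

# Constructed sample mirroring the page's manifest after `kubectl apply -n test`.
SAMPLE = {"kind": "List", "items": [
    role("executor", ("workflowtaskresults", ["create", "patch"])),
    role("agent", ("workflowtasksets", ["list", "watch"]),
         ("workflowtasksets/status", ["patch"])),
    role("artifactgc", ("workflowartifactgctasks", ["list", "watch"]),
         ("workflowartifactgctasks/status", ["patch"])),
    role("submit-workflow-template", ("workfloweventbindings", ["list"]),
         ("workflowtemplates", ["get"]), ("workflows", ["create"])),
    role("workflow-manager", ("workflows", ["create", "get"])),
    binding("executor"), binding("agent"), binding("artifactgc"),
    binding("workflow-manager")]}

def audit(doc, namespace, sa):
    """Return (granted {(resource, verb)}, Roles that no RoleBinding references)."""
    items = [i for i in doc["items"] if i["metadata"].get("namespace") == namespace]
    roles = {i["metadata"]["name"]: i for i in items if i["kind"] == "Role"}
    granted, referenced = set(), set()
    for b in (i for i in items if i["kind"] == "RoleBinding"):
        if b["roleRef"]["kind"] != "Role":
            continue  # bindings to a ClusterRole are not resolved in this example
        referenced.add(b["roleRef"]["name"])
        for s in b.get("subjects") or []:
            # A ServiceAccount subject without a namespace resolves to the binding's own.
            who = (s["kind"], s["name"], s.get("namespace") or namespace)
            if who != ("ServiceAccount", sa, namespace):
                continue
            for rule in roles.get(b["roleRef"]["name"], {}).get("rules") or []:
                granted |= {(r, v) for r in rule["resources"] for v in rule["verbs"]}
    return granted, sorted(set(roles) - referenced)

if __name__ == "__main__":
    granted, unbound = audit(SAMPLE, "test", "default")
    for res, verb in sorted(granted):
        print(f"{verb:6} {res}")
    print("Roles without a RoleBinding:", unbound)
```

On the sample, `submit-workflow-template` is reported as a Role that no RoleBinding references, so the `default` ServiceAccount cannot `get` WorkflowTemplates until a binding for that Role is added. Against a live cluster, `kubectl auth can-i --list --as=system:serviceaccount:test:default -n test` gives the API server's own answer.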