Tags: kubernetes, kubernetes-helm, argo-workflows, argoproj

Argo Workflow always using default serviceaccount


I installed the default helm chart of Argo Workflow with only configuring init.serviceAccount as argo-sa, which I have created. (ServiceAccount with enough authorization) However, running every Workflow runs as serviceaccount Default, which I can’t figure out where the setting is configured. According to the README provided by Argo Helm Chart, specifying init.serviceAccount as the serviceaccount which I have created should solve the problem. The workaround is to modify the Default serviceaccount, but it seems that it's not a great solution. Is there anything that I understood incorrectly? Thanks in advance.


Solution

  • The Argo installation does not control which ServiceAccount Workflows use. According to the Argo docs,

    When no ServiceAccount is provided [when the Workflow is submitted], Argo will use the default ServiceAccount from the namespace from which it is run, which will almost always have insufficient privileges by default.

    If you are using the Argo CLI to submit Workflows, you can specify the ServiceAccount with --serviceaccount.

    If you are using kubectl apply or some other tool to install Workflows, you can set the ServiceAccount name in the yaml definition. See an example from the documentation, or this abbreviated example:

    apiVersion: argoproj.io/v1alpha1
    kind: Workflow
    spec:
      serviceAccountName: some-serviceaccount
    

    As a convenience, the Argo Helm chart provides a way to create a ServiceAccount with which to run your Workflows. But it does not actually cause your Workflows to use that ServiceAccount. You have to specify it when you submit the Workflow.

      serviceAccount:
        create: false  # Specifies whether a service account should be created
        annotations: {}
        name: "argo-workflow"  # Service account which is used to run workflows
      rbac:
        create: false  # adds Role and RoleBinding for the above specified service account to be able to run workflows
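
The setup the answer describes, written out as an added example (not part of the original answer or the Argo project's own manifests): a dedicated ServiceAccount with a narrowly scoped Role, and a Workflow that names it explicitly instead of widening the permissions of `default`. The namespace `argo`, the Role and RoleBinding names, the workflow name and the image are assumptions; the Role rule assumes Argo Workflows v3.4 or later, so check the executor RBAC documented for your version.

```yaml
# Added example. Names other than "argo-sa" (from the question) are assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argo-sa
  namespace: argo
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: workflow-executor        # hypothetical name
  namespace: argo
rules:
  # Assumed executor minimum for Argo Workflows v3.4+ (reporting task results).
  # Grant anything else only if the workflow's own steps call the Kubernetes API.
  - apiGroups: ["argoproj.io"]
    resources: ["workflowtaskresults"]
    verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argo-sa-workflow-executor  # hypothetical name
  namespace: argo
subjects:
  - kind: ServiceAccount
    name: argo-sa
    namespace: argo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: workflow-executor
---
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  name: sa-demo                  # hypothetical name
  namespace: argo
spec:
  serviceAccountName: argo-sa    # omit this and the pods run as "default"
  entrypoint: main
  templates:
    - name: main
      container:
        image: busybox:1.36      # assumed image
        command: [sh, -c]
        args: ["echo running with a dedicated ServiceAccount"]
```

To confirm which identity the pods actually received, read it back with `kubectl get pods -n argo -l workflows.argoproj.io/workflow=sa-demo -o jsonpath='{.items[*].spec.serviceAccountName}'`.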