To high access level RBAC needed to start workflow with TemplateRef

[holotrack]

Summary

Right now when we have workflowtemplate with reference to another workflowTemplate/clusterWorkflowTemplate we need to give access to user to all of them. In our case we want developers only can execute main workflowTemplate without giving access to lower level template which are more generic and can do something we dont want be executed by user. Lower level templates should be included with workflow service account not with user service account privileges.

Use Cases

EG When we have such template in workflow:

####CUT####
 templates:
    - name: pipeline
      inputs:
        parameters:
          - name: cluster
          - name: environment
      dag:
        tasks:
          - name: mysql-restart
            templateRef:
              clusterScope: true
              name: db-restart-atomic
              template: restart
            arguments:
              parameters:
              - name: resource
                value: "mysql"
              - name: kind
                value: StatefulSet
              - name: cluster
                value: "{{inputs.parameters.cluster}}"
              - name: environment
                value: "team1"

We want to developers use/create only their high level workflows, which will restart DB only for their team/cluster (team1 environment) not for others, what is available with more generic low level template. Right now to create workflow devs need "Create", "list", "Get" access to all workflowTemplates/clusterWorkflowTemplates used in template including refered ones, not only to higher one. It could be good lower level templates will be included with service account of pod not during start with devs user account. That will make configuration of RBAC more flexible without forcing accesses which user/account dont need.

Message from the maintainers:

Love this enhancement proposal? Give it a 👍. We prioritise the proposals with the most 👍.

[agilgur5]

Ah I think this a follow-up to this Slack thread, if I understand correctly.

Right now to create workflow devs need "Create", "list", "Get" access to all workflowTemplates/clusterWorkflowTemplates used in template including refered ones, not only to higher one.

I'm not sure if this entirely solves your problem, but you can use resourceNames on your RBAC to limit which WorkflowTemplates are accessible. I don't think you need create either.

But yes, if I'm understanding correctly, you have to be able to retrieve all used WorkflowTemplates.

It could be good lower level templates will be included with service account of pod not during start with devs user account.

I'm not sure this would even be possible: the Pod needs to start in order to use its SA, but you wouldn't know to start the Pod without knowing the shape of the Workflow.
Run-time things like this also tend to confuse users (and contributors too as the behavior is harder to reason about) as they can't be statically analyzed.

[holotrack]

Thanks for reply. In that case are you planing to implemnent own workflows RBACs? eg like argocd have?

[agilgur5]

There is an open feature request for Casbin RBAC: #6490.

But that wouldn't solve this problem, which is why I didn't mention it. As I wrote above, templateRefs have to be retrieved before the Workflow runs, otherwise there is a chicken-and-egg problem.

[agilgur5]

Closing as stale since this is not quite possible as requested due to a chicken-and-egg problem per above.