From 65b369e78fbdccd7d5c286e9e3ddc2da35201122 Mon Sep 17 00:00:00 2001
From: Derek Wang <whynowy@gmail.com>
Date: Mon, 12 Apr 2021 09:48:19 -0700
Subject: [PATCH] chore: Clean up unnecessary privileges for argo-events-sa
 (#1175)

Signed-off-by: Derek Wang <whynowy@gmail.com>
---
 docs/concepts/event_source.md                 |  10 +-
 docs/eventsources/ha.md                       |   4 +-
 docs/eventsources/setup/nats.md               |   1 -
 docs/index.md                                 |  54 ++++----
 docs/sensors/ha.md                            |   6 +-
 .../triggers/build-your-own-trigger.md        |   7 --
 docs/sensors/triggers/http-trigger.md         |   4 -
 docs/sensors/triggers/k8s-object-trigger.md   |   2 +-
 docs/service-accounts.md                      |   2 +-
 docs/tutorials/01-introduction.md             | 108 +++++++++-------
 docs/tutorials/04-standard-k8s-resources.md   | 118 +++++++++++-------
 examples/README.md                            |  83 ++++++++++++
 examples/event-sources/resource.yaml          |   2 +-
 examples/sensors/amqp.yaml                    |   2 +-
 examples/sensors/aws-sns.yaml                 |   2 +-
 examples/sensors/aws-sqs.yaml                 |   3 +-
 examples/sensors/azure-events-hub.yaml        |   2 +-
 examples/sensors/calendar.yaml                |   2 +-
 .../complete-trigger-parameterization.yaml    |   2 +-
 examples/sensors/context-filter-webhook.yaml  |   2 +-
 examples/sensors/custom-trigger.yaml          |   2 -
 .../data-filter-comparator-webhook.yaml       |   2 +-
 .../sensors/data-filter-value-webhook.yaml    |   2 +-
 examples/sensors/data-filter-webhook.yaml     |   2 +-
 examples/sensors/dependencies-conditions.yaml |   2 +-
 examples/sensors/emitter.yaml                 |   2 +-
 examples/sensors/file.yaml                    |   2 +-
 examples/sensors/gcp-pubsub.yaml              |   2 +-
 examples/sensors/github.yaml                  |   2 +-
 examples/sensors/gitlab.yaml                  |   3 +-
 examples/sensors/hdfs.yaml                    |   2 +-
 examples/sensors/kafka.yaml                   |   2 +-
 examples/sensors/minio.yaml                   |   2 +-
 examples/sensors/mqtt-sensor.yaml             |   2 +-
 examples/sensors/multi-dependencies.yaml      |   2 +-
 examples/sensors/multi-trigger-sensor.yaml    |   2 +-
 examples/sensors/nats.yaml                    |   2 +-
 examples/sensors/nsq.yaml                     |   2 +-
 examples/sensors/pulsar.yaml                  |   2 +-
 examples/sensors/redis.yaml                   |   5 +-
 examples/sensors/resource.yaml                |   2 +-
 examples/sensors/slack-trigger.yaml           |   2 -
 examples/sensors/slack.yaml                   |   2 +-
 .../sensors/special-workflow-trigger.yaml     |   3 +-
 examples/sensors/storage-grid.yaml            |   3 +-
 examples/sensors/stripe.yaml                  |   2 +-
 examples/sensors/time-filter-webhook.yaml     |   2 +-
 .../sensors/trigger-source-configmap.yaml     |   2 +-
 examples/sensors/trigger-source-file.yaml     |   2 +-
 examples/sensors/trigger-source-git.yaml      |   2 +-
 .../trigger-standard-k8s-resource.yaml        |   2 +-
 examples/sensors/trigger-with-policy.yaml     |   2 +-
 examples/sensors/trigger-with-template.yaml   |   3 +-
 examples/sensors/url-sensor.yaml              |   2 +-
 examples/sensors/webhook.yaml                 |   3 +-
 .../02-parameterization/sensor-01.yaml        |   3 +-
 .../02-parameterization/sensor-02.yaml        |   3 +-
 .../02-parameterization/sensor-03.yaml        |   3 +-
 .../02-parameterization/sensor-04.yaml        |   3 +-
 .../02-parameterization/sensor-05.yaml        |   3 +-
 .../03-trigger-sources/sensor-cm.yaml         |   2 +-
 .../03-trigger-sources/sensor-git.yaml        |   2 +-
 .../03-trigger-sources/sensor-minio.yaml      |   2 +-
 .../sensor-deployment.yaml                    |   4 +-
 .../04-standard-k8s-resources/sensor-pod.yaml |   3 +-
 .../06-trigger-conditions/sensor-01.yaml      |   4 +-
 .../06-trigger-conditions/sensor-02.yaml      |   3 +-
 .../07-filters/sensor-context-filter.yaml     |   3 +-
 .../07-filters/sensor-data-filters.yaml       |   3 +-
 .../09-http-trigger/http-server.yaml          |   1 -
 .../10-aws-lambda-trigger/sensor.yaml         |   3 -
 .../rbac/argo-events-cluster-role.yaml        |  35 ------
 manifests/install.yaml                        |  35 ------
 manifests/namespace-install.yaml              |  21 ----
 .../rbac/argo-events-role.yaml                |  21 ----
 75 files changed, 313 insertions(+), 338 deletions(-)
 create mode 100644 examples/README.md

diff --git a/docs/concepts/event_source.md b/docs/concepts/event_source.md
index 62e2aff2c51d..f203cc79d748 100644
--- a/docs/concepts/event_source.md
+++ b/docs/concepts/event_source.md
@@ -10,22 +10,24 @@ Available event-sources:
 1. AWS SQS
 1. Azure Events Hub
 1. Cron Schedules
+1. Emitter
+1. File Based Events
 1. GCP PubSub
+1. Generic EventSource
 1. GitHub
 1. GitLab
 1. HDFS
-1. File Based Events
+1. K8s Resources
 1. Kafka
 1. Minio
-1. NATS
 1. MQTT
-1. K8s Resources
+1. NATS
+1. Pulsar
 1. Slack
 1. NetApp StorageGrid
 1. Webhooks
 1. Stripe
 1. NSQ
-1. Emitter
 1. Redis
 
 
diff --git a/docs/eventsources/ha.md b/docs/eventsources/ha.md
index dde7cc56da71..64c2a1254230 100644
--- a/docs/eventsources/ha.md
+++ b/docs/eventsources/ha.md
@@ -53,5 +53,5 @@ old one is gone.
 
 ## More
 
-Check [this](../dr_ha_recommendations.md) out to learn more information about
-DR/HA.
+Click [here](../dr_ha_recommendations.md) to learn more information about Argo
+Events DR/HA recommendations.
diff --git a/docs/eventsources/setup/nats.md b/docs/eventsources/setup/nats.md
index 6611b3f655cb..cd17f750b598 100644
--- a/docs/eventsources/setup/nats.md
+++ b/docs/eventsources/setup/nats.md
@@ -65,7 +65,6 @@ NATS event-source specification is available [here](https://github.com/argoproj/
               labels:
                 component: nats
             spec:
-              serviceAccountName: argo-events-sa
               containers:
               - name: nats
                 image: nats:latest
diff --git a/docs/index.md b/docs/index.md
index d14ead02519e..d6d9032a07e6 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -2,9 +2,10 @@
 
 ## What is Argo Events?
 
-**Argo Events** is an event-driven workflow automation framework for Kubernetes 
-which helps you trigger K8s objects, Argo Workflows, Serverless workloads, etc. 
-on events from variety of sources like webhook, s3, schedules, messaging queues, gcp pubsub, sns, sqs, etc.
+**Argo Events** is an event-driven workflow automation framework for Kubernetes
+which helps you trigger K8s objects, Argo Workflows, Serverless workloads, etc.
+on events from variety of sources like webhook, s3, schedules, messaging queues,
+gcp pubsub, sns, sqs, etc.
 
 <br/>
 <br/>
@@ -17,20 +18,24 @@ on events from variety of sources like webhook, s3, schedules, messaging queues,
 
 ## Features
 
-* Supports events from 20+ event sources.
-* Ability to customize business-level constraint logic for workflow automation.
-* Manage everything from simple, linear, real-time to complex, multi-source events.
-* Supports Kubernetes Objects, Argo Workflow, AWS Lambda, Serverless, etc. as triggers.
-* [CloudEvents](https://cloudevents.io/) compliant.
+- Supports events from 20+ event sources.
+- Ability to customize business-level constraint logic for workflow automation.
+- Manage everything from simple, linear, real-time to complex, multi-source
+  events.
+- Supports Kubernetes Objects, Argo Workflow, AWS Lambda, Serverless, etc. as
+  triggers.
+- [CloudEvents](https://cloudevents.io/) compliant.
 
 ## Getting Started
-Follow these [instruction](https://argoproj.github.io/argo-events/installation/) to set up Argo Events.
+
+Follow these [instruction](https://argoproj.github.io/argo-events/installation/)
+to set up Argo Events.
 
 ## Documentation
 
 - [Concepts](https://argoproj.github.io/argo-events/concepts/architecture/).
 - [Argo Events in action](https://argoproj.github.io/argo-events/quick_start/).
-- [Deep dive into Argo Events](https://argoproj.github.io/argo-events/tutorials/01-introduction/).  
+- [Deep dive into Argo Events](https://argoproj.github.io/argo-events/tutorials/01-introduction/).
 
 ## Triggers
 
@@ -41,30 +46,29 @@ Follow these [instruction](https://argoproj.github.io/argo-events/installation/)
 1. NATS Messages
 1. Kafka Messages
 1. Slack Notifications
+1. Azure Event Hubs Messages
 1. Argo Rollouts
 1. Custom Trigger / Build Your Own Trigger
 1. Apache OpenWhisk
-
+1. Log Trigger
 
 ## Event Sources
 
-Argo-Events supports 20+ event sources. The complete list of event sources is available [here](https://argoproj.github.io/argo-events/concepts/event_source/).
+Argo Events supports 20+ event sources. The complete list of event sources is
+available [here](https://argoproj.github.io/argo-events/concepts/event_source/).
 
 ## Who uses Argo Events?
-Organizations below are **officially** using Argo Events. Please send a PR with your organization name if you are using Argo Events.
 
-1. [BioBox Analytics](https://biobox.io)
-1. [BlackRock](https://www.blackrock.com/)
-1. [Canva](https://www.canva.com/)
-1. [Fairwinds](https://fairwinds.com/)
-1. [InsideBoard](https://www.insideboard.com)
-1. [Intuit](https://www.intuit.com/)
-1. [Viaduct](https://www.viaduct.ai/)
+Check the [list](https://github.com/argoproj/argo-events/blob/master/USERS.md)
+to see who are **officially** using Argo Events. Please send a PR with your
+organization name if you are using Argo Events.
 
 ## Community Blogs and Presentations
 
-* [Automation of Everything - How To Combine Argo Events, Workflows & Pipelines, CD, and Rollouts](https://youtu.be/XNXJtxkUKeY)
-* [Argo Events - Event-Based Dependency Manager for Kubernetes](https://youtu.be/sUPkGChvD54)
-* [Automating Research Workflows at BlackRock](https://www.youtube.com/watch?v=ZK510prml8o)
-* [Designing A Complete CI/CD Pipeline CI/CD Pipeline Using Argo Events, Workflows, and CD](https://www.slideshare.net/JulianMazzitelli/designing-a-complete-ci-cd-pipeline-using-argo-events-workflow-and-cd-products-228452500)
-* TGI Kubernetes with Joe Beda: [CloudEvents and Argo Events](https://www.youtube.com/watch?v=LQbBgQnUs_k&list=PL7bmigfV0EqQzxcNpmcdTJ9eFRPBe-iZa&index=2&t=0s)
+- [Automation of Everything - How To Combine Argo Events, Workflows & Pipelines, CD, and Rollouts](https://youtu.be/XNXJtxkUKeY)
+- [Argo Events - Event-Based Dependency Manager for Kubernetes](https://youtu.be/sUPkGChvD54)
+- [Argo Events Deep-dive](https://youtu.be/U4tCYcCK20w)
+- [Automating Research Workflows at BlackRock](https://www.youtube.com/watch?v=ZK510prml8o)
+- [Designing A Complete CI/CD Pipeline CI/CD Pipeline Using Argo Events, Workflows, and CD](https://www.slideshare.net/JulianMazzitelli/designing-a-complete-ci-cd-pipeline-using-argo-events-workflow-and-cd-products-228452500)
+- TGI Kubernetes with Joe Beda:
+  [CloudEvents and Argo Events](https://www.youtube.com/watch?v=LQbBgQnUs_k&list=PL7bmigfV0EqQzxcNpmcdTJ9eFRPBe-iZa&index=2&t=0s)
diff --git a/docs/sensors/ha.md b/docs/sensors/ha.md
index 3507344de656..9201a52f8988 100644
--- a/docs/sensors/ha.md
+++ b/docs/sensors/ha.md
@@ -9,7 +9,5 @@ elected to be active if the old one is gone.
 **Please DO NOT manually scale up the replicas, that might cause unexpected
 behaviors!**
 
-## More
-
-Check [this](../dr_ha_recommendations.md) out to learn more information about
-DR/HA.
+Click [here](../dr_ha_recommendations.md) to learn more information about Argo
+Events DR/HA recommendations.
diff --git a/docs/sensors/triggers/build-your-own-trigger.md b/docs/sensors/triggers/build-your-own-trigger.md
index a8a12f0e2ce2..15f11fc673d8 100644
--- a/docs/sensors/triggers/build-your-own-trigger.md
+++ b/docs/sensors/triggers/build-your-own-trigger.md
@@ -47,13 +47,6 @@ Let's look at the following sensor,
         metadata:
           name: webhook-sensor
         spec:
-          template:
-            spec:
-              containers:
-                - name: sensor
-                  image: metalgearsolid/sensor:v0.15.0
-                  imagePullPolicy: Always
-              serviceAccountName: argo-events-sa
           dependencies:
             - name: test-dep
               eventSourceName: webhook
diff --git a/docs/sensors/triggers/http-trigger.md b/docs/sensors/triggers/http-trigger.md
index 600be615ab95..53ce9da53e12 100644
--- a/docs/sensors/triggers/http-trigger.md
+++ b/docs/sensors/triggers/http-trigger.md
@@ -184,8 +184,6 @@ to invoke OpenFaas function.
         metadata:
           name: redis-sensor
         spec:
-          template:
-            serviceAccountName: argo-events-sa
           dependencies:
             - name: test-dep
               eventSourceName: redis
@@ -233,8 +231,6 @@ Similar to REST API calls, you can easily invoke Kubeless functions using HTTP t
         metadata:
           name: nats-sensor
         spec:
-          template:
-            serviceAccountName: argo-events-sa
           dependencies:
             - name: test-dep
               eventSourceName: nats
diff --git a/docs/sensors/triggers/k8s-object-trigger.md b/docs/sensors/triggers/k8s-object-trigger.md
index 2da31563cbb4..71359ba4061e 100644
--- a/docs/sensors/triggers/k8s-object-trigger.md
+++ b/docs/sensors/triggers/k8s-object-trigger.md
@@ -30,7 +30,7 @@ set up event-driven pipelines for existing workloads.
           name: webhook
         spec:
           template:
-            serviceAccountName: argo-events-sa
+            serviceAccountName: create-pod-sa # A service account has privileges to create a Pod
           dependencies:
             - name: test-dep
               eventSourceName: webhook
diff --git a/docs/service-accounts.md b/docs/service-accounts.md
index 49d13653ff40..9dfd008d78be 100644
--- a/docs/service-accounts.md
+++ b/docs/service-accounts.md
@@ -32,7 +32,7 @@ A `Service Account` also can be specified in a Sensor object via
 `spec.template.serviceAccountName`, this is only needed when `k8s` trigger or
 `argoWorkflow` trigger is defined in the Sensor object.
 
-The sensor examples provided by us use `argo-events-sa` service account to
+The sensor examples provided by us use `operate-workflow-sa` service account to
 execute the triggers, but it has more permissions than needed, and you may want
 to limit those privileges based on your use-case. It's always a good practice to
 create a service account with minimum privileges to execute it.
diff --git a/docs/tutorials/01-introduction.md b/docs/tutorials/01-introduction.md
index 9edaff5daeb6..17c995c9dd83 100644
--- a/docs/tutorials/01-introduction.md
+++ b/docs/tutorials/01-introduction.md
@@ -1,51 +1,63 @@
 # Introduction
 
-In the tutorials, we will cover every aspect of Argo Events and demonstrate how you 
-can leverage these features to build an event driven workflow pipeline. All the concepts you will learn
-in this tutorial and subsequent ones can be applied to any type of event-source.
+In the tutorials, we will cover every aspect of Argo Events and demonstrate how
+you can leverage these features to build an event driven workflow pipeline. All
+the concepts you will learn in this tutorial and subsequent ones can be applied
+to any type of event-source.
 
 ## Prerequisites
-* Follow the installation guide to set up the Argo Events. 
-* Make sure to configure Argo Workflow controller to listen to workflow objects
-created in `argo-events` namespace.
-* Make sure to read the concepts behind [eventbus](https://argoproj.github.io/argo-events/concepts/eventbus/),
-[sensor](https://argoproj.github.io/argo-events/concepts/sensor/),
-[event source](https://argoproj.github.io/argo-events/concepts/event_source/).
+
+- Follow the installation guide to set up the Argo Events.
+- Make sure to configure Argo Workflow controller to listen to workflow objects
+  created in `argo-events` namespace.
+- Make sure to read the concepts behind
+  [eventbus](https://argoproj.github.io/argo-events/concepts/eventbus/),
+  [sensor](https://argoproj.github.io/argo-events/concepts/sensor/),
+  [event source](https://argoproj.github.io/argo-events/concepts/event_source/).
+- Follow the
+  [instruction](https://github.com/argoproj/argo-events/tree/master/examples) to
+  create a Service Account `operate-workflow-sa` with proper privileges, and
+  make sure the Service Account used by Workflows (here we use `default` in the
+  turorials for demostration purpose) has proper RBAC settings.
 
 ## Get Started
 
-We are going to set up a sensor and event-source for webhook. The goal is to trigger an Argo workflow upon a HTTP Post request.
+We are going to set up a sensor and event-source for webhook. The goal is to
+trigger an Argo workflow upon a HTTP Post request.
 
-* Let' set up the eventbus,
+- Let' set up the eventbus,
 
         kubectl -n argo-events apply -f https://raw.githubusercontent.com/argoproj/argo-events/stable/examples/eventbus/native.yaml
 
-* Create the webhook event source.
+- Create the webhook event source.
 
         kubectl -n argo-events apply -f https://raw.githubusercontent.com/argoproj/argo-events/stable/examples/event-sources/webhook.yaml
 
-* Create the webhook sensor.
+- Create the webhook sensor.
 
         kubectl -n argo-events apply -f https://raw.githubusercontent.com/argoproj/argo-events/stable/examples/sensors/webhook.yaml
-  
-If the commands are executed successfully, the eventbus, event-source and sensor pods will get created. You will
-also notice that a service is created for the event-source. 
 
-* Expose the event-source pod via Ingress, OpenShift Route or port forward to consume requests over HTTP.
+If the commands are executed successfully, the eventbus, event-source and sensor
+pods will get created. You will also notice that a service is created for the
+event-source.
+
+- Expose the event-source pod via Ingress, OpenShift Route or port forward to
+  consume requests over HTTP.
 
         kubectl -n argo-events port-forward <event-source-pod-name> 12000:12000
 
-* Use either Curl or Postman to send a post request to the `http://localhost:12000/example`
+- Use either Curl or Postman to send a post request to the
+  `http://localhost:12000/example`
 
         curl -d '{"message":"this is my first webhook"}' -H "Content-Type: application/json" -X POST http://localhost:12000/example
 
-* Now, you should see an Argo workflow being created.
+- Now, you should see an Argo workflow being created.
 
         kubectl -n argo-events get wf
 
-* Make sure the workflow pod ran successfully.
+- Make sure the workflow pod ran successfully.
 
-        _________________________________________ 
+        _________________________________________
         / {"context":{"type":"webhook","specVersi \
         | on":"0.3","source":"webhook","e |
         | ventID":"38376665363064642d343336352d34 |
@@ -59,39 +71,41 @@ also notice that a service is created for the event-source.
         | FnZW50IjpbImN1cmwvNy41NC4wIl19LCJib2R5I |
         | jp7Im1lc3NhZ2UiOiJ0aGlzIGlzIG15IGZpcnN0 |
         \ IHdlYmhvb2sifX0="}                      /
-         ----------------------------------------- 
+         -----------------------------------------
             \
              \
-              \     
-                            ##        .            
-                      ## ## ##       ==            
-                   ## ## ## ##      ===            
-               /""""""""""""""""___/ ===        
-          ~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ /  ===- ~~~   
-               \______ o          __/            
-                \    \        __/             
-                  \____\______/   
-
-
-<b>Note:</b> You will see the message printed in the workflow logs contains both the event context
-and data, with data being base64 encoded. In later sections, we will see how to extract particular key-value
-from event context or data and pass it to the workflow as arguments.
+              \
+                            ##        .
+                      ## ## ##       ==
+                   ## ## ## ##      ===
+               /""""""""""""""""___/ ===
+          ~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ /  ===- ~~~
+               \______ o          __/
+                \    \        __/
+                  \____\______/
+
+<b>Note:</b> You will see the message printed in the workflow logs contains both
+the event context and data, with data being base64 encoded. In later sections,
+we will see how to extract particular key-value from event context or data and
+pass it to the workflow as arguments.
 
 ## Troubleshoot
 
 If you don't see the event-source and sensor pod in `argo-events` namespace,
 
-  1. Inspect the event-source
-    
-        kubectl -n argo-events get eventsource event-source-object-name -o yaml
+1. Inspect the event-source
+
+   kubectl -n argo-events get eventsource event-source-object-name -o yaml
+
+   Inspect the sensor,
 
-     Inspect the sensor,
+   kubectl -n argo-events get sensor sensor-object-name -o yaml
 
-        kubectl -n argo-events get sensor sensor-object-name -o yaml
+   and look for any errors within the `Status`.
 
-     and look for any errors within the `Status`.
-  2. Make sure the correct Role and RoleBindings are applied to the service account
-     and there are no errors in both event-source and sensor controller.
-  3. Check the logs of event-source and sensor controller. Make sure the controllers
-     have processed the event-source and sensor objects and there are no errors.
-  4. Raise an issue on GitHub or post a question on `argo-events` slack channel.
+2. Make sure the correct Role and RoleBindings are applied to the service
+   account and there are no errors in both event-source and sensor controller.
+3. Check the logs of event-source and sensor controller. Make sure the
+   controllers have processed the event-source and sensor objects and there are
+   no errors.
+4. Raise an issue on GitHub or post a question on `argo-events` slack channel.
diff --git a/docs/tutorials/04-standard-k8s-resources.md b/docs/tutorials/04-standard-k8s-resources.md
index 24d05d166211..55024a6f2893 100644
--- a/docs/tutorials/04-standard-k8s-resources.md
+++ b/docs/tutorials/04-standard-k8s-resources.md
@@ -1,39 +1,63 @@
 # Trigger Standard K8s Resources
-In the previous sections, you saw how to trigger the Argo workflows. In this tutorial, you 
-will see how to trigger Pod and Deployment. 
+
+In the previous sections, you saw how to trigger the Argo workflows. In this
+tutorial, you will see how to trigger Pod and Deployment.
 
 **Note:** You can trigger any standard Kubernetes object.
 
-Having the ability to trigger standard Kubernetes resources is quite powerful as provides an avenue to
-set up pipelines for existing workloads.
+Having the ability to trigger standard Kubernetes resources is quite powerful as
+provides an avenue to set up pipelines for existing workloads.
 
 ## Prerequisites
 
-1. Make sure that `argo-events-sa` service account has necessary permissions to 
-create the Kubernetes resource of your choice.
-2. The `Webhook` event-source is already set up.
+1.  Make sure that the service account used by the Sensor has necessary
+    permissions to create the Kubernetes resource of your choice. We use
+    `k8s-resource-sa` for below examples, it should be bound to a Role like
+    following.
+
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: Role
+        metadata:
+          name: create-deploy-pod-role
+        rules:
+          - apiGroups:
+              - ""
+            resources:
+              - pods
+            verbs:
+              - create
+          - apiGroups:
+              - apps
+            resources:
+              - deployments
+            verbs:
+              - create
+
+2.  The `Webhook` event-source is already set up.
 
 ## Pod
 
-1. Create a sensor with K8s trigger. Pay close attention to the `group`, `version` and `kind`
-   keys within the trigger resource. These keys determine the type of kubernetes object.
-   
-   You will notice that the `group` key is empty, that means we want to use `core` group.
-   For any other groups, you need to specify the `group` key.
+1.  Create a sensor with K8s trigger. Pay close attention to the `group`,
+    `version` and `kind` keys within the trigger resource. These keys determine
+    the type of kubernetes object.
+
+    You will notice that the `group` key is empty, that means we want to use
+    `core` group. For any other groups, you need to specify the `group` key.
 
-        kubectl -n argo-events apply -f https://raw.githubusercontent.com/argoproj/argo-events/stable/examples/tutorials/04-standard-k8s-resources/sensor-pod.yaml
+         kubectl -n argo-events apply -f https://raw.githubusercontent.com/argoproj/argo-events/stable/examples/tutorials/04-standard-k8s-resources/sensor-pod.yaml
 
-2. Use either Curl or Postman to send a post request to the `http://localhost:12000/example`
+2.  Use either Curl or Postman to send a post request to the
+    `http://localhost:12000/example`
 
         curl -d '{"message":"ok"}' -H "Content-Type: application/json" -X POST http://localhost:12000/example
-   
-3. Now, you should see a pod being created.
+
+3.  Now, you should see a pod being created.
 
         kubectl -n argo-events get po
-  
-  Output
 
-        _________________________________________ 
+Output
+
+        _________________________________________
         / {"context":{"type":"webhook","specVersi \
         | on":"0.3","source":"webhook","e |
         | ventID":"30306463666539362d346666642d34 |
@@ -46,35 +70,37 @@ create the Kubernetes resource of your choice.
         | iOlsiYXBwbGljYXRpb24vanNvbiJdLCJVc2VyLU |
         | FnZW50IjpbImN1cmwvNy41NC4wIl19LCJib2R5I |
         \ jp7Im1lc3NhZ2UiOiJoZXkhISJ9fQ=="}       /
-        ----------------------------------------- 
+        -----------------------------------------
           \
            \
-            \     
-                          ##        .            
-                    ## ## ##       ==            
-                 ## ## ## ##      ===            
-             /""""""""""""""""___/ ===        
-        ~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ /  ===- ~~~   
-             \______ o          __/            
-              \    \        __/             
-                \____\______/   
+            \
+                          ##        .
+                    ## ## ##       ==
+                 ## ## ## ##      ===
+             /""""""""""""""""___/ ===
+        ~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ /  ===- ~~~
+             \______ o          __/
+              \    \        __/
+                \____\______/
 
 ## Deployment
-1. Lets create a sensor with a K8s deployment as trigger.
+
+1.  Lets create a sensor with a K8s deployment as trigger.
 
         kubectl -n argo-events apply -f https://raw.githubusercontent.com/argoproj/argo-events/stable/examples/tutorials/04-standard-k8s-resources/sensor-deployment.yaml
 
-2. Use either Curl or Postman to send a post request to the `http://localhost:12000/example`
+2.  Use either Curl or Postman to send a post request to the
+    `http://localhost:12000/example`
 
         curl -d '{"message":"ok"}' -H "Content-Type: application/json" -X POST http://localhost:12000/example
-   
-3. Now, you should see a deployment being created. Get the corresponding pod.
+
+3.  Now, you should see a deployment being created. Get the corresponding pod.
 
         kubectl -n argo-events get deployments
 
-  Output
-        
-        _________________________________________ 
+Output
+
+        _________________________________________
         / {"context":{"type":"webhook","specVersi \
         | on":"0.3","source":"webhook","e |
         | ventID":"30306463666539362d346666642d34 |
@@ -87,15 +113,15 @@ create the Kubernetes resource of your choice.
         | iOlsiYXBwbGljYXRpb24vanNvbiJdLCJVc2VyLU |
         | FnZW50IjpbImN1cmwvNy41NC4wIl19LCJib2R5I |
         \ jp7Im1lc3NhZ2UiOiJoZXkhISJ9fQ=="}       /
-        ----------------------------------------- 
+        -----------------------------------------
           \
            \
-            \     
-                          ##        .            
-                    ## ## ##       ==            
-                 ## ## ## ##      ===            
-             /""""""""""""""""___/ ===        
-        ~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ /  ===- ~~~   
-             \______ o          __/            
-              \    \        __/             
-                \____\______/   
+            \
+                          ##        .
+                    ## ## ##       ==
+                 ## ## ## ##      ===
+             /""""""""""""""""___/ ===
+        ~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ /  ===- ~~~
+             \______ o          __/
+              \    \        __/
+                \____\______/
diff --git a/examples/README.md b/examples/README.md
new file mode 100644
index 000000000000..4127dfec31ad
--- /dev/null
+++ b/examples/README.md
@@ -0,0 +1,83 @@
+# Examples
+
+The examples demostrate how Argo Events works.
+
+To make the Sensors be able to trigger Workflows, a Service Account with RBAC
+settings as following is required (assume you run the examples in the namespace
+`argo-events`).
+
+```yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: argo-events
+  name: operate-workflow-sa
+---
+# Similarly you can use a ClusterRole and ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: operate-workflow-role
+  namespace: argo-events
+rules:
+  - apiGroups:
+      - argoproj.io
+    verbs:
+      - "*"
+    resources:
+      - workflows
+      - workflowtemplates
+      - cronworkflows
+      - clusterworkflowtemplates
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: operate-workflow-role-binding
+  namespace: argo-events
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: operate-workflow-role
+subjects:
+  - kind: ServiceAccount
+    name: operate-workflow-sa
+```
+
+To make the Workflow triggered by the Sensor work, you also need to give a
+Service Account with privileges to the Workflow (the examples use Service
+Account `default`), see the detail
+[here](https://github.com/argoproj/argo-workflows/blob/master/docs/service-accounts.md).
+A minimal Role to make Workflow work looks like following (check the
+[origin](https://github.com/argoproj/argo-workflows/blob/master/docs/workflow-rbac.md)):
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: workflow-role
+rules:
+  # pod get/watch is used to identify the container IDs of the current pod
+  # pod patch is used to annotate the step's outputs back to controller (e.g. artifact location)
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - watch
+      - patch
+  # logs get/watch are used to get the pods logs for script outputs, and for log archival
+  - apiGroups:
+      - ""
+    resources:
+      - pods/log
+    verbs:
+      - get
+      - watch
+```
+
+The Workflow triggered by the Sensor defaults to be in the same namespace as the
+Sensor, if you want to trigger it in a different namespace, simply give a
+`namespace` in the workflow metadata (in that case, a `ClusterRole` and
+`ClusterRoleBinding` are required for `operate-workflow-sa`).
diff --git a/examples/event-sources/resource.yaml b/examples/event-sources/resource.yaml
index 7602a9affb05..121efc73f19b 100644
--- a/examples/event-sources/resource.yaml
+++ b/examples/event-sources/resource.yaml
@@ -4,7 +4,7 @@ metadata:
   name: resource
 spec:
   template:
-    serviceAccountName: argo-events-sa # assign a service account with `get`, `list` and `watch` permissions on the resource being watched.
+    serviceAccountName: your-service-account # assign a service account with `get`, `list` and `watch` permissions on the resource being watched.
   resource:
     example:
       # namespace to listen events within
diff --git a/examples/sensors/amqp.yaml b/examples/sensors/amqp.yaml
index 5e585205f94a..a468d30a8b27 100644
--- a/examples/sensors/amqp.yaml
+++ b/examples/sensors/amqp.yaml
@@ -4,7 +4,7 @@ metadata:
   name: amqp
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: amqp
diff --git a/examples/sensors/aws-sns.yaml b/examples/sensors/aws-sns.yaml
index 0f9d2faacba6..9b46c6d8e0e2 100644
--- a/examples/sensors/aws-sns.yaml
+++ b/examples/sensors/aws-sns.yaml
@@ -4,7 +4,7 @@ metadata:
   name: aws-sns
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: aws-sns
diff --git a/examples/sensors/aws-sqs.yaml b/examples/sensors/aws-sqs.yaml
index 831331f8a63f..4000550a7b27 100644
--- a/examples/sensors/aws-sqs.yaml
+++ b/examples/sensors/aws-sqs.yaml
@@ -4,7 +4,7 @@ metadata:
   name: aws-sqs
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: aws-sqs
@@ -24,7 +24,6 @@ spec:
               metadata:
                 generateName: aws-sqs-workflow-
               spec:
-                serviceAccountName: argo-events-sa
                 entrypoint: whalesay
                 arguments:
                   parameters:
diff --git a/examples/sensors/azure-events-hub.yaml b/examples/sensors/azure-events-hub.yaml
index c9f8cfc79bb2..e4c4633f8859 100644
--- a/examples/sensors/azure-events-hub.yaml
+++ b/examples/sensors/azure-events-hub.yaml
@@ -4,7 +4,7 @@ metadata:
   name: azure-events-hub
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: azure-events-hub
diff --git a/examples/sensors/calendar.yaml b/examples/sensors/calendar.yaml
index f13eaedac494..7d03d2993dd7 100644
--- a/examples/sensors/calendar.yaml
+++ b/examples/sensors/calendar.yaml
@@ -4,7 +4,7 @@ metadata:
   name: calendar
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: calendar
diff --git a/examples/sensors/complete-trigger-parameterization.yaml b/examples/sensors/complete-trigger-parameterization.yaml
index 60b7332e1b71..1ebfc7346442 100644
--- a/examples/sensors/complete-trigger-parameterization.yaml
+++ b/examples/sensors/complete-trigger-parameterization.yaml
@@ -22,7 +22,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
diff --git a/examples/sensors/context-filter-webhook.yaml b/examples/sensors/context-filter-webhook.yaml
index 6562fb655477..1c9138129e14 100644
--- a/examples/sensors/context-filter-webhook.yaml
+++ b/examples/sensors/context-filter-webhook.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
diff --git a/examples/sensors/custom-trigger.yaml b/examples/sensors/custom-trigger.yaml
index 912da37e9752..0aaf51b51e30 100644
--- a/examples/sensors/custom-trigger.yaml
+++ b/examples/sensors/custom-trigger.yaml
@@ -3,8 +3,6 @@ kind: Sensor
 metadata:
   name: webhook
 spec:
-  template:
-    serviceAccountName: argo-events-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
diff --git a/examples/sensors/data-filter-comparator-webhook.yaml b/examples/sensors/data-filter-comparator-webhook.yaml
index 508096c5637e..22efdcd8a68f 100644
--- a/examples/sensors/data-filter-comparator-webhook.yaml
+++ b/examples/sensors/data-filter-comparator-webhook.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
diff --git a/examples/sensors/data-filter-value-webhook.yaml b/examples/sensors/data-filter-value-webhook.yaml
index 078e4b4f1a26..83ca63b03e27 100644
--- a/examples/sensors/data-filter-value-webhook.yaml
+++ b/examples/sensors/data-filter-value-webhook.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
diff --git a/examples/sensors/data-filter-webhook.yaml b/examples/sensors/data-filter-webhook.yaml
index 8e9951e1e026..a689a442a4fc 100644
--- a/examples/sensors/data-filter-webhook.yaml
+++ b/examples/sensors/data-filter-webhook.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
diff --git a/examples/sensors/dependencies-conditions.yaml b/examples/sensors/dependencies-conditions.yaml
index 71ea452fb199..fc24a22d067e 100644
--- a/examples/sensors/dependencies-conditions.yaml
+++ b/examples/sensors/dependencies-conditions.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   # defines list of all events sensor will accept
   dependencies:
     - name: test-dep
diff --git a/examples/sensors/emitter.yaml b/examples/sensors/emitter.yaml
index f06c8369e044..9d5bfbda574b 100644
--- a/examples/sensors/emitter.yaml
+++ b/examples/sensors/emitter.yaml
@@ -4,7 +4,7 @@ metadata:
   name: emitter
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: emitter
diff --git a/examples/sensors/file.yaml b/examples/sensors/file.yaml
index 045f2a6c2bbc..97e3734ad0ff 100644
--- a/examples/sensors/file.yaml
+++ b/examples/sensors/file.yaml
@@ -4,7 +4,7 @@ metadata:
   name: file
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: file
diff --git a/examples/sensors/gcp-pubsub.yaml b/examples/sensors/gcp-pubsub.yaml
index 56bf0354ddf3..d385fc9f9fa9 100644
--- a/examples/sensors/gcp-pubsub.yaml
+++ b/examples/sensors/gcp-pubsub.yaml
@@ -4,7 +4,7 @@ metadata:
   name: gcp-pubsub
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: gcp-pubsub
diff --git a/examples/sensors/github.yaml b/examples/sensors/github.yaml
index a68ba84da6b7..373b65f07208 100644
--- a/examples/sensors/github.yaml
+++ b/examples/sensors/github.yaml
@@ -4,7 +4,7 @@ metadata:
   name: github
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: github
diff --git a/examples/sensors/gitlab.yaml b/examples/sensors/gitlab.yaml
index 51ca07fd0212..fe109de15667 100644
--- a/examples/sensors/gitlab.yaml
+++ b/examples/sensors/gitlab.yaml
@@ -4,7 +4,7 @@ metadata:
   name: gitlab
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: gitlab
@@ -32,7 +32,6 @@ spec:
                     value: hello world
                 templates:
                 - name: whalesay
-                  serviceAccountName: argo-events-sa
                   inputs:
                     parameters:
                     - name: message
diff --git a/examples/sensors/hdfs.yaml b/examples/sensors/hdfs.yaml
index c81a555c0c37..3cb3824c4146 100644
--- a/examples/sensors/hdfs.yaml
+++ b/examples/sensors/hdfs.yaml
@@ -4,7 +4,7 @@ metadata:
   name: hdfs
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: hdfs
diff --git a/examples/sensors/kafka.yaml b/examples/sensors/kafka.yaml
index 16d989ecda07..3303a488ba2e 100644
--- a/examples/sensors/kafka.yaml
+++ b/examples/sensors/kafka.yaml
@@ -4,7 +4,7 @@ metadata:
   name: kafka
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: kafka
diff --git a/examples/sensors/minio.yaml b/examples/sensors/minio.yaml
index bb7c7bf545c6..86e9a4489a58 100644
--- a/examples/sensors/minio.yaml
+++ b/examples/sensors/minio.yaml
@@ -4,7 +4,7 @@ metadata:
   name: minio
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: minio
diff --git a/examples/sensors/mqtt-sensor.yaml b/examples/sensors/mqtt-sensor.yaml
index fd5d8fbe9a18..51cb400b7573 100644
--- a/examples/sensors/mqtt-sensor.yaml
+++ b/examples/sensors/mqtt-sensor.yaml
@@ -4,7 +4,7 @@ metadata:
   name: mqtt
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: mqtt
diff --git a/examples/sensors/multi-dependencies.yaml b/examples/sensors/multi-dependencies.yaml
index b1e57ed02df5..5da02dd81c88 100644
--- a/examples/sensors/multi-dependencies.yaml
+++ b/examples/sensors/multi-dependencies.yaml
@@ -4,7 +4,7 @@ metadata:
   name: multi-dependencies
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   # waits for both test-dependency-webhook and test-dependency-calendar to resolve
   dependencies:
     - name: test-dependency-webhook
diff --git a/examples/sensors/multi-trigger-sensor.yaml b/examples/sensors/multi-trigger-sensor.yaml
index c678b95e3d98..e7bcd5f52bea 100644
--- a/examples/sensors/multi-trigger-sensor.yaml
+++ b/examples/sensors/multi-trigger-sensor.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dependency
       eventSourceName: webhook
diff --git a/examples/sensors/nats.yaml b/examples/sensors/nats.yaml
index 987baa2b542e..d2bb151d4164 100644
--- a/examples/sensors/nats.yaml
+++ b/examples/sensors/nats.yaml
@@ -4,7 +4,7 @@ metadata:
   name: nats
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: nats
diff --git a/examples/sensors/nsq.yaml b/examples/sensors/nsq.yaml
index c98f8ebc3c40..0c9da6e2097a 100644
--- a/examples/sensors/nsq.yaml
+++ b/examples/sensors/nsq.yaml
@@ -4,7 +4,7 @@ metadata:
   name: nsq
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: nsq
diff --git a/examples/sensors/pulsar.yaml b/examples/sensors/pulsar.yaml
index a44e2774abcc..345e302845c2 100644
--- a/examples/sensors/pulsar.yaml
+++ b/examples/sensors/pulsar.yaml
@@ -4,7 +4,7 @@ metadata:
   name: pulsar
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: pulsar
diff --git a/examples/sensors/redis.yaml b/examples/sensors/redis.yaml
index 4125b82d5975..a63c16fb09f8 100644
--- a/examples/sensors/redis.yaml
+++ b/examples/sensors/redis.yaml
@@ -4,7 +4,7 @@ metadata:
   name: redis
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: redis
@@ -26,8 +26,7 @@ spec:
               spec:
                 entrypoint: whalesay
                 templates:
-                  -
-                    container:
+                  - container:
                       args:
                         - "hello" # it will get replaced by the event payload
                       command:
diff --git a/examples/sensors/resource.yaml b/examples/sensors/resource.yaml
index e430110716a3..49d8dad08820 100644
--- a/examples/sensors/resource.yaml
+++ b/examples/sensors/resource.yaml
@@ -4,7 +4,7 @@ metadata:
   name: resource
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: resource
diff --git a/examples/sensors/slack-trigger.yaml b/examples/sensors/slack-trigger.yaml
index b4a59736974f..343c8f9f002a 100644
--- a/examples/sensors/slack-trigger.yaml
+++ b/examples/sensors/slack-trigger.yaml
@@ -3,8 +3,6 @@ kind: Sensor
 metadata:
   name: webhook
 spec:
-  template:
-    serviceAccountName: argo-events-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
diff --git a/examples/sensors/slack.yaml b/examples/sensors/slack.yaml
index a460f235878f..6aaaf258c797 100644
--- a/examples/sensors/slack.yaml
+++ b/examples/sensors/slack.yaml
@@ -4,7 +4,7 @@ metadata:
   name: slack
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: slack
diff --git a/examples/sensors/special-workflow-trigger.yaml b/examples/sensors/special-workflow-trigger.yaml
index 0caac1b856d7..b20fd29edd9c 100644
--- a/examples/sensors/special-workflow-trigger.yaml
+++ b/examples/sensors/special-workflow-trigger.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
@@ -32,7 +32,6 @@ spec:
                       value: hello world
                 templates:
                   - name: whalesay
-                    serviceAccountName: argo-events-sa
                     inputs:
                       parameters:
                         - name: message
diff --git a/examples/sensors/storage-grid.yaml b/examples/sensors/storage-grid.yaml
index 93d74bda2cc5..f0094029d278 100644
--- a/examples/sensors/storage-grid.yaml
+++ b/examples/sensors/storage-grid.yaml
@@ -4,7 +4,7 @@ metadata:
   name: storage-grid
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: storage-grid
@@ -24,7 +24,6 @@ spec:
               metadata:
                 generateName: storage-grid-wf-
               spec:
-                serviceAccountName: argo-events-sa
                 entrypoint: whalesay
                 arguments:
                   parameters:
diff --git a/examples/sensors/stripe.yaml b/examples/sensors/stripe.yaml
index 25f0be21141e..27c2d5b81dd8 100644
--- a/examples/sensors/stripe.yaml
+++ b/examples/sensors/stripe.yaml
@@ -4,7 +4,7 @@ metadata:
   name: stripe
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: stripe
diff --git a/examples/sensors/time-filter-webhook.yaml b/examples/sensors/time-filter-webhook.yaml
index 48382d790f71..16e102ef0dcd 100644
--- a/examples/sensors/time-filter-webhook.yaml
+++ b/examples/sensors/time-filter-webhook.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
diff --git a/examples/sensors/trigger-source-configmap.yaml b/examples/sensors/trigger-source-configmap.yaml
index 8e4becd250df..015ad8dd31ed 100644
--- a/examples/sensors/trigger-source-configmap.yaml
+++ b/examples/sensors/trigger-source-configmap.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
diff --git a/examples/sensors/trigger-source-file.yaml b/examples/sensors/trigger-source-file.yaml
index 59ae27cca027..c32d72cf47dd 100644
--- a/examples/sensors/trigger-source-file.yaml
+++ b/examples/sensors/trigger-source-file.yaml
@@ -12,7 +12,7 @@ spec:
       - name: workflow-file
         configMap:
           name: configmap-that-contains-the-workflow-definition
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
diff --git a/examples/sensors/trigger-source-git.yaml b/examples/sensors/trigger-source-git.yaml
index 11c2862bee81..36087a2cfa18 100644
--- a/examples/sensors/trigger-source-git.yaml
+++ b/examples/sensors/trigger-source-git.yaml
@@ -15,7 +15,7 @@ spec:
         emptyDir: {}
       - name: argoproj1
         emptyDir: {}
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
diff --git a/examples/sensors/trigger-standard-k8s-resource.yaml b/examples/sensors/trigger-standard-k8s-resource.yaml
index a15b00f752aa..a97e5cfad1dc 100644
--- a/examples/sensors/trigger-standard-k8s-resource.yaml
+++ b/examples/sensors/trigger-standard-k8s-resource.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
diff --git a/examples/sensors/trigger-with-policy.yaml b/examples/sensors/trigger-with-policy.yaml
index 6e648c58b286..e0d365da144c 100644
--- a/examples/sensors/trigger-with-policy.yaml
+++ b/examples/sensors/trigger-with-policy.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
diff --git a/examples/sensors/trigger-with-template.yaml b/examples/sensors/trigger-with-template.yaml
index 97273cb03617..1ecb2e80cd63 100644
--- a/examples/sensors/trigger-with-template.yaml
+++ b/examples/sensors/trigger-with-template.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
@@ -31,7 +31,6 @@ spec:
                   - name: subject
                 templates:
                 - name: whalesay
-                  serviceAccountName: argo-events-sa
                   inputs:
                     parameters:
                     - name: message
diff --git a/examples/sensors/url-sensor.yaml b/examples/sensors/url-sensor.yaml
index 47000521c4c3..b8675ae24a3c 100644
--- a/examples/sensors/url-sensor.yaml
+++ b/examples/sensors/url-sensor.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
diff --git a/examples/sensors/webhook.yaml b/examples/sensors/webhook.yaml
index 0d42bfccfd60..79a3d988b993 100644
--- a/examples/sensors/webhook.yaml
+++ b/examples/sensors/webhook.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
@@ -32,7 +32,6 @@ spec:
                     value: hello world
                 templates:
                 - name: whalesay
-                  serviceAccountName: argo-events-sa
                   inputs:
                     parameters:
                     - name: message
diff --git a/examples/tutorials/02-parameterization/sensor-01.yaml b/examples/tutorials/02-parameterization/sensor-01.yaml
index a01f3a3b34b1..bd46a341e3d6 100644
--- a/examples/tutorials/02-parameterization/sensor-01.yaml
+++ b/examples/tutorials/02-parameterization/sensor-01.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
@@ -32,7 +32,6 @@ spec:
                       value: hello world
                 templates:
                   - name: whalesay
-                    serviceAccountName: argo-events-sa
                     inputs:
                       parameters:
                         - name: message
diff --git a/examples/tutorials/02-parameterization/sensor-02.yaml b/examples/tutorials/02-parameterization/sensor-02.yaml
index 98cee2dd7daa..90dec171189d 100644
--- a/examples/tutorials/02-parameterization/sensor-02.yaml
+++ b/examples/tutorials/02-parameterization/sensor-02.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
@@ -32,7 +32,6 @@ spec:
                       value: hello world
                 templates:
                   - name: whalesay
-                    serviceAccountName: argo-events-sa
                     inputs:
                       parameters:
                         - name: message
diff --git a/examples/tutorials/02-parameterization/sensor-03.yaml b/examples/tutorials/02-parameterization/sensor-03.yaml
index f98b9943f6c5..1caf3b2c408c 100644
--- a/examples/tutorials/02-parameterization/sensor-03.yaml
+++ b/examples/tutorials/02-parameterization/sensor-03.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
@@ -32,7 +32,6 @@ spec:
                       value: hello world
                 templates:
                   - name: whalesay
-                    serviceAccountName: argo-events-sa
                     inputs:
                       parameters:
                         - name: message
diff --git a/examples/tutorials/02-parameterization/sensor-04.yaml b/examples/tutorials/02-parameterization/sensor-04.yaml
index 9af68b6a78ae..532cfb79b38f 100644
--- a/examples/tutorials/02-parameterization/sensor-04.yaml
+++ b/examples/tutorials/02-parameterization/sensor-04.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
@@ -32,7 +32,6 @@ spec:
                       value: hello world
                 templates:
                   - name: whalesay
-                    serviceAccountName: argo-events-sa
                     inputs:
                       parameters:
                         - name: message
diff --git a/examples/tutorials/02-parameterization/sensor-05.yaml b/examples/tutorials/02-parameterization/sensor-05.yaml
index bcdb16db2c81..077ce370af77 100644
--- a/examples/tutorials/02-parameterization/sensor-05.yaml
+++ b/examples/tutorials/02-parameterization/sensor-05.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
@@ -32,7 +32,6 @@ spec:
                       value: hello world
                 templates:
                   - name: whalesay
-                    serviceAccountName: argo-events-sa
                     inputs:
                       parameters:
                         - name: message
diff --git a/examples/tutorials/03-trigger-sources/sensor-cm.yaml b/examples/tutorials/03-trigger-sources/sensor-cm.yaml
index d0f4950c43da..10c219367df8 100644
--- a/examples/tutorials/03-trigger-sources/sensor-cm.yaml
+++ b/examples/tutorials/03-trigger-sources/sensor-cm.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
diff --git a/examples/tutorials/03-trigger-sources/sensor-git.yaml b/examples/tutorials/03-trigger-sources/sensor-git.yaml
index 89a3e0bb481c..e91dc412f927 100644
--- a/examples/tutorials/03-trigger-sources/sensor-git.yaml
+++ b/examples/tutorials/03-trigger-sources/sensor-git.yaml
@@ -24,7 +24,7 @@ spec:
       - name: known-hosts
         secret:
           secretName: git-known-hosts
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
diff --git a/examples/tutorials/03-trigger-sources/sensor-minio.yaml b/examples/tutorials/03-trigger-sources/sensor-minio.yaml
index 039b123247f1..880073e7be32 100644
--- a/examples/tutorials/03-trigger-sources/sensor-minio.yaml
+++ b/examples/tutorials/03-trigger-sources/sensor-minio.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
diff --git a/examples/tutorials/04-standard-k8s-resources/sensor-deployment.yaml b/examples/tutorials/04-standard-k8s-resources/sensor-deployment.yaml
index c5a3f64c8aa7..23e9cafcb2e6 100644
--- a/examples/tutorials/04-standard-k8s-resources/sensor-deployment.yaml
+++ b/examples/tutorials/04-standard-k8s-resources/sensor-deployment.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: k8s-resource-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
@@ -24,7 +24,6 @@ spec:
               metadata:
                 generateName: hello-world-
               spec:
-                serviceAccountName: argo-events-sa
                 replicas: 1
                 selector:
                   matchLabels:
@@ -34,7 +33,6 @@ spec:
                     labels:
                       app: mydeploy
                   spec:
-                    serviceAccountName: argo-events-sa
                     containers:
                       - name: hello-container
                         args:
diff --git a/examples/tutorials/04-standard-k8s-resources/sensor-pod.yaml b/examples/tutorials/04-standard-k8s-resources/sensor-pod.yaml
index 58dc0f00c2bc..8e0eaf1e922b 100644
--- a/examples/tutorials/04-standard-k8s-resources/sensor-pod.yaml
+++ b/examples/tutorials/04-standard-k8s-resources/sensor-pod.yaml
@@ -4,7 +4,7 @@ metadata:
   name: webhook
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: k8s-resource-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
@@ -24,7 +24,6 @@ spec:
               metadata:
                 generateName: hello-world-
               spec:
-                serviceAccountName: argo-events-sa
                 containers:
                   - name: hello-container
                     args:
diff --git a/examples/tutorials/06-trigger-conditions/sensor-01.yaml b/examples/tutorials/06-trigger-conditions/sensor-01.yaml
index 7649b2c3c01a..b9ae5f01df6c 100644
--- a/examples/tutorials/06-trigger-conditions/sensor-01.yaml
+++ b/examples/tutorials/06-trigger-conditions/sensor-01.yaml
@@ -4,7 +4,7 @@ metadata:
   name: circuit
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep-webhook
       eventSourceName: webhook
@@ -31,7 +31,6 @@ spec:
               metadata:
                 generateName: group-1-
               spec:
-                serviceAccountName: argo-events-sa
                 entrypoint: whalesay
                 templates:
                   - name: whalesay
@@ -61,7 +60,6 @@ spec:
               metadata:
                 generateName: group-2-
               spec:
-                serviceAccountName: argo-events-sa
                 entrypoint: whalesay
                 templates:
                   - name: whalesay
diff --git a/examples/tutorials/06-trigger-conditions/sensor-02.yaml b/examples/tutorials/06-trigger-conditions/sensor-02.yaml
index 993a5fab2067..3f904eb57973 100644
--- a/examples/tutorials/06-trigger-conditions/sensor-02.yaml
+++ b/examples/tutorials/06-trigger-conditions/sensor-02.yaml
@@ -4,7 +4,7 @@ metadata:
   name: circuit
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep-webhook
       eventSourceName: webhook
@@ -29,7 +29,6 @@ spec:
               metadata:
                 generateName: group-1-and-2-
               spec:
-                serviceAccountName: argo-events-sa
                 entrypoint: whalesay
                 templates:
                   - name: whalesay
diff --git a/examples/tutorials/07-filters/sensor-context-filter.yaml b/examples/tutorials/07-filters/sensor-context-filter.yaml
index 644082709dd5..d125f74947da 100644
--- a/examples/tutorials/07-filters/sensor-context-filter.yaml
+++ b/examples/tutorials/07-filters/sensor-context-filter.yaml
@@ -4,7 +4,7 @@ metadata:
   name: context-filter
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
@@ -27,7 +27,6 @@ spec:
               metadata:
                 generateName: data-workflow-
               spec:
-                serviceAccountName: argo-events-sa
                 entrypoint: whalesay
                 arguments:
                   parameters:
diff --git a/examples/tutorials/07-filters/sensor-data-filters.yaml b/examples/tutorials/07-filters/sensor-data-filters.yaml
index b18740bbfeae..335d63c5b66b 100644
--- a/examples/tutorials/07-filters/sensor-data-filters.yaml
+++ b/examples/tutorials/07-filters/sensor-data-filters.yaml
@@ -4,7 +4,7 @@ metadata:
   name: data-filter
 spec:
   template:
-    serviceAccountName: argo-events-sa
+    serviceAccountName: operate-workflow-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
@@ -31,7 +31,6 @@ spec:
               metadata:
                 generateName: data-workflow-
               spec:
-                serviceAccountName: argo-events-sa
                 entrypoint: whalesay
                 arguments:
                   parameters:
diff --git a/examples/tutorials/09-http-trigger/http-server.yaml b/examples/tutorials/09-http-trigger/http-server.yaml
index 4bb89ae658d5..b4d09564fa9c 100644
--- a/examples/tutorials/09-http-trigger/http-server.yaml
+++ b/examples/tutorials/09-http-trigger/http-server.yaml
@@ -5,7 +5,6 @@ metadata:
   labels:
     app: http-server
 spec:
-  serviceAccountName: argo-events-sa
   containers:
     - name: http-server
       image: metalgearsolid/http-server
diff --git a/examples/tutorials/10-aws-lambda-trigger/sensor.yaml b/examples/tutorials/10-aws-lambda-trigger/sensor.yaml
index 2cb6465a4aff..2aaa92612afb 100644
--- a/examples/tutorials/10-aws-lambda-trigger/sensor.yaml
+++ b/examples/tutorials/10-aws-lambda-trigger/sensor.yaml
@@ -3,8 +3,6 @@ kind: Sensor
 metadata:
   name: webhook
 spec:
-  template:
-    serviceAccountName: argo-events-sa
   dependencies:
     - name: test-dep
       eventSourceName: webhook
@@ -20,7 +18,6 @@ spec:
           secretKey:
             name: aws-secret
             key: secretkey
-          namespace: argo-events
           region: us-east-1
           payload:
             - src:
diff --git a/manifests/cluster-install/rbac/argo-events-cluster-role.yaml b/manifests/cluster-install/rbac/argo-events-cluster-role.yaml
index 5cc567b6bb28..0f75111f6607 100644
--- a/manifests/cluster-install/rbac/argo-events-cluster-role.yaml
+++ b/manifests/cluster-install/rbac/argo-events-cluster-role.yaml
@@ -3,20 +3,6 @@ kind: ClusterRole
 metadata:
   name: argo-events-role
 rules:
-  - apiGroups:
-      - apiextensions.k8s.io
-      - apiextensions.k8s.io/v1beta1
-    verbs:
-      - create
-      - delete
-      - deletecollection
-      - get
-      - list
-      - patch
-      - update
-      - watch
-    resources:
-      - customresourcedefinitions
   - apiGroups:
       - argoproj.io
     verbs:
@@ -29,14 +15,6 @@ rules:
       - update
       - watch
     resources:
-      - workflows
-      - workflows/finalizers
-      - workflowtemplates
-      - workflowtemplates/finalizers
-      - cronworkflows
-      - cronworkflows/finalizers
-      - clusterworkflowtemplates
-      - clusterworkflowtemplates/finalizers
       - sensors
       - sensors/finalizers
       - sensors/status
@@ -54,7 +32,6 @@ rules:
       - configmaps
       - secrets
       - services
-      - events
       - persistentvolumeclaims
     verbs:
       - create
@@ -64,18 +41,6 @@ rules:
       - update
       - patch
       - delete
-  - apiGroups:
-      - batch
-    resources:
-      - jobs
-    verbs:
-      - create
-      - get
-      - list
-      - watch
-      - update
-      - patch
-      - delete
   - apiGroups:
       - apps
     resources:
diff --git a/manifests/install.yaml b/manifests/install.yaml
index 1558173928ab..cbbac07c9c81 100644
--- a/manifests/install.yaml
+++ b/manifests/install.yaml
@@ -211,31 +211,9 @@ kind: ClusterRole
 metadata:
   name: argo-events-role
 rules:
-- apiGroups:
-  - apiextensions.k8s.io
-  - apiextensions.k8s.io/v1beta1
-  resources:
-  - customresourcedefinitions
-  verbs:
-  - create
-  - delete
-  - deletecollection
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - argoproj.io
   resources:
-  - workflows
-  - workflows/finalizers
-  - workflowtemplates
-  - workflowtemplates/finalizers
-  - cronworkflows
-  - cronworkflows/finalizers
-  - clusterworkflowtemplates
-  - clusterworkflowtemplates/finalizers
   - sensors
   - sensors/finalizers
   - sensors/status
@@ -262,7 +240,6 @@ rules:
   - configmaps
   - secrets
   - services
-  - events
   - persistentvolumeclaims
   verbs:
   - create
@@ -272,18 +249,6 @@ rules:
   - update
   - patch
   - delete
-- apiGroups:
-  - batch
-  resources:
-  - jobs
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
 - apiGroups:
   - apps
   resources:
diff --git a/manifests/namespace-install.yaml b/manifests/namespace-install.yaml
index 9a48ad4734d0..bbf31cd6d944 100644
--- a/manifests/namespace-install.yaml
+++ b/manifests/namespace-install.yaml
@@ -133,14 +133,6 @@ rules:
 - apiGroups:
   - argoproj.io
   resources:
-  - workflows
-  - workflows/finalizers
-  - workflowtemplates
-  - workflowtemplates/finalizers
-  - cronworkflows
-  - cronworkflows/finalizers
-  - clusterworkflowtemplates
-  - clusterworkflowtemplates/finalizers
   - sensors
   - sensors/finalizers
   - sensors/status
@@ -167,7 +159,6 @@ rules:
   - configmaps
   - secrets
   - services
-  - events
   - persistentvolumeclaims
   verbs:
   - create
@@ -177,18 +168,6 @@ rules:
   - update
   - patch
   - delete
-- apiGroups:
-  - batch
-  resources:
-  - jobs
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
 - apiGroups:
   - apps
   resources:
diff --git a/manifests/namespace-install/rbac/argo-events-role.yaml b/manifests/namespace-install/rbac/argo-events-role.yaml
index f893e3643592..aa79885438cf 100644
--- a/manifests/namespace-install/rbac/argo-events-role.yaml
+++ b/manifests/namespace-install/rbac/argo-events-role.yaml
@@ -15,14 +15,6 @@ rules:
       - update
       - watch
     resources:
-      - workflows
-      - workflows/finalizers
-      - workflowtemplates
-      - workflowtemplates/finalizers
-      - cronworkflows
-      - cronworkflows/finalizers
-      - clusterworkflowtemplates
-      - clusterworkflowtemplates/finalizers
       - sensors
       - sensors/finalizers
       - sensors/status
@@ -40,7 +32,6 @@ rules:
       - configmaps
       - secrets
       - services
-      - events
       - persistentvolumeclaims
     verbs:
       - create
@@ -50,18 +41,6 @@ rules:
       - update
       - patch
       - delete
-  - apiGroups:
-      - batch
-    resources:
-      - jobs
-    verbs:
-      - create
-      - get
-      - list
-      - watch
-      - update
-      - patch
-      - delete
   - apiGroups:
       - apps
     resources: