kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ServiceAccount}}-role
  namespace: {{NAMESPACE}}
rules:
  - apiGroups: [""]
    resources: ["pods","pods/exec","configmaps","services"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["batch", "extensions"]
    resources: ["jobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]  
  - apiGroups: [""]
    resources: ["events","pods/log","serviceaccounts", "secrets","endpoints"]
    verbs: ["list", "get", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["create", "delete", "get", "list"]
  - apiGroups: ["argoproj.io"]
    resources: ["workflows","workflows/finalizers"]
    verbs: ["*"]
  - apiGroups: ["argoproj.io"]
    resources: ["workflowtemplates","workflowtemplates/finalizers"]
    verbs: ["get", "list", "watch"]
    
  
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ServiceAccount}}-role-binding
  namespace: {{NAMESPACE}}
subjects:
  - kind: ServiceAccount
    name: {{ServiceAccount}}
    namespace: {{NAMESPACE}}
roleRef:
  kind: Role
  name: {{ServiceAccount}}-role
  apiGroup: rbac.authorization.k8s.io