
Argo Workflows RBAC Quick Fix - Access Control Errors

DodaTech Updated 2026-06-26 1 min read

Argo Workflows RBAC controls user permissions for workflow operations. Incorrect RBAC policies prevent users from submitting or viewing workflows. This guide covers the fix.

Quick Fix

Wrong

apiVersion: v1
kind: ConfigMap
metadata:
  name: argo-rbac-config
data:
  policy.csv: |
    p, role:developer, workflows, create, *, allow

The issue: the policy has no g (group mapping) lines, no namespace restriction, and no get or list permission. Developers can create workflows but cannot list or view them.

Right

apiVersion: v1
kind: ConfigMap
metadata:
  name: argo-rbac-config
data:
  policy.csv: |
    p, role:developer, workflows, create, default/*, allow
    p, role:developer, workflows, get, default/*, allow
    p, role:developer, workflows, list, default/*, allow
    g, alice@example.com, role:developer
    g, dev-team, role:developer
# Expected output after applying the fix
# Developer can create, get, and list workflows in default namespace
# RBAC enforced via SSO or basic auth
# Unauthorized operations return 403 Forbidden
# Audit logs show user identity for each operation

Prevention

  • Define both permissions (p) and group mappings (g) in policy
  • Use namespace-scoped permissions: default/* or */*
  • Include get and list permissions alongside create
  • Test RBAC policies with argo auth can-i
  • Use groups from SSO provider for scalable permission management
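The first three checklist items can be checked mechanically before a policy is applied. The following is an added example, not code from the original page or from the Argo project; it assumes the six-field p and three-field g line format shown in the ConfigMaps above, and `lint_policy` is a hypothetical helper name.

```python
import csv
import io

# Constructed sample input: the "Wrong" policy from this page.
WRONG = "p, role:developer, workflows, create, *, allow\n"

# Constructed sample input: the corrected policy from this page.
FIXED = """\
p, role:developer, workflows, create, default/*, allow
p, role:developer, workflows, get, default/*, allow
p, role:developer, workflows, list, default/*, allow
g, alice@example.com, role:developer
g, dev-team, role:developer
"""

def lint_policy(text):
    """Return sorted findings for a policy.csv body in the format shown above."""
    grants = {}      # role -> {(resource, object pattern): set of allowed actions}
    mapped = set()   # roles that appear as the target of a g line
    findings = set()
    for n, row in enumerate(csv.reader(io.StringIO(text), skipinitialspace=True), 1):
        row = [field.strip() for field in row]
        if not any(row) or row[0].startswith("#"):
            continue  # blank line or comment
        if row[0] == "g" and len(row) == 3:
            mapped.add(row[2])
        elif row[0] == "p" and len(row) == 6:
            _, role, resource, action, obj, effect = row
            if "/" not in obj:
                findings.add(f"line {n}: object '{obj}' has no namespace/name pattern")
            if effect == "allow":
                grants.setdefault(role, {}).setdefault((resource, obj), set()).add(action)
        else:
            findings.add(f"line {n}: malformed entry")
    for role, scopes in grants.items():
        if role not in mapped:
            findings.add(f"{role}: no g line maps a user or group to this role")
        for (resource, obj), actions in scopes.items():
            missing = {"get", "list"} - actions
            if "create" in actions and missing:
                findings.add(f"{role}: create on {resource} {obj} "
                             f"without {', '.join(sorted(missing))}")
    return sorted(findings)

if __name__ == "__main__":
    for name, body in (("wrong", WRONG), ("fixed", FIXED)):
        print(name, lint_policy(body) or "no findings")
```
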

DodaTech Tools

Doda Browser's RBAC editor provides policy validation and preview. DodaZIP archives RBAC configurations for compliance audits. Durga Antivirus Pro detects overly permissive RBAC policies.

FAQ

How does Argo RBAC work with SSO?

Argo maps OIDC claims (groups, email) to RBAC roles defined in the policy CSV. The SSO token must include the claims used in RBAC group definitions.

Can I restrict workflow access to specific namespaces?

Yes, use namespace patterns in the resource field like default/* or production/*. Users can only access workflows in allowed namespaces.

What is the difference between RBAC and workflow-level access?

RBAC controls API-level access (submit, get, list). Workflow-level access is controlled by workflow-level securityContext and Kubernetes RBAC for pods.
