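---
# Identity used by the argo-runner pods in the cicd-system namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argo-runner
  namespace: cicd-system
# The API token is mounted into every pod that runs as this account, so any
# code executed in those pods acts with the Role bound below.
# NOTE(review): presumably required so workflow pods can report
# workflowtaskresults; confirm before disabling.
automountServiceAccountToken: true
...
---
# Namespaced permissions for argo-runner. A Role only grants access to
# namespaced resources inside metadata.namespace (cicd-system).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argo-runner
  namespace: cicd-system
rules:
  # Full read/write on Secrets, PVCs and Pods in the namespace.
  # NOTE(review): this is the widest grant in the Role. Read access to every
  # Secret in cicd-system combined with pod creation means a compromised
  # runner pod exposes all credentials stored in the namespace. Confirm the
  # runner needs every verb on secrets; if not, move secrets into its own
  # rule with fewer verbs (resourceNames can pin get/update/patch/delete to
  # named objects, but does not constrain list, watch or create).
  - apiGroups:
      - ""
    resources:
      - secrets
      - persistentvolumeclaims
      - pods
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - patch
      - watch
  # Read-only access to ConfigMaps.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
  # Read-only access to Deployments (no watch).
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
      - list
  # NOTE(review): two rules were removed here because a namespaced Role
  # cannot grant access to cluster-scoped resources, so they never took
  # effect and only misrepresented what this account can do:
  #   - admissionregistration.k8s.io / validatingwebhookconfigurations
  #     (get, list, create, update, delete, patch, watch)
  #   - rbac.authorization.k8s.io / clusterroles (get, list)
  # If the runner really needs either, grant it through a ClusterRole and
  # ClusterRoleBinding reviewed on its own, scoped with resourceNames where
  # possible. Write access to webhook configurations controls admission for
  # the whole cluster and should not be handed to a CI runner by default.
  # Read-only access to the Argo Events objects.
  - apiGroups:
      - argoproj.io
    resources:
      - eventbus
      - eventsources
      - sensors
    verbs:
      - get
      - list
      - watch
  # Create and update (but not delete) workflows and their task results.
  - apiGroups:
      - argoproj.io
    resources:
      - workflows
      - workflowtaskresults
    verbs:
      - get
      - list
      - create
      - update
      - patch
      - watch
...
---
# Binds the argo-runner Role to the argo-runner ServiceAccount; both live in
# cicd-system, so the grant does not extend to other namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argo-runner
  namespace: cicd-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argo-runner
subjects:
  - kind: ServiceAccount
    name: argo-runner
    namespace: cicd-system
...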