fix: check ClusterWorkflowTemplate RBAC cluster wide instead of namespaced. Fixes #15071

[eduardodbr]

Fixes #15071

Motivation

If the service account (SA) running the controller is granted a role that provides access to ClusterWorkflowTemplates within the controller’s namespace, the controller incorrectly assumes the SA has access to ClusterWorkflowTemplates cluster-wide. While this scenario is uncommon, it is possible. This PR addresses the issue by verifying access at the cluster scope rather than relying on namespace-scoped permissions.

Modifications

Verification

Documentation

Summary by CodeRabbit

• Bug Fixes
  • Simplified access control validation for cluster workflow templates to use global permission checks instead of namespace-scoped checks.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes remove the namespace parameter from the HasAccessToClusterWorkflowTemplates function across all call sites. This corrects an RBAC verification logic to properly handle ClusterWorkflowTemplate as a cluster-wide resource without namespace-scoped access checks.

Changes

Cohort / File(s)	Summary
Function signature update util/rbac/rbac.go	Removed namespace string parameter from HasAccessToClusterWorkflowTemplates(ctx, kubeclientset). Simplified internal auth checks to pass empty string for all namespace arguments in authutil.CanIArgo calls.
Call site updates pkg/apiclient/argo-kube-client.go, server/apiserver/argoserver.go, workflow/controller/controller.go	Removed namespace argument from all HasAccessToClusterWorkflowTemplates invocations to match updated function signature.
Test updates util/rbac/rbac_test.go	Updated all three test cases to call HasAccessToClusterWorkflowTemplates(ctx, kubeclientset) without the third parameter.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Areas requiring attention:
  • Verify all call sites of HasAccessToClusterWorkflowTemplates have been updated (search for any remaining namespace argument usages)
  • Confirm the function implementation correctly omits namespace in permission checks for cluster-wide resources
  • Validate test coverage reflects the simplified signature and cluster-wide permission model

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly describes the main change: removing namespace scope from ClusterWorkflowTemplate RBAC checks and fixing issue #15071.
Linked Issues check	✅ Passed	The code changes successfully address all key requirements from issue #15071: removing namespace argument from HasAccessToClusterWorkflowTemplates calls across all call sites to enable cluster-wide RBAC checks instead of namespaced checks.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to fixing the RBAC check for ClusterWorkflowTemplate cluster-wide access; no unrelated modifications detected.
Description check	✅ Passed	PR description includes issue reference and motivation but lacks explicit modifications, verification, and documentation sections.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[eduardodbr]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[eduardodbr]

/retest

[Joibel]

Looks good, thanks

[argo-cd-cherry-pick-bot]

❌ Cherry-pick failed for 3.7. Please check the workflow logs for details.