Lack of Examples for SSO RBAC

[y-elip]

Hi,

While there is detailed documentation available on RBAC SSO, it’s still confusing due to the lack of examples related to specific roles. The documentation often uses vague phrases like "Create an appropriate role" without providing a concrete list of Kubernetes API verbs needed, for example, for roles like admin user and read-only.

This makes it frustrating to troubleshoot issues like PermissionDenied desc = unknown (get pods) or grpc.code=PermissionDenied grpc.method=WorkflowLogs that arise when an incorrect role binding is used. For instance, when argo-workflows-admin SSO was bound to the argo-workflows-admin cluster role, it lacked the permissions to read Argo Workflows pod logs with error above.

Please consider adding some examples of how roles for admin and read-only cases should be configured.

[agilgur5]

There's an example of read-only from #11340. That was one of my first contributions to Argo and you might notice I had some similar issues (particularly for users without aggregated roles), which is why I contributed it.
Can see it in the docs site here: https://argo-workflows.readthedocs.io/en/release-3.5/security/#ui-access

That role is more generic than SSO RBAC, but we could add a link from that page to that example