Context
Argo Workflows can create Workflows in many different ways (dag, steps, container, script). This makes it difficult to ensure users are not able to mount PVCs they shouldn't be able to mount. A better solution is to create a Validating Admission Controller on pods created by Argo rather than on Workflow objects. My one hesitation is that I'm not sure if Argo Workflows will relay the reason why the pod is unschedulable back to the user.
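
A sketch of the pod-level check described above, as an added example (not code from this project): the decision function of a validating webhook that receives an `admission.k8s.io/v1` AdmissionReview for a Pod and denies PVCs outside a per-namespace allow-list. The `ALLOWED_CLAIMS` policy, the helper names and the sample requests are assumptions made for illustration; the `workflows.argoproj.io/workflow` label is the one Argo Workflows puts on pods it creates.

```python
# Label Argo Workflows sets on the pods it creates.
ARGO_LABEL = "workflows.argoproj.io/workflow"

# Hypothetical policy (assumption): PVC names each namespace may mount.
ALLOWED_CLAIMS = {
    "team-a": {"team-a-scratch", "team-a-datasets"},
    "team-b": {"team-b-scratch"},
}


def review_pod(admission_review, allowed_claims=ALLOWED_CLAIMS):
    """Return the AdmissionReview response for a Pod CREATE request."""
    request = admission_review["request"]
    pod = request["object"]
    namespace = request.get("namespace", "")
    labels = pod.get("metadata", {}).get("labels") or {}
    denied = set()
    if ARGO_LABEL in labels:  # only pods created by Argo are checked
        permitted = allowed_claims.get(namespace, set())  # unknown ns: none
        for volume in pod.get("spec", {}).get("volumes") or []:
            pvc = volume.get("persistentVolumeClaim")
            if pvc and pvc.get("claimName", "") not in permitted:
                denied.add(pvc.get("claimName", ""))
    response = {"uid": request["uid"], "allowed": not denied}
    if denied:
        # The message is what the API server returns to the pod's creator.
        response["status"] = {
            "code": 403,
            "message": f"PVC(s) not permitted in namespace {namespace!r}: "
                       + ", ".join(sorted(denied)),
        }
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


def sample_review(namespace, claims, argo=True):
    """Constructed sample AdmissionReview request (not captured traffic)."""
    labels = {ARGO_LABEL: "demo-wf"} if argo else {}
    volumes = [{"name": f"v{i}", "persistentVolumeClaim": {"claimName": c}}
               for i, c in enumerate(claims)]
    volumes.append({"name": "tmp", "emptyDir": {}})  # non-PVC volume, ignored
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "constructed-uid-1", "namespace": namespace,
                        "operation": "CREATE",
                        "object": {"metadata": {"labels": labels},
                                   "spec": {"volumes": volumes}}}}
```

Because the check runs on the Pod spec, it applies the same way whichever template type (dag, steps, container, script) produced the pod.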