

Merge pull request #750 from NVIDIA/move-to-role
[RBAC] move namespace-scoped resource permissions to Roles
tariq1890 authored Jun 17, 2024
2 parents 5aec828 + a40bcab commit 7fb39d6
Showing 4 changed files with 172 additions and 97 deletions.
93 changes: 72 additions & 21 deletions bundle/manifests/gpu-operator-certified.clusterserviceversion.yaml
Expand Up @@ -601,6 +601,7 @@ spec:
- patch
- update
- watch
- deletecollection
- apiGroups:
- config.openshift.io
resources:
Expand Down Expand Up @@ -631,13 +632,31 @@ spec:
- use
resourceNames:
- hostmount-anyuid
- apiGroups:
- image.openshift.io
resources:
- imagestreams
verbs:
- get
- list
- watch
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
- prometheusrules
verbs:
- get
- list
- create
- watch
- update
- delete
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterroles
- clusterrolebindings
- roles
- rolebindings
verbs:
- create
- get
Expand All @@ -653,14 +672,7 @@ spec:
- pods/eviction
- services
- services/finalizers
- endpoints
- persistentvolumeclaims
- events
- configmaps
- secrets
- nodes
- namespaces
- serviceaccounts
verbs:
- create
- delete
Expand All @@ -670,17 +682,33 @@ spec:
- update
- watch
- apiGroups:
- apps
- ""
resources:
- deployments
- daemonsets
- namespaces
verbs:
- create
- delete
- get
- list
- create
- watch
- update
- patch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- get
- list
- watch
- apiGroups:
- apps
Expand Down Expand Up @@ -714,29 +742,52 @@ spec:
- patch
- delete
- apiGroups:
- monitoring.coreos.com
- apiextensions.k8s.io
resources:
- servicemonitors
- prometheusrules
- customresourcedefinitions
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
permissions:
- serviceAccountName: gpu-operator
rules:
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- rolebindings
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- image.openshift.io
- apps
resources:
- imagestreams
- daemonsets
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- apiextensions.k8s.io
- ""
resources:
- customresourcedefinitions
- configmaps
- endpoints
- secrets
- serviceaccounts
verbs:
- create
- get
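Review bot: The bundle's new namespace-scoped core rule near the end of the last hunk (`- ""` with `configmaps`, `endpoints`, `secrets`, `serviceaccounts`) lists `endpoints`, but the chart's new role.yaml in this same commit lists only `configmaps`, `secrets` and `serviceaccounts`, and the ClusterRole hunk drops `endpoints` from its core rule; if the CSV is meant to mirror the chart the two should agree, and if `endpoints` is still needed by the operator it belongs in role.yaml as well. The `- deletecollection` verb added at the top of the first hunk attaches to a cluster-scoped rule whose apiGroups and resources sit above the hunk, so the resource it widens is not visible here; that rule starts outside the hunk. A line in the commit description naming that resource would let the one widening in an otherwise scope-narrowing change be reviewed on its own.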
89 changes: 13 additions & 76 deletions deployments/gpu-operator/templates/clusterrole.yaml
Expand Up @@ -9,14 +9,23 @@ rules:
- apiGroups:
- config.openshift.io
resources:
- clusterversions
- proxies
verbs:
- get
- list
- watch
- apiGroups:
- image.openshift.io
resources:
- imagestreams
verbs:
- get
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- rolebindings
- clusterroles
- clusterrolebindings
verbs:
Expand All @@ -30,12 +39,10 @@ rules:
- apiGroups:
- ""
resources:
- events
- pods
- pods/eviction
- services
- events
- configmaps
- secrets
- serviceaccounts
verbs:
- create
- get
Expand Down Expand Up @@ -68,16 +75,11 @@ rules:
- apiGroups:
- apps
resources:
- deployments
- daemonsets
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- apps
resources:
Expand All @@ -86,18 +88,6 @@ rules:
- get
- list
- watch
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
- prometheusrules
verbs:
- get
- list
- create
- watch
- update
- delete
- apiGroups:
- nvidia.com
resources:
Expand Down Expand Up @@ -125,27 +115,6 @@ rules:
- list
- watch
- create
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- use
- apiGroups:
- config.openshift.io
resources:
- clusterversions
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
Expand All @@ -169,38 +138,6 @@ rules:
- update
- watch
- delete
- apiGroups:
- image.openshift.io
resources:
- imagestreams
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods
- pods/eviction
verbs:
- get
- list
- watch
- create
- delete
- update
- patch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- create
- update
- patch
- apiGroups:
- apiextensions.k8s.io
resources:
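Review bot: The core `nodes` rule deleted at the bottom of the last hunk (`- nodes` with get/list/watch/create/update/patch) has no replacement in any visible hunk of clusterrole.yaml, and it cannot be moved to the new role.yaml because nodes are cluster-scoped and a namespaced Role cannot authorize requests on them. The bundle CSV in this commit keeps a `nodes` rule with `get`, `list`, `watch`, `update`, `patch` in clusterPermissions, so presumably an equivalent rule lives in a stretch of this file that is not shown; worth confirming, since node labeling by the operator depends on it. The enclosing `rules:` list begins before the first hunk and continues past the last one.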
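--- /dev/null
+++ b/deployments/gpu-operator/templates/role.yaml
@@ -0,0 +1,72 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: gpu-operator
+  labels:
+    {{- include "gpu-operator.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "gpu-operator"
+rules:
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  - rolebindings
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - secrets
+  - serviceaccounts
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - servicemonitors
+  - prometheusrules
+  verbs:
+  - get
+  - list
+  - create
+  - watch
+  - update
+  - delete
+- apiGroups:
+  - security.openshift.io
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+  - use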
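Review bot: The `securitycontextconstraints` rule at the end of the file grants `create`, `get`, `list`, `watch`, `update`, `patch` and `delete` from a namespaced Role, but SCCs are cluster-scoped and RBAC authorizes cluster-scoped requests against ClusterRoleBindings only, so those verbs grant nothing here; only `use`, which the SCC admission check evaluates in the pod's namespace, takes effect through a Role. Because the matching rule is deleted from clusterrole.yaml in this same commit, any SCC object the operator still creates or modifies would be denied after this change. If the operator manages SCC objects, keep the management verbs in the ClusterRole and reduce this rule to `verbs:` / `- use` (with `resourceNames` listing the SCCs its pods need, as the bundle already does for `hostmount-anyuid`); if it no longer does, drop the extra verbs so the Role states the real grant. A comment above the rule, `# SCCs are cluster-scoped: only 'use' is evaluated in namespace scope`, would keep a later edit from reintroducing them.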
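--- /dev/null
+++ b/deployments/gpu-operator/templates/rolebinding.yaml
@@ -0,0 +1,15 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: gpu-operator
+  labels:
+    {{- include "gpu-operator.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "gpu-operator"
+subjects:
+- kind: ServiceAccount
+  name: gpu-operator
+  namespace: {{ $.Release.Namespace }}
+roleRef:
+  kind: Role
+  name: gpu-operator
+  apiGroup: rbac.authorization.k8s.io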
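Review bot: `kind` precedes `apiVersion` at the top of this file while the sibling role.yaml added in the same commit puts `apiVersion` first; ordering them as `apiVersion: rbac.authorization.k8s.io/v1` then `kind: RoleBinding` keeps the two new templates consistent. The subject pins its namespace to `{{ $.Release.Namespace }}` but the binding's own `metadata` carries no namespace; Helm places it in the release namespace so the two coincide on install, but an explicit `namespace: {{ $.Release.Namespace }}` under `metadata` would make the scope of the grant visible to anyone reading rendered output. Since a RoleBinding's `roleRef` is immutable, it is also worth a comment that renaming the Role requires recreating this binding.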

