[RBAC] move namespace-scoped resource permissions to Roles
Signed-off-by: Tariq Ibrahim <[email protected]>
tariq1890 committed Jun 12, 2024
1 parent 3487c5e commit 21a0b1b
Showing 3 changed files with 83 additions and 64 deletions.
72 changes: 8 additions & 64 deletions deployments/gpu-operator/templates/clusterrole.yaml
Expand Up @@ -9,14 +9,19 @@ rules:
- apiGroups:
- config.openshift.io
resources:
- clusterversions
- proxies
verbs:
- get
- apiGroups:
- image.openshift.io
resources:
- imagestreams
verbs:
- get
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- rolebindings
- clusterroles
- clusterrolebindings
verbs:
Expand All @@ -30,12 +35,7 @@ rules:
- apiGroups:
- ""
resources:
- pods
- services
- events
- configmaps
- secrets
- serviceaccounts
verbs:
- create
- get
Expand Down Expand Up @@ -68,16 +68,11 @@ rules:
- apiGroups:
- apps
resources:
- deployments
- daemonsets
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- apps
resources:
Expand All @@ -86,18 +81,6 @@ rules:
- get
- list
- watch
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
- prometheusrules
verbs:
- get
- list
- create
- watch
- update
- delete
- apiGroups:
- nvidia.com
resources:
Expand Down Expand Up @@ -125,27 +108,6 @@ rules:
- list
- watch
- create
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- use
- apiGroups:
- config.openshift.io
resources:
- clusterversions
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
Expand All @@ -169,19 +131,12 @@ rules:
- update
- watch
- delete
- apiGroups:
- image.openshift.io
resources:
- imagestreams
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods
- pods/eviction
- services
verbs:
- get
- list
Expand All @@ -190,17 +145,6 @@ rules:
- delete
- update
- patch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- create
- update
- patch
- apiGroups:
- apiextensions.k8s.io
resources:
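Review bot: The ClusterRole still lists `roles` and `rolebindings` under `rbac.authorization.k8s.io` in the first hunk (the `- roles` / `- rolebindings` lines, which read as retained context rather than removals), so granting the same resources again in the new namespaced Role adds nothing while the cluster-wide grant remains; if the goal is to scope them, drop those two entries here and keep only `clusterroles` / `clusterrolebindings` in the ClusterRole. The later hunks also delete `deployments`, `daemonsets`, `services`, `events` and the whole `nodes` rule without any counterpart in the new Role; `nodes` is cluster-scoped and cannot be moved to a Role at all, so unless a rule outside the shown hunks still grants these, the operator loses them. The `rules:` list continues beyond every hunk shown, so this is worth confirming against the full template.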
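--- /dev/null
+++ b/deployments/gpu-operator/templates/role.yaml
@@ -0,0 +1,60 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: gpu-operator
+  labels:
+    {{- include "gpu-operator.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "gpu-operator"
+rules:
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  - rolebindings
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - secrets
+  - serviceaccounts
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - servicemonitors
+  - prometheusrules
+  verbs:
+  - get
+  - list
+  - create
+  - watch
+  - update
+  - delete
+- apiGroups:
+  - security.openshift.io
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+  - use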
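Review bot: The `security.openshift.io` rule grants `create`, `get`, `list`, `watch`, `update`, `patch` and `delete` on `securitycontextconstraints`, but SCCs are cluster-scoped and a Role bound through a RoleBinding is not consulted for cluster-scoped API requests; of these verbs only `use` (which the SCC admission checks against the pod's namespace) can take effect from a Role. Since the same SCC verbs were removed from the ClusterRole in this commit, the operator can no longer create or update SCCs unless a rule outside the shown hunks still grants them — keep those verbs in the ClusterRole and reduce this rule to `verbs:` / `- use`. Consider also restricting the `use` grant with `resourceNames:` naming the specific SCC the operands need, rather than every SCC in the cluster.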
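--- /dev/null
+++ b/deployments/gpu-operator/templates/rolebinding.yaml
@@ -0,0 +1,15 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: gpu-operator
+  labels:
+    {{- include "gpu-operator.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "gpu-operator"
+subjects:
+- kind: ServiceAccount
+  name: gpu-operator
+  namespace: {{ $.Release.Namespace }}
+roleRef:
+  kind: Role
+  name: gpu-operator
+  apiGroup: rbac.authorization.k8s.io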
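Review bot: `namespace: {{ $.Release.Namespace }}` in the subject is emitted unquoted; a release namespace is a DNS label and may consist only of digits, in which case the rendered YAML parses it as an integer and the apply is rejected, so write `namespace: "{{ $.Release.Namespace }}"`. The key order `kind:` before `apiVersion:` also differs from role.yaml in the same commit; putting `apiVersion` first keeps the two new templates uniform.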
