Include ClusterRoles for dealing with APIs when installing

Change-Id: I1134dc44e29cefe794f882c01e3eab951258ce0b
KunWuLuan · Apr 6, 2022 · daa37ed · daa37ed
1 parent 34eb233
commit daa37ed
Show file tree

Hide file tree

Showing 13 changed files with 99 additions and 12 deletions.
diff --git a/config/rbac/batch_admin_role.yaml b/config/rbac/batch_admin_role.yaml
@@ -0,0 +1,9 @@
+# permissions for end users to manage all kueue objects.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: batch-admin-role
+aggregationRule:
+  clusterRoleSelectors:
+  - matchLabels:
+      rbac.kueue.x-k8s.io/batch-admin: "true"
diff --git a/config/rbac/batch_user_role.yaml b/config/rbac/batch_user_role.yaml
@@ -0,0 +1,9 @@
+# permissions for end users to run jobs.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: batch-user-role
+aggregationRule:
+  clusterRoleSelectors:
+  - matchLabels:
+      rbac.kueue.x-k8s.io/batch-user: "true"
diff --git a/config/rbac/clusterqueue_editor_role.yaml b/config/rbac/clusterqueue_editor_role.yaml
@@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: clusterqueue-editor-role
+  labels:
+    rbac.kueue.x-k8s.io/batch-admin: "true"
 rules:
 - apiGroups:
   - kueue.x-k8s.io

diff --git a/config/rbac/clusterqueue_viewer_role.yaml b/config/rbac/clusterqueue_viewer_role.yaml
@@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: clusterqueue-viewer-role
+  labels:
+    rbac.kueue.x-k8s.io/batch-admin: "true"
 rules:
 - apiGroups:
   - kueue.x-k8s.io

diff --git a/config/rbac/job_editor_role.yaml b/config/rbac/job_editor_role.yaml
@@ -0,0 +1,27 @@
+# permissions for end users to edit jobs.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: job-editor-role
+  labels:
+    rbac.kueue.x-k8s.io/batch-admin: "true"
+    rbac.kueue.x-k8s.io/batch-user: "true"
+rules:
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs/status
+  verbs:
+  - get
diff --git a/config/rbac/job_viewer_role.yaml b/config/rbac/job_viewer_role.yaml
@@ -0,0 +1,23 @@
+# permissions for end users to view jobs.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: job-viewer-role
+  labels:
+    rbac.kueue.x-k8s.io/batch-admin: "true"
+    rbac.kueue.x-k8s.io/batch-user: "true"
+rules:
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs/status
+  verbs:
+  - get
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -16,3 +16,16 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# ClusterRoles for Kueue APIs
+- batch_admin_role.yaml
+- batch_user_role.yaml
+- clusterqueue_editor_role.yaml
+- clusterqueue_viewer_role.yaml
+- job_editor_role.yaml
+- job_viewer_role.yaml
+- queue_editor_role.yaml
+- queue_viewer_role.yaml
+- queuedworkload_editor_role.yaml
+- queuedworkload_viewer_role.yaml
+- resourceflavor_editor_role.yaml
+- resourceflavor_viewer_role.yaml
diff --git a/config/rbac/queue_editor_role.yaml b/config/rbac/queue_editor_role.yaml
@@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: queue-editor-role
+  labels:
+    rbac.kueue.x-k8s.io/batch-admin: "true"
 rules:
 - apiGroups:
   - kueue.x-k8s.io

diff --git a/config/rbac/queue_viewer_role.yaml b/config/rbac/queue_viewer_role.yaml
@@ -3,6 +3,9 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: queue-viewer-role
+  labels:
+    rbac.kueue.x-k8s.io/batch-admin: "true"
+    rbac.kueue.x-k8s.io/batch-user: "true"
 rules:
 - apiGroups:
   - kueue.x-k8s.io

diff --git a/config/rbac/queuedworkload_editor_role.yaml b/config/rbac/queuedworkload_editor_role.yaml
@@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: queuedworkload-editor-role
+  labels:
+    rbac.kueue.x-k8s.io/batch-admin: "true"
 rules:
 - apiGroups:
   - kueue.x-k8s.io

diff --git a/config/rbac/queuedworkload_viewer_role.yaml b/config/rbac/queuedworkload_viewer_role.yaml
@@ -3,6 +3,9 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: queuedworkload-viewer-role
+  labels:
+    rbac.kueue.x-k8s.io/batch-admin: "true"
+    rbac.kueue.x-k8s.io/batch-user: "true"
 rules:
 - apiGroups:
   - kueue.x-k8s.io

diff --git a/config/rbac/resourceflavor_editor_role.yaml b/config/rbac/resourceflavor_editor_role.yaml
@@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: resourceflavor-editor-role
+  labels:
+    rbac.kueue.x-k8s.io/batch-admin: "true"
 rules:
 - apiGroups:
   - kueue.x-k8s.io
@@ -16,9 +18,3 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - kueue.x-k8s.io
-  resources:
-  - resourceflavors/status
-  verbs:
-  - get
diff --git a/config/rbac/resourceflavor_viewer_role.yaml b/config/rbac/resourceflavor_viewer_role.yaml
@@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: resourceflavor-viewer-role
+  labels:
+    rbac.kueue.x-k8s.io/batch-admin: "true"
 rules:
 - apiGroups:
   - kueue.x-k8s.io
@@ -12,9 +14,3 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - kueue.x-k8s.io
-  resources:
-  - resourceflavors/status
-  verbs:
-  - get