diff --git a/pipeline/api-service/base/role.yaml b/pipeline/api-service/base/role.yaml index a925cc6c2e..18fc4b0d4e 100644 --- a/pipeline/api-service/base/role.yaml +++ b/pipeline/api-service/base/role.yaml @@ -34,4 +34,10 @@ rules: - pods verbs: - delete +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create diff --git a/pipeline/installs/multi-user/api-service/cluster-role.yaml b/pipeline/installs/multi-user/api-service/cluster-role.yaml index a88f27ff9e..f5565fe5c3 100644 --- a/pipeline/installs/multi-user/api-service/cluster-role.yaml +++ b/pipeline/installs/multi-user/api-service/cluster-role.yaml @@ -32,3 +32,9 @@ rules: - pods verbs: - delete +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create diff --git a/pipeline/installs/multi-user/kustomization.yaml b/pipeline/installs/multi-user/kustomization.yaml index dc5fc4607b..8fd7ef5a3a 100644 --- a/pipeline/installs/multi-user/kustomization.yaml +++ b/pipeline/installs/multi-user/kustomization.yaml @@ -15,6 +15,7 @@ resources: - cache - metadata-writer - istio-authorization-config.yaml +- view-edit-roles.yaml patchesStrategicMerge: - api-service/deployment-patch.yaml - pipelines-ui/deployment-patch.yaml diff --git a/pipeline/installs/multi-user/view-edit-roles.yaml b/pipeline/installs/multi-user/view-edit-roles.yaml new file mode 100644 index 0000000000..f7370361a6 --- /dev/null +++ b/pipeline/installs/multi-user/view-edit-roles.yaml @@ -0,0 +1,114 @@ +# NOTE: IMPORTANT +# We need to separate out actual rules from aggregation rules due to +# https://github.com/kubernetes/kubernetes/issues/65171 +# TL;DR: We can't have both aggregation and rules in a [Cluster]Role. When that +# is the case, the rules get ignored. +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + name: kubeflow-pipeline-edit +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipeline-edit: "true" +rules: [] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipeline-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" + name: kubeflow-pipeline-view +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipeline-view: "true" +rules: [] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipeline-edit: "true" + name: aggregate-to-pipeline-edit +rules: +- apiGroups: + - pipelines.kubeflow.org + resources: + - pipelines + - pipelines/versions + verbs: + - create + - delete +- apiGroups: + - pipelines.kubeflow.org + resources: + - experiments + verbs: + - archive + - create + - delete + - unarchive +- apiGroups: + - pipelines.kubeflow.org + resources: + - runs + verbs: + - archive + - create + - delete + - retry + - terminate + - unarchive +- apiGroups: + - pipelines.kubeflow.org + resources: + - jobs + verbs: + - create + - delete + - disable + - enable + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipeline-view: "true" + name: aggregate-to-pipeline-view +rules: +- apiGroups: + - pipelines.kubeflow.org + resources: + - pipelines + - pipelines/versions + - experiments + - runs + - jobs + verbs: + - get + - list +- apiGroups: + - kubeflow.org + resources: + - viewers + verbs: + - create + - get + - delete +- apiGroups: + - pipelines.kubeflow.org + resources: + - visualizations + verbs: + - create diff --git a/pipeline/upstream/base/pipeline/ml-pipeline-apiserver-role.yaml b/pipeline/upstream/base/pipeline/ml-pipeline-apiserver-role.yaml index fe8146b3d8..95bda817ee 100644 --- a/pipeline/upstream/base/pipeline/ml-pipeline-apiserver-role.yaml +++ b/pipeline/upstream/base/pipeline/ml-pipeline-apiserver-role.yaml @@ -35,4 +35,10 @@ rules: - list - update - patch - - delete \ No newline at end of file + - delete +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create diff --git a/pipeline/upstream/base/pipeline/multi-user/kustomization.yaml b/pipeline/upstream/base/pipeline/multi-user/kustomization.yaml new file mode 100644 index 0000000000..07d176c3d9 --- /dev/null +++ b/pipeline/upstream/base/pipeline/multi-user/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- view-edit-roles.yaml diff --git a/pipeline/upstream/base/pipeline/multi-user/view-edit-roles.yaml b/pipeline/upstream/base/pipeline/multi-user/view-edit-roles.yaml new file mode 100644 index 0000000000..f7370361a6 --- /dev/null +++ b/pipeline/upstream/base/pipeline/multi-user/view-edit-roles.yaml @@ -0,0 +1,114 @@ +# NOTE: IMPORTANT +# We need to separate out actual rules from aggregation rules due to +# https://github.com/kubernetes/kubernetes/issues/65171 +# TL;DR: We can't have both aggregation and rules in a [Cluster]Role. When that +# is the case, the rules get ignored. +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + name: kubeflow-pipeline-edit +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipeline-edit: "true" +rules: [] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipeline-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" + name: kubeflow-pipeline-view +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipeline-view: "true" +rules: [] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipeline-edit: "true" + name: aggregate-to-pipeline-edit +rules: +- apiGroups: + - pipelines.kubeflow.org + resources: + - pipelines + - pipelines/versions + verbs: + - create + - delete +- apiGroups: + - pipelines.kubeflow.org + resources: + - experiments + verbs: + - archive + - create + - delete + - unarchive +- apiGroups: + - pipelines.kubeflow.org + resources: + - runs + verbs: + - archive + - create + - delete + - retry + - terminate + - unarchive +- apiGroups: + - pipelines.kubeflow.org + resources: + - jobs + verbs: + - create + - delete + - disable + - enable + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipeline-view: "true" + name: aggregate-to-pipeline-view +rules: +- apiGroups: + - pipelines.kubeflow.org + resources: + - pipelines + - pipelines/versions + - experiments + - runs + - jobs + verbs: + - get + - list +- apiGroups: + - kubeflow.org + resources: + - viewers + verbs: + - create + - get + - delete +- apiGroups: + - pipelines.kubeflow.org + resources: + - visualizations + verbs: + - create