From 36c0eab30f308ed728e25996b86877a8fd4fb6a6 Mon Sep 17 00:00:00 2001
From: Ilias Katsakioris
Date: Thu, 5 Nov 2020 20:10:53 +0200
Subject: [PATCH] [Manifests] Extend manifests for SubjectAccessReview

* API Server: Allow creating SubjectAccessReviews
* Add cluster-scoped view/edit roles
---
 .../templates/pipeline.yaml                  |   6 +
 .../cluster-scoped/kustomization.yaml        |   1 +
 .../cluster-scoped/view-edit-roles.yaml      | 108 ++++++++++++++++++
 .../pipeline/ml-pipeline-apiserver-role.yaml |   8 +-
 4 files changed, 122 insertions(+), 1 deletion(-)
 create mode 100644 manifests/kustomize/base/pipeline/cluster-scoped/view-edit-roles.yaml

diff --git a/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/pipeline.yaml b/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/pipeline.yaml
index c2f426692e05..f4c507c2eb23 100644
--- a/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/pipeline.yaml
+++ b/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/pipeline.yaml
@@ -273,6 +273,12 @@ rules:
   - update
   - patch
   - delete
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/manifests/kustomize/base/pipeline/cluster-scoped/kustomization.yaml b/manifests/kustomize/base/pipeline/cluster-scoped/kustomization.yaml
index 9a92c2ced66d..8d5769d8279b 100644
--- a/manifests/kustomize/base/pipeline/cluster-scoped/kustomization.yaml
+++ b/manifests/kustomize/base/pipeline/cluster-scoped/kustomization.yaml
@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
 - scheduled-workflow-crd.yaml
 - viewer-crd.yaml
+- view-edit-roles.yaml
diff --git a/manifests/kustomize/base/pipeline/cluster-scoped/view-edit-roles.yaml b/manifests/kustomize/base/pipeline/cluster-scoped/view-edit-roles.yaml
new file mode 100644
index 000000000000..e4b047c42d3c
--- /dev/null
+++ b/manifests/kustomize/base/pipeline/cluster-scoped/view-edit-roles.yaml
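Review bot: The new `subjectaccessreviews` rule only takes effect if the document it is appended to is a ClusterRole, and the hunk does not show that document's `kind`; the document that follows it in the same file is a namespaced `Role`, and `SubjectAccessReview` is a cluster-scoped resource, so if this one is a `Role` too the RBAC authorizer will never match the rule (Role rules are consulted only for namespaced requests) and the API server's SAR calls will be rejected with 403. Please confirm the enclosing document is a ClusterRole bound to the API server's service account through a ClusterRoleBinding, or move the rule into one. A one-line comment above the rule would save the next reader the same check: `# SubjectAccessReview is cluster-scoped; this rule is only effective inside a ClusterRole`. The `rules:` list this hunk extends starts above the hunk.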
@@ -0,0 +1,108 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
+  name: kubeflow-pipeline-edit
+aggregationRule:
+  clusterRoleSelectors:
+  - matchLabels:
+      rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipeline-edit: "true"
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipeline-edit: "true"
+    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
+  name: kubeflow-pipeline-view
+aggregationRule:
+  clusterRoleSelectors:
+  - matchLabels:
+      rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipeline-view: "true"
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipeline-edit: "true"
+  name: aggregate-to-pipeline-edit
+rules:
+- apiGroups:
+  - pipelines.kubeflow.org
+  resources:
+  - pipelines
+  - pipelines/versions
+  verbs:
+  - create
+  - delete
+- apiGroups:
+  - pipelines.kubeflow.org
+  resources:
+  - experiments
+  verbs:
+  - archive
+  - create
+  - delete
+  - unarchive
+- apiGroups:
+  - pipelines.kubeflow.org
+  resources:
+  - runs
+  verbs:
+  - archive
+  - create
+  - delete
+  - retry
+  - terminate
+  - unarchive
+- apiGroups:
+  - pipelines.kubeflow.org
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - disable
+  - enable
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipeline-view: "true"
+  name: aggregate-to-pipeline-view
+rules:
+- apiGroups:
+  - pipelines.kubeflow.org
+  resources:
+  - pipelines
+  - pipelines/versions
+  - experiments
+  - runs
+  - jobs
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - kubeflow.org
+  resources:
+  - viewers
+  verbs:
+  - create
+  - get
+  - delete
+- apiGroups:
+  - pipelines.kubeflow.org
+  resources:
+  - visualizations
+  verbs:
+  - create
diff --git a/manifests/kustomize/base/pipeline/ml-pipeline-apiserver-role.yaml b/manifests/kustomize/base/pipeline/ml-pipeline-apiserver-role.yaml
index fe8146b3d847..95bda817ee58 100644
--- a/manifests/kustomize/base/pipeline/ml-pipeline-apiserver-role.yaml
+++ b/manifests/kustomize/base/pipeline/ml-pipeline-apiserver-role.yaml
@@ -35,4 +35,10 @@ rules:
   - list
   - update
   - patch
-  - delete
\ No newline at end of file
+  - delete
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
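Review bot: `aggregate-to-pipeline-view` is a view role that grants write verbs: `create`/`delete` on `viewers` in `kubeflow.org` and `create` on `visualizations`, and because `kubeflow-pipeline-view` carries `aggregate-to-kubeflow-view: "true"`, every principal holding the generic Kubeflow view role inherits them and can create Viewer objects (presumably the CRD from `viewer-crd.yaml` in the same kustomization, acted on by a controller) and trigger visualization runs. If that is intentional it needs a comment saying so; otherwise those two rules belong in `aggregate-to-pipeline-edit`, leaving `get`/`list` on `viewers` in the view role. The `pipelines.kubeflow.org` resources and verbs such as `archive`, `retry`, `terminate`, `disable` and `enable` are not served by the Kubernetes API and only mean something when the pipeline API server sends them in a SubjectAccessReview, so a header comment would stop a future reader from "fixing" them: `# Virtual resources/verbs: never served by kube-apiserver, only evaluated via SubjectAccessReviews issued by ml-pipeline`. The file also has no leading `---`, which the multi-document style used further down suggests it should.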
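Review bot: `ml-pipeline-apiserver-role.yaml` is, by its name, a namespaced `Role` (the `kind` line is above the hunk, so I cannot confirm it here), and a Role cannot grant `create` on `subjectaccessreviews`: the resource is cluster-scoped, the RBAC authorizer never matches Role rules against non-namespaced requests, and the API server's SAR checks would fail with 403, which turns every authorization check into a denial. If the kind is `Role`, move this rule into a ClusterRole for the `ml-pipeline` service account bound through a ClusterRoleBinding, and keep the rest of the namespaced rules where they are. If the kind is already `ClusterRole`, a comment such as `# subjectaccessreviews is cluster-scoped; must stay in a ClusterRole` would make that constraint visible at the rule.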