From 65af89720b8886950e3cab7c7b9fb56e4e74aed4 Mon Sep 17 00:00:00 2001
From: Ugo Giordano
Date: Wed, 18 Dec 2024 10:01:17 +0100
Subject: [PATCH 1/4] Removed Dashboard ServiceAccount from default RoleBinding granting anyuid SCC.
---
 controllers/components/dashboard/dashboard_controller.go | 2 --
 controllers/components/dashboard/dashboard_support.go | 7 -------
 2 files changed, 9 deletions(-)
diff --git a/controllers/components/dashboard/dashboard_controller.go b/controllers/components/dashboard/dashboard_controller.go
index ab00e315642..f4fc644a488 100644
--- a/controllers/components/dashboard/dashboard_controller.go
+++ b/controllers/components/dashboard/dashboard_controller.go
@@ -33,7 +33,6 @@ import (
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/actions/deploy"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/actions/gc"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/actions/render/kustomize"
- "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/actions/security"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/actions/updatestatus"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/handlers"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/predicates/component"
@@ -91,7 +90,6 @@ func (s *componentHandler) NewComponentReconciler(ctx context.Context, mgr ctrl.
 WithAction(initialize).
 WithAction(devFlags).
 WithAction(configureDependencies).
- WithAction(security.NewUpdatePodSecurityRoleBindingAction(serviceAccounts)).
 WithAction(kustomize.NewAction(
 kustomize.WithCache(),
 // Those are the default labels added by the legacy deploy method
diff --git a/controllers/components/dashboard/dashboard_support.go b/controllers/components/dashboard/dashboard_support.go
index 280d93a5e6c..507ad0d6652 100644
--- a/controllers/components/dashboard/dashboard_support.go
+++ b/controllers/components/dashboard/dashboard_support.go
@@ -53,13 +53,6 @@ var (
 cluster.Unknown: "/odh",
 }
 
- serviceAccounts = map[cluster.Platform][]string{
- cluster.SelfManagedRhoai: {"rhods-dashboard"},
- cluster.ManagedRhoai: {"rhods-dashboard"},
- cluster.OpenDataHub: {"odh-dashboard"},
- cluster.Unknown: {"odh-dashboard"},
- }
-
 imagesMap = map[string]string{
 "odh-dashboard-image": "RELATED_IMAGE_ODH_DASHBOARD_IMAGE",
 }
From 08d2f5f80c6e2380c2903c3342d3e3bfe6738e1d Mon Sep 17 00:00:00 2001
From: Ugo Giordano
Date: Wed, 18 Dec 2024 10:40:46 +0100
Subject: [PATCH 2/4] Removed ModelController ServiceAccount from default RoleBinding granting anyuid SCC.
---
 .../modelcontroller/modelcontroller_controller.go | 2 --
 .../components/modelcontroller/modelcontroller_support.go | 8 --------
 2 files changed, 10 deletions(-)
diff --git a/controllers/components/modelcontroller/modelcontroller_controller.go b/controllers/components/modelcontroller/modelcontroller_controller.go
index a31254708b3..6417c5e65ee 100644
--- a/controllers/components/modelcontroller/modelcontroller_controller.go
+++ b/controllers/components/modelcontroller/modelcontroller_controller.go
@@ -33,7 +33,6 @@ import (
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/actions/deploy"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/actions/gc"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/actions/render/kustomize"
- "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/actions/security"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/actions/updatestatus"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/handlers"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/predicates/component"
@@ -70,7 +69,6 @@ func (s *componentHandler) NewComponentReconciler(ctx context.Context, mgr ctrl.
 // Add ModelController specific actions
 WithAction(initialize).
 WithAction(devFlags). // devFlags triggerd by changes in DSC kserve and ModelMeshServing, also update .status.devflagurl
- WithAction(security.NewUpdatePodSecurityRoleBindingAction(serviceAccounts)).
 WithAction(kustomize.NewAction(
 kustomize.WithCache(),
 kustomize.WithLabel(labels.ODH.Component(LegacyComponentName), labels.True),
diff --git a/controllers/components/modelcontroller/modelcontroller_support.go b/controllers/components/modelcontroller/modelcontroller_support.go
index d7416780909..7d6a0f26159 100644
--- a/controllers/components/modelcontroller/modelcontroller_support.go
+++ b/controllers/components/modelcontroller/modelcontroller_support.go
@@ -2,7 +2,6 @@ package modelcontroller
 
 import (
 componentApi "github.com/opendatahub-io/opendatahub-operator/v2/apis/components/v1alpha1"
- "github.com/opendatahub-io/opendatahub-operator/v2/pkg/cluster"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/types"
 odhdeploy "github.com/opendatahub-io/opendatahub-operator/v2/pkg/deploy"
 )
@@ -20,13 +19,6 @@ var (
 imageParamMap = map[string]string{
 "odh-model-controller": "RELATED_IMAGE_ODH_MODEL_CONTROLLER_IMAGE",
 }
-
- serviceAccounts = map[cluster.Platform][]string{
- cluster.SelfManagedRhoai: {LegacyComponentName},
- cluster.ManagedRhoai: {LegacyComponentName},
- cluster.OpenDataHub: {LegacyComponentName},
- cluster.Unknown: {LegacyComponentName},
- }
 )
 
 func manifestsPath() types.ManifestInfo {
From 4d1f0d57c41b80c8c45ce0954fe730a2d80dadee Mon Sep 17 00:00:00 2001
From: Ugo Giordano
Date: Wed, 18 Dec 2024 11:42:32 +0100
Subject: [PATCH 3/4] Removed ModelMesh ServiceAccounts from default RoleBinding granting anyuid SCC.
---
 .../modelmeshserving/modelmeshserving_controller.go | 2 --
 .../modelmeshserving/modelmeshserving_support.go | 8 --------
 2 files changed, 10 deletions(-)
diff --git a/controllers/components/modelmeshserving/modelmeshserving_controller.go b/controllers/components/modelmeshserving/modelmeshserving_controller.go
index 662ae1206fb..d3c4a674558 100644
--- a/controllers/components/modelmeshserving/modelmeshserving_controller.go
+++ b/controllers/components/modelmeshserving/modelmeshserving_controller.go
@@ -32,7 +32,6 @@ import (
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/actions/deploy"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/actions/gc"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/actions/render/kustomize"
- "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/actions/security"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/actions/updatestatus"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/handlers"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/predicates/clusterrole"
@@ -69,7 +68,6 @@ func (s *componentHandler) NewComponentReconciler(ctx context.Context, mgr ctrl.
 // Add ModelMeshServing specific actions
 WithAction(initialize).
 WithAction(devFlags).
- WithAction(security.NewUpdatePodSecurityRoleBindingAction(serviceAccounts)).
 WithAction(kustomize.NewAction(
 kustomize.WithCache(),
 kustomize.WithLabel(labels.ODH.Component(LegacyComponentName), labels.True),
diff --git a/controllers/components/modelmeshserving/modelmeshserving_support.go b/controllers/components/modelmeshserving/modelmeshserving_support.go
index 8095faf0d47..38e4e7d6437 100644
--- a/controllers/components/modelmeshserving/modelmeshserving_support.go
+++ b/controllers/components/modelmeshserving/modelmeshserving_support.go
@@ -2,7 +2,6 @@ package modelmeshserving
 
 import (
 componentApi "github.com/opendatahub-io/opendatahub-operator/v2/apis/components/v1alpha1"
- "github.com/opendatahub-io/opendatahub-operator/v2/pkg/cluster"
 odhtypes "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/types"
 odhdeploy "github.com/opendatahub-io/opendatahub-operator/v2/pkg/deploy"
 )
@@ -23,13 +22,6 @@ var (
 "odh-modelmesh": "RELATED_IMAGE_ODH_MODELMESH_IMAGE",
 "odh-modelmesh-controller": "RELATED_IMAGE_ODH_MODELMESH_CONTROLLER_IMAGE",
 }
-
- serviceAccounts = map[cluster.Platform][]string{
- cluster.SelfManagedRhoai: {"modelmesh", "modelmesh-controller"},
- cluster.ManagedRhoai: {"modelmesh", "modelmesh-controller"},
- cluster.OpenDataHub: {"modelmesh", "modelmesh-controller"},
- cluster.Unknown: {"modelmesh", "modelmesh-controller"},
- }
 )
 
 func manifestsPath() odhtypes.ManifestInfo {
From 7af1f9093124f049a46b9ece180ee3d645d48ef9 Mon Sep 17 00:00:00 2001
From: Ugo Giordano
Date: Wed, 18 Dec 2024 11:45:42 +0100
Subject: [PATCH 4/4] Removed Notebook ServiceAccount from default RoleBinding granting anyuid SCC.
---
 .../components/workbenches/workbenches_controller.go | 2 --
 .../components/workbenches/workbenches_support.go | 10 ----------
 2 files changed, 12 deletions(-)
diff --git a/controllers/components/workbenches/workbenches_controller.go b/controllers/components/workbenches/workbenches_controller.go
index 6eb7a099cec..0a790c2ab81 100644
--- a/controllers/components/workbenches/workbenches_controller.go
+++ b/controllers/components/workbenches/workbenches_controller.go
@@ -30,7 +30,6 @@ import (
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/actions/deploy"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/actions/gc"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/actions/render/kustomize"
- "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/actions/security"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/actions/updatestatus"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/handlers"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/predicates/component"
@@ -62,7 +61,6 @@ func (s *componentHandler) NewComponentReconciler(ctx context.Context, mgr ctrl.
 WithAction(initialize).
 WithAction(devFlags).
 WithAction(configureDependencies).
- WithAction(security.NewUpdatePodSecurityRoleBindingAction(serviceAccounts)).
 WithAction(kustomize.NewAction(
 kustomize.WithCache(),
 kustomize.WithLabel(labels.ODH.Component(LegacyComponentName), labels.True),
diff --git a/controllers/components/workbenches/workbenches_support.go b/controllers/components/workbenches/workbenches_support.go
index 05650806330..1324a82a5fa 100644
--- a/controllers/components/workbenches/workbenches_support.go
+++ b/controllers/components/workbenches/workbenches_support.go
@@ -4,7 +4,6 @@ import (
 "path"
 
 componentApi "github.com/opendatahub-io/opendatahub-operator/v2/apis/components/v1alpha1"
- "github.com/opendatahub-io/opendatahub-operator/v2/pkg/cluster"
 odhtypes "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/types"
 odhdeploy "github.com/opendatahub-io/opendatahub-operator/v2/pkg/deploy"
 )
@@ -21,8 +20,6 @@ const (
 kfNotebookControllerPath = "kf-notebook-controller"
 kfNotebookControllerManifestSourcePath = "overlays/openshift"
 
- nbcServiceAccountName = "notebook-controller-service-account"
-
 // LegacyComponentName is the name of the component that is assigned to deployments
 // via Kustomize. Since a deployment selector is immutable, we can't upgrade existing
 // deployment to the new component name, so keep it around till we figure out a solution.
@@ -33,13 +30,6 @@ var (
 notebookControllerContextDir = path.Join(ComponentName, notebookControllerPath)
 kfNotebookControllerContextDir = path.Join(ComponentName, kfNotebookControllerPath)
 notebookContextDir = path.Join(ComponentName, notebooksPath)
-
- serviceAccounts = map[cluster.Platform][]string{
- cluster.SelfManagedRhoai: {nbcServiceAccountName},
- cluster.ManagedRhoai: {nbcServiceAccountName},
- cluster.OpenDataHub: {nbcServiceAccountName},
- cluster.Unknown: {nbcServiceAccountName},
- }
 )
 
 // manifests for nbc in ODH and RHOAI + downstream use it for imageparams.