[Feature] Watch CR in multiple namespaces with namespaced RBAC resour…
…ces (ray-project#1106)

Watch CR in multiple namespaces with namespaced RBAC resources
kevin85421 authored Jun 5, 2023
1 parent 480e842 commit 8fe3891
Showing 15 changed files with 321 additions and 58 deletions.
4 changes: 2 additions & 2 deletions helm-chart/kuberay-operator/templates/deployment.yaml
@@ -42,10 +42,10 @@ spec:
{{- $argList = append $argList "--enable-batch-scheduler" -}}
{{- end -}}
{{- $watchNamespace := "" -}}
{{- if .Values.singleNamespaceInstall -}}
{{- if and .Values.singleNamespaceInstall (not .Values.watchNamespace) -}}
{{- $watchNamespace = .Release.Namespace -}}
{{- else if .Values.watchNamespace -}}
{{- $watchNamespace = .Values.watchNamespace -}}
{{- $watchNamespace = join "," .Values.watchNamespace -}}
{{- end -}}
{{- if $watchNamespace -}}
{{- $argList = append $argList "--watch-namespace" -}}
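Review bot: Setting `watchNamespace` without `singleNamespaceInstall` narrows only what the operator watches, not what its ServiceAccount may do: the `else if` branch still passes `--watch-namespace`, while the `role.yaml` section of this commit appears to keep a cluster-wide `ClusterRole` in that mode. That combination is easy to misread as namespace isolation. `watchNamespace` is also now consumed as a list (`join "," .Values.watchNamespace`), which the template does not say. A template comment above the branch would cover both, for example `{{- /* watchNamespace is a list and only limits the watch scope; RBAC is namespaced only when singleNamespaceInstall is true */ -}}`.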
12 changes: 10 additions & 2 deletions helm-chart/kuberay-operator/templates/leader_election_role.yaml
@@ -2,8 +2,7 @@
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "kuberay-operator.labels" . | indent 4 }}
labels: {{ include "kuberay-operator.labels" . | nindent 4 }}
name: {{ include "kuberay-operator.fullname" . }}-leader-election
rules:
- apiGroups:
@@ -32,4 +31,13 @@ rules:
- events
verbs:
- create
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- list
- update
{{- end }}
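Review bot: The new `coordination.k8s.io` `leases` rule applies to every Lease in the release namespace, although leader election works on a single named lease; `get` and `update` can be limited with `resourceNames`, while `create` has to stay unrestricted because RBAC cannot match a name on create. `list` does not appear to be needed by lease-based leader election, so consider dropping it unless the operator lists leases elsewhere. The same four-verb rule is also added at the top of `multiple_namespaces_role.yaml`, where it is granted in every watched namespace. The lease name is not visible on this page, so the sketch below uses a placeholder.

```yaml
# … unchanged: existing rules above …
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  resourceNames:
  - LEASE_NAME_PLACEHOLDER  # placeholder: the operator's leader-election lease name
  verbs:
  - get
  - update
```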
@@ -2,8 +2,7 @@
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "kuberay-operator.labels" . | indent 4 }}
labels: {{ include "kuberay-operator.labels" . | nindent 4 }}
name: {{ include "kuberay-operator.fullname" . }}-leader-election
subjects:
- kind: ServiceAccount
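--- a/helm-chart/kuberay-operator/templates/multiple_namespaces_role.yaml
+++ b/helm-chart/kuberay-operator/templates/multiple_namespaces_role.yaml
@@ -0,0 +1,240 @@
+# Install Role for namespaces listed in watchNamespace.
+# This should be consistent with `role.yaml`, except for the `kind` field.
+{{- if and .Values.rbacEnable .Values.singleNamespaceInstall }}
+{{- $watchNamespaces := default (list .Release.Namespace) .Values.watchNamespace }}
+{{- range $namespace := $watchNamespaces }}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+labels: {{ include "kuberay-operator.labels" $ | nindent 4 }}
+name: {{ include "kuberay-operator.fullname" $ }}
+namespace: {{ $namespace }}
+rules:
+- apiGroups:
+- coordination.k8s.io
+resources:
+- leases
+verbs:
+- create
+- get
+- list
+- update
+- apiGroups:
+- ""
+resources:
+- events
+verbs:
+- create
+- delete
+- get
+- list
+- patch
+- update
+- watch
+- apiGroups:
+- ""
+resources:
+- pods
+verbs:
+- create
+- delete
+- get
+- list
+- patch
+- update
+- watch
+- apiGroups:
+- ""
+resources:
+- pods/status
+verbs:
+- create
+- delete
+- get
+- list
+- patch
+- update
+- watch
+- apiGroups:
+- ""
+resources:
+- serviceaccounts
+verbs:
+- create
+- delete
+- get
+- list
+- watch
+- apiGroups:
+- ""
+resources:
+- services
+verbs:
+- create
+- delete
+- get
+- list
+- patch
+- update
+- watch
+- apiGroups:
+- ""
+resources:
+- services/status
+verbs:
+- get
+- patch
+- update
+- apiGroups:
+- extensions
+resources:
+- ingresses
+verbs:
+- create
+- delete
+- get
+- list
+- patch
+- update
+- watch
+- apiGroups:
+- networking.k8s.io
+resources:
+- ingressclasses
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- networking.k8s.io
+resources:
+- ingresses
+verbs:
+- create
+- delete
+- get
+- list
+- patch
+- update
+- watch
+- apiGroups:
+- ray.io
+resources:
+- rayclusters
+verbs:
+- create
+- delete
+- get
+- list
+- patch
+- update
+- watch
+- apiGroups:
+- ray.io
+resources:
+- rayclusters/finalizers
+verbs:
+- update
+- apiGroups:
+- ray.io
+resources:
+- rayclusters/status
+verbs:
+- get
+- patch
+- update
+- apiGroups:
+- ray.io
+resources:
+- rayjobs
+verbs:
+- create
+- delete
+- get
+- list
+- patch
+- update
+- watch
+- apiGroups:
+- ray.io
+resources:
+- rayjobs/finalizers
+verbs:
+- update
+- apiGroups:
+- ray.io
+resources:
+- rayjobs/status
+verbs:
+- get
+- patch
+- update
+- apiGroups:
+- ray.io
+resources:
+- rayservices
+verbs:
+- create
+- delete
+- get
+- list
+- patch
+- update
+- watch
+- apiGroups:
+- ray.io
+resources:
+- rayservices/finalizers
+verbs:
+- update
+- apiGroups:
+- ray.io
+resources:
+- rayservices/status
+verbs:
+- get
+- patch
+- update
+- apiGroups:
+- rbac.authorization.k8s.io
+resources:
+- rolebindings
+verbs:
+- create
+- delete
+- get
+- list
+- watch
+- apiGroups:
+- rbac.authorization.k8s.io
+resources:
+- roles
+verbs:
+- create
+- delete
+- get
+- list
+- update
+- watch
+{{- if $.Values.batchScheduler.enabled }}
+- apiGroups:
+- scheduling.volcano.sh
+resources:
+- podgroups
+verbs:
+- create
+- delete
+- get
+- list
+- update
+- watch
+- apiGroups:
+- apiextensions.k8s.io
+resources:
+- customresourcedefinitions
+verbs:
+- get
+{{- end }}
+{{- end }}
+{{- end }}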
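Review bot: The `networking.k8s.io` `ingressclasses` rule and, under `batchScheduler.enabled`, the `apiextensions.k8s.io` `customresourcedefinitions` rule name cluster-scoped resources, which a namespaced `Role` cannot grant, so in this mode both rules are inert and the operator's reads of those resources would presumably be denied. Either drop them here or keep a minimal `ClusterRole` and `ClusterRoleBinding` limited to the read verbs those two rules already list, and add a comment such as `# cluster-scoped: not grantable from a namespaced Role` where this file intentionally diverges from `role.yaml`. Separately, `namespace: {{ $namespace }}` is rendered unquoted here and in the RoleBinding template that follows; `namespace: {{ $namespace | quote }}` keeps an all-digit or boolean-looking entry a string.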
@@ -0,0 +1,22 @@
# Install RoleBinding for namespaces listed in watchNamespace.
# This should be consistent with `rolebinding.yaml`, except for the `kind` field.
{{- if and .Values.rbacEnable .Values.singleNamespaceInstall }}
{{- $watchNamespaces := default (list .Release.Namespace) .Values.watchNamespace }}
{{- range $namespace := $watchNamespaces }}
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels: {{ include "kuberay-operator.labels" $ | nindent 4 }}
name: {{ include "kuberay-operator.fullname" $ }}
namespace: {{ $namespace }}
subjects:
- kind: ServiceAccount
name: {{ $.Values.serviceAccount.name }}
namespace: {{ $.Release.Namespace }}
roleRef:
kind: Role
name: {{ include "kuberay-operator.fullname" $ }}
apiGroup: rbac.authorization.k8s.io
{{- end }}
{{- end }}
@@ -1,15 +1,10 @@
# permissions for end users to edit rayjobs.
{{- if .Values.rbacEnable }}
{{- if and .Values.rbacEnable (not .Values.singleNamespaceInstall) }}

{{- if .Values.singleNamespaceInstall }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "kuberay-operator.labels" . | indent 4 }}
labels: {{ include "kuberay-operator.labels" . | nindent 4 }}
name: rayjob-editor-role
rules:
- apiGroups:
@@ -1,15 +1,10 @@
# permissions for end users to view rayjobs.
{{- if .Values.rbacEnable }}
{{- if and .Values.rbacEnable (not .Values.singleNamespaceInstall) }}

{{- if .Values.singleNamespaceInstall }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "kuberay-operator.labels" . | indent 4 }}
labels: {{ include "kuberay-operator.labels" . | nindent 4 }}
name: rayjob-viewer-role
rules:
- apiGroups:
@@ -1,12 +1,7 @@
# permissions for end users to edit rayservices.
{{- if .Values.rbacEnable }}
{{- if and .Values.rbacEnable (not .Values.singleNamespaceInstall) }}
apiVersion: rbac.authorization.k8s.io/v1

{{- if .Values.singleNamespaceInstall }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
name: rayservice-editor-role
rules:
@@ -1,12 +1,7 @@
# permissions for end users to view rayservices.
{{- if .Values.rbacEnable }}
{{- if and .Values.rbacEnable (not .Values.singleNamespaceInstall) }}
apiVersion: rbac.authorization.k8s.io/v1

{{- if .Values.singleNamespaceInstall }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
name: rayservice-viewer-role
rules:
6 changes: 1 addition & 5 deletions helm-chart/kuberay-operator/templates/role.yaml
@@ -1,10 +1,6 @@
{{- if .Values.rbacEnable }}
{{- if and .Values.rbacEnable (not .Values.singleNamespaceInstall) }}

{{- if .Values.singleNamespaceInstall }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels: