docs/guides/rbac-for-users/readme.md
30 lines changed: 30 additions & 0 deletions
@@ -68,6 +68,7 @@ The kubeconfig file should be placed in a location where HPE employees have read
68
68
The next step is to create ClusterRole and ClusterRoleBinding resources. The ClusterRole provided allows viewing all cluster and namespace scoped resources, but disallows creating, deleting, or modifying any resources.
69
69
70
70
ClusterRole
71
+
71
72
```yaml
72
73
apiVersion: rbac.authorization.k8s.io/v1
73
74
kind: ClusterRole
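Review bot: style point on the added blank line at new line 71: it separates the `ClusterRole` label from the ```yaml fence so the fence opens on its own paragraph, which is the right fix for renderers that treat a fence immediately after a text line as part of that paragraph. The label itself remains a bare text line; if the guide uses headings or bold labels elsewhere for these manifests, consider applying the same style here so the block is visibly titled.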
@@ -80,6 +81,7 @@ rules:
80
81
```
81
82
82
83
ClusterRoleBinding
84
+
83
85
```yaml
84
86
apiVersion: rbac.authorization.k8s.io/v1
85
87
kind: ClusterRoleBinding
@@ -138,6 +140,7 @@ If the "flux" user requires only the normal WLM permissions, then create and app
138
140
The `dws-workload-manager role is defined in [workload_manager_role.yaml](https://github.com/DataWorkflowServices/dws/blob/master/config/rbac/workload_manager_role.yaml).
139
141
140
142
ClusterRoleBinding for WLM permissions only:
143
+
141
144
```yaml
142
145
apiVersion: rbac.authorization.k8s.io/v1
143
146
kind: ClusterRoleBinding
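Review bot: the unchanged context line at 140, "The `dws-workload-manager role is defined in ...", has an unbalanced backtick (the closing one after `dws-workload-manager` is missing), so the inline code span runs into the rest of the sentence. Since this region is being touched to add the blank line, suggest fixing it in the same change: "The `dws-workload-manager` role is defined in ...", matching the form used for `nnf-workload-manager` in the following section.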
@@ -158,6 +161,7 @@ If the "flux" user requires the normal WLM permissions as well as some of the NN
158
161
The `nnf-workload-manager` role is defined in [workload_manager_nnf_role.yaml](https://github.com/NearNodeFlash/nnf-sos/blob/master/config/rbac/workload_manager_nnf_role.yaml).
159
162
160
163
ClusterRoleBinding for WLM and NNF permissions:
164
+
161
165
```yaml
162
166
apiVersion: rbac.authorization.k8s.io/v1
163
167
kind: ClusterRoleBinding
@@ -173,4 +177,30 @@ roleRef:
173
177
apiGroup: rbac.authorization.k8s.io
174
178
```
175
179
180
+
If the "flux" user also requires "get" access to pods and their logs in the "default" namespace, then there is also a namespaced Role resource to provide that access. Create a RoleBinding to associate the "flux" user with the "nnf-workload-manager-coregrp" Role. The "flux" user will be bound to access the NNF resources, across all namespaces, via the ClusterRoleBinding above and it will be bound to access the pod resources, in only the "default" namespace, via this RoleBinding.
181
+
182
+
```console
183
+
kubectl get role -n default nnf-workload-manager-coregrp
184
+
```
185
+
186
+
The `nnf-workload-manager-coregrp` role is defined in [workload_manager_nnf_role_ns.yaml](https://github.com/NearNodeFlash/nnf-sos/blob/master/config/rbac-ns/workload_manager_nnf_role_ns.yaml).
187
+
188
+
RoleBinding for pod permissions:
189
+
190
+
```yaml
191
+
kind: RoleBinding
192
+
apiVersion: rbac.authorization.k8s.io/v1
193
+
metadata:
194
+
name: flux
195
+
namespace: default
196
+
subjects:
197
+
- kind: User
198
+
name: flux
199
+
apiGroup: rbac.authorization.k8s.io
200
+
roleRef:
201
+
kind: Role
202
+
name: nnf-workload-manager-coregrp
203
+
apiGroup: ""
204
+
```
205
+
176
206
The WLM should then use the kubeconfig file associated with this "flux" user to access the DataWorkflowServices API and the Rabbit system.
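Review bot: logic problem in the new RoleBinding at line 203: `apiGroup: ""` under `roleRef` is not valid for a reference to a `Role`. The RBAC API only accepts `rbac.authorization.k8s.io` as `roleRef.apiGroup` for Role and ClusterRole references, so `kubectl apply` of this manifest as written will be rejected by the API server's RBAC validation, and a reader copying it will hit that error before the "flux" user gets pod access. Suggest `apiGroup: rbac.authorization.k8s.io`, which is also what the ClusterRoleBinding example immediately above uses for its `roleRef` (context line 177). The subject entry already uses the correct group. A second, smaller point: the new prose says the user "will be bound to access the pod resources, in only the "default" namespace"; the RoleBinding's `metadata.namespace: default` is what enforces that scope, so it may help to call that out explicitly next to the manifest since it is the one field a reader changes when granting the same access in another namespace.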