feat: add aggregated clusterrole

j4ckstraw · j4ckstraw · commit 857255b838f9 · 2025-03-12T19:11:05.000+08:00
kubernetes design user-facing roles: view/edit/admin. add aggregated clusterrole to support multi-tenant scenario see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings Signed-off-by: j4ckstraw <j4ckstraw@foxmail.com>
diff --git a/helm-chart/kuberay-operator/Chart.yaml b/helm-chart/kuberay-operator/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 description: A Helm chart for Kubernetes
 name: kuberay-operator
-version: 1.1.0
+version: 1.1.1
 icon: https://github.com/ray-project/ray/raw/master/doc/source/images/ray_header_logo.png
 type: application
diff --git a/helm-chart/kuberay-operator/templates/ray_raycluster_role.yaml b/helm-chart/kuberay-operator/templates/ray_raycluster_role.yaml
@@ -0,0 +1,38 @@
+# permissions for end users to view rayjobs.
+{{- if and .Values.rbacEnable (not .Values.singleNamespaceInstall) }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: raycluster-viewer-role
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups:
+  - ray.io
+  resources:
+  - rayjobs
+  - rayjobs/status
+  verbs:
+  - get
+  - list
+  - watch
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: raycluster-editor-role
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups:
+  - ray.io
+  resources:
+  - rayjobs
+  verbs:
+  - create
+  - update
+  - delete
+  - patch
+  - deletecollection
+{{- end }}
diff --git a/helm-chart/kuberay-operator/templates/ray_rayjob_role.yaml b/helm-chart/kuberay-operator/templates/ray_rayjob_role.yaml
@@ -1,28 +1,38 @@
 # permissions for end users to edit rayjobs.
 {{- if and .Values.rbacEnable (not .Values.singleNamespaceInstall) }}
-
+---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  labels: {{ include "kuberay-operator.labels" . | nindent 4 }}
-  name: rayjob-editor-role
+  name: rayjob-viewer-role
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
 rules:
 - apiGroups:
   - ray.io
   resources:
   - rayjobs
+  - rayjobs/status
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
   - watch
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: rayjob-editor-role
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
 - apiGroups:
   - ray.io
   resources:
-  - rayjobs/status
+  - rayjobs
   verbs:
-  - get
+  - create
+  - delete
+  - patch
+  - update
+  - deletecollection
 {{- end }}
diff --git a/helm-chart/kuberay-operator/templates/ray_rayjob_viewer_role.yaml b/helm-chart/kuberay-operator/templates/ray_rayjob_viewer_role.yaml
diff --git a/helm-chart/kuberay-operator/templates/ray_rayservice_editor_role.yaml b/helm-chart/kuberay-operator/templates/ray_rayservice_editor_role.yaml
diff --git a/helm-chart/kuberay-operator/templates/ray_rayservice_role.yaml b/helm-chart/kuberay-operator/templates/ray_rayservice_role.yaml
@@ -1,22 +1,38 @@
 # permissions for end users to view rayservices.
 {{- if and .Values.rbacEnable (not .Values.singleNamespaceInstall) }}
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: rayservice-viewer-role
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
 rules:
 - apiGroups:
   - ray.io
   resources:
   - rayservices
+  - rayservices/status
   verbs:
   - get
   - list
   - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: rayservice-editor-role
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
 - apiGroups:
   - ray.io
   resources:
-  - rayservices/status
+  - rayservices
   verbs:
-  - get
-{{- end }}
+  - create
+  - delete
+  - patch
+  - update
+  - deletecollection
+{{- end }}
