feat: add aggregated clusterrole #3193
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| apiVersion: v2 | ||
| description: A Helm chart for Kubernetes | ||
| name: kuberay-operator | ||
| version: 1.1.1 | ||
| icon: https://github.com/ray-project/ray/raw/master/doc/source/images/ray_header_logo.png | ||
| type: application | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| # permissions for end users to view rayjobs. | ||
| {{- if and .Values.rbacEnable (not .Values.singleNamespaceInstall) }} | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: raycluster-editor-role | ||
| labels: | ||
| rbac.authorization.k8s.io/aggregate-to-edit: "true" | ||
| rules: | ||
| - apiGroups: | ||
| - ray.io | ||
| resources: | ||
| - rayclusters | ||
| verbs: | ||
| - create | ||
| - update | ||
| - delete | ||
| - patch | ||
| - deletecollection | ||
| {{- end }} |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| # permissions for end users to view rayjobs. | ||
| {{- if and .Values.rbacEnable (not .Values.singleNamespaceInstall) }} | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: raycluster-viewer-role | ||
| labels: | ||
| rbac.authorization.k8s.io/aggregate-to-view: "true" | ||
| rules: | ||
| - apiGroups: | ||
| - ray.io | ||
| resources: | ||
| - rayclusters | ||
| - rayclusters/status | ||
| verbs: | ||
| - get | ||
| - list | ||
| - watch | ||
| {{- end }} |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,24 +1,19 @@ | ||
| # permissions for end users to edit rayjobs. | ||
| {{- if and .Values.rbacEnable (not .Values.singleNamespaceInstall) }} | ||
MortalHappiness marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: rayjob-viewer-role | ||
| labels: | ||
| rbac.authorization.k8s.io/aggregate-to-view: "true" | ||
| rules: | ||
| - apiGroups: | ||
| - ray.io | ||
| resources: | ||
| - rayjobs | ||
| - rayjobs/status | ||
| verbs: | ||
|
There was a problem hiding this comment. Why grant additional There was a problem hiding this comment. I just refer to kubernetes default clusterrole system:aggregate-to-view https://github.com/kubernetes/kubernetes/blob/b4c6895d0b0a913e3461bdc78358aa9514604b8f/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go#L111, it grant */status to view clusterrole. If rayxxx/status is not appropriate to be here, I can remove it. There was a problem hiding this comment. cc @kevin85421 Do you think it is okay to grant those additional permissions to status? Personally, I think it is fine to grant them. There was a problem hiding this comment. It's fine with me. I plan to revisit all RBAC permissions soon and can decide whether to remove it at that time. We can leave it as is for this PR. |
||
| - get | ||
| - list | ||
| - watch | ||
| {{- end }} | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| --- | ||
| # Source: kuberay-operator/templates/ray_raycluster_editor_role.yaml | ||
| # permissions for end users to view rayjobs. | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: raycluster-editor-role | ||
| labels: | ||
| rbac.authorization.k8s.io/aggregate-to-edit: "true" | ||
| rules: | ||
| - apiGroups: | ||
| - ray.io | ||
| resources: | ||
| - rayclusters | ||
| verbs: | ||
| - create | ||
| - update | ||
| - delete | ||
| - patch | ||
| - deletecollection |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| --- | ||
| # Source: kuberay-operator/templates/ray_raycluster_viewer_role.yaml | ||
| # permissions for end users to view rayjobs. | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: raycluster-viewer-role | ||
| labels: | ||
| rbac.authorization.k8s.io/aggregate-to-view: "true" | ||
| rules: | ||
| - apiGroups: | ||
| - ray.io | ||
| resources: | ||
| - rayclusters | ||
| - rayclusters/status | ||
| verbs: | ||
| - get | ||
| - list | ||
| - watch |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,20 +1,19 @@ | ||
| --- | ||
| # Source: kuberay-operator/templates/ray_rayjob_viewer_role.yaml | ||
| # permissions for end users to edit rayjobs. | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: rayjob-viewer-role | ||
| labels: | ||
| rbac.authorization.k8s.io/aggregate-to-view: "true" | ||
| rules: | ||
| - apiGroups: | ||
| - ray.io | ||
| resources: | ||
| - rayjobs | ||
| - rayjobs/status | ||
| verbs: | ||
| - get | ||
| - list | ||
| - watch | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,20 +1,19 @@ | ||
| --- | ||
| # Source: kuberay-operator/templates/ray_rayservice_viewer_role.yaml | ||
| # permissions for end users to view rayservices. | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: ClusterRole | ||
| metadata: | ||
| name: rayservice-viewer-role | ||
| labels: | ||
| rbac.authorization.k8s.io/aggregate-to-view: "true" | ||
| rules: | ||
| - apiGroups: | ||
| - ray.io | ||
| resources: | ||
| - rayservices | ||
| - rayservices/status | ||
| verbs: | ||
| - get | ||
| - list | ||
| - watch | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why this line needs to be changed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
chart has changed, if version not update, users cannot distinguish between new and old versions.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cc @kevin85421 Do you consider this only a patch version change, or do you think it is better to update the version to
1.2.0or2.0.0?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oops, I wasn't aware that it's 1.1.0. We should change it to nightly instead. Typically, I only update
versionin the release branch. I don't know why I updated it before.