diff --git a/config/manifests/bases/codeflare-operator.clusterserviceversion.yaml b/config/manifests/bases/codeflare-operator.clusterserviceversion.yaml index 5531e61a8..04a0b301d 100644 --- a/config/manifests/bases/codeflare-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/codeflare-operator.clusterserviceversion.yaml @@ -50,23 +50,7 @@ metadata: namespace: placeholder spec: apiservicedefinitions: {} - customresourcedefinitions: - owned: - - description: AppWrapper is the Schema for the AppWrapper API - displayName: AppWrapper - kind: AppWrappers - name: appwrappers.workload.codeflare.dev - version: v1beta1 - - description: SchedulingSpec is the Schema for the SchedulingSpec API - displayName: SchedulingSpec - kind: SchedulingSpecs - name: schedulingspecs.workload.codeflare.dev - version: v1beta1 - - description: QuotaSubtree is the Schema for the QuotaSubtree API - displayName: QuotaSubtree - kind: QuotaSubtrees - name: quotasubtrees.quota.codeflare.dev - version: v1 + customresourcedefinitions: {} description: CodeFlare allows you to scale complex pipelines anywhere displayName: CodeFlare Operator icon: diff --git a/config/rbac/admin_role.yaml b/config/rbac/admin_role.yaml deleted file mode 100644 index b4f4728ca..000000000 --- a/config/rbac/admin_role.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - name: clusterrole-admin - labels: - rbac.authorization.kubernetes.io/aggregate-to-admin: "true" -rules: -- apiGroups: - - quota.codeflare.dev - resources: - - quotasubtrees - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch diff --git a/config/rbac/editor_role.yaml b/config/rbac/editor_role.yaml deleted file mode 100644 index aa341297d..000000000 --- a/config/rbac/editor_role.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - name: clusterrole-edit - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" -rules: -- apiGroups: - - workload.codeflare.dev - resources: - - schedulingspecs - - appwrappers - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch diff --git a/config/rbac/instascale_role.yaml b/config/rbac/instascale_role.yaml deleted file mode 100644 index dec6b720a..000000000 --- a/config/rbac/instascale_role.yaml +++ /dev/null @@ -1,43 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: instascale-role -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - patch - - update -- apiGroups: - - "" - resources: - - secrets - verbs: - - get -- apiGroups: - - config.openshift.io - resources: - - clusterversions - verbs: - - get - - list - - watch -- apiGroups: - - machine.openshift.io - resources: - - machines - - machinesets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch diff --git a/config/rbac/instascale_role_binding.yaml b/config/rbac/instascale_role_binding.yaml deleted file mode 100644 index 00a7d43f7..000000000 --- a/config/rbac/instascale_role_binding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: instascale-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: instascale-role -subjects: -- kind: ServiceAccount - name: controller-manager - namespace: system diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 12d4bb247..166fe7986 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml 
@@ -4,16 +4,8 @@ resources: # if your manager will use a service account that exists at # runtime. Be sure to update RoleBinding and ClusterRoleBinding # subjects if changing service account names. -- admin_role.yaml -- editor_role.yaml - service_account.yaml -- mcad_manager_role.yaml -- mcad_manager_role_binding.yaml - role.yaml - role_binding.yaml -- instascale_role.yaml -- instascale_role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -- mcad-controller-ray-clusterrolebinding.yaml -- mcad-controller-ray-clusterrole.yaml diff --git a/config/rbac/mcad-controller-ray-clusterrole.yaml b/config/rbac/mcad-controller-ray-clusterrole.yaml deleted file mode 100644 index 18e3d98f3..000000000 --- a/config/rbac/mcad-controller-ray-clusterrole.yaml +++ /dev/null @@ -1,43 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: mcad-controller-ray-clusterrole -rules: -- apiGroups: - - ray.io - resources: - - rayclusters - - rayclusters/finalizers - - rayclusters/status - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - route.openshift.io - resources: - - routes - verbs: - - create - - delete - - get - - list - - patch - - update - - watch diff --git a/config/rbac/mcad-controller-ray-clusterrolebinding.yaml b/config/rbac/mcad-controller-ray-clusterrolebinding.yaml deleted file mode 100644 index da9e8c023..000000000 --- a/config/rbac/mcad-controller-ray-clusterrolebinding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: mcad-controller-ray-clusterrolebinding -subjects: - - kind: ServiceAccount - name: controller-manager - namespace: system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: mcad-controller-ray-clusterrole 
diff --git a/config/rbac/mcad_manager_role.yaml b/config/rbac/mcad_manager_role.yaml
deleted file mode 100644
index b414b8e23..000000000
--- a/config/rbac/mcad_manager_role.yaml
+++ /dev/null
@@ -1,223 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: manual-manager-role -rules: -- apiGroups: - - '*' - resources: - - deployments - - services - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - batch - resources: - - jobs - verbs: - - create - - delete - - list - - patch - - update - - watch -- apiGroups: - - apps - resources: - - deployments - - replicasets - - statefulsets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - config.openshift.io - resources: - - clusterversions - verbs: - - get - - list -- apiGroups: - - coordination.k8s.io - resources: - - kube-scheduler - - leases - verbs: - - create - - get - - update -- apiGroups: - - "" - resources: - - bindings - - pods/binding - verbs: - - create -- apiGroups: - - "" - resources: - - configmaps - - nodes - - persistentvolumeclaims - - persistentvolumes - - secrets - - serviceaccounts - - services - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - endpoints - - kube-scheduler - verbs: - - create - - get - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiGroups: - - "" - resources: - - kube-scheduler - verbs: - - get - - update -- apiGroups: - - "" - resources: - - pods - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - pods/status - verbs: - - patch - - update -- apiGroups: - - "" - resources: - - replicationcontrollers - verbs: - - get - - list - - watch -- apiGroups: - - events.k8s.io - resources: - - events - - kube-scheduler - verbs: - - create - - patch 
- - update -- apiGroups: - - machine.openshift.io - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - scheduling.sigs.k8s.io - resources: - - podgroups - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -- apiGroups: - - storage.k8s.io - resources: - - csidrivers - - csinodes - - csistoragecapacities - verbs: - - get - - list - - watch -- apiGroups: - - workload.codeflare.dev - resources: - - appwrappers - - appwrappers/finalizers - - appwrappers/status - - schedulingspecs - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -- apiGroups: - - quota.codeflare.dev - resources: - - quotasubtrees - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch diff --git a/config/rbac/mcad_manager_role_binding.yaml b/config/rbac/mcad_manager_role_binding.yaml deleted file mode 100644 index af6c74ae0..000000000 --- a/config/rbac/mcad_manager_role_binding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: manual-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: manual-manager-role -subjects: -- kind: ServiceAccount - name: controller-manager - namespace: system diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index e5a2ca9f4..70a6a861d 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -5,6 +5,18 @@ metadata: creationTimestamp: null name: manager-role rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create - apiGroups: - "" resources: 
@@ -19,17 +31,31 @@ rules: resources: - serviceaccounts verbs: + - create - delete - get - patch + - update - apiGroups: - "" resources: - services verbs: + - create + - delete + - get + - patch + - update +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - create - delete - get - patch + - update - apiGroups: - ray.io resources: @@ -61,14 +87,19 @@ rules: resources: - clusterrolebindings verbs: + - create - delete - get - patch + - update - apiGroups: - route.openshift.io resources: - routes + - routes/custom-host verbs: + - create - delete - get - patch + - update diff --git a/pkg/controllers/raycluster_controller.go b/pkg/controllers/raycluster_controller.go index 23104c2ab..a098f9b27 100644 --- a/pkg/controllers/raycluster_controller.go +++ b/pkg/controllers/raycluster_controller.go 
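Review bot: The `clusterrolebindings` rule in the last role.yaml hunk now carries `create` and `update`, and the `serviceaccounts` rule in the hunk before it gains the same verbs, so `manager-role` can create a service account and bind it cluster-wide. The API server's escalation check should still stop it from binding a ClusterRole whose permissions it does not itself hold unless it also has `bind`, but neither the role being bound nor any `bind` grant is visible in this diff. This file looks generated from the `+kubebuilder:rbac` markers in raycluster_controller.go, so the rationale belongs there, as a comment above the clusterrolebindings marker such as `// clusterrolebindings: created per RayCluster to bind <ROLE_NAME>; relies on the RBAC escalation check, no bind verb granted`. The same comment should say why `create` on `serviceaccounts` is needed in every namespace rather than only where a RayCluster exists.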
@@ -73,11 +73,14 @@ var ( // +kubebuilder:rbac:groups=ray.io,resources=rayclusters,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=ray.io,resources=rayclusters/status,verbs=get;update;patch // +kubebuilder:rbac:groups=ray.io,resources=rayclusters/finalizers,verbs=update -// +kubebuilder:rbac:groups=route.openshift.io,resources=routes,verbs=patch;delete;get +// +kubebuilder:rbac:groups=route.openshift.io,resources=routes;routes/custom-host,verbs=get;create;update;patch;delete +// +kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses,verbs=get;create;update;patch;delete // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;create;patch;delete;get -// +kubebuilder:rbac:groups=core,resources=services,verbs=patch;delete;get -// +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=patch;delete;get -// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=patch;delete;get +// +kubebuilder:rbac:groups=core,resources=services,verbs=get;create;update;patch;delete +// +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;create;update;patch;delete +// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=get;create;update;patch;delete +// +kubebuilder:rbac:groups=authentication.k8s.io,resources=tokenreviews,verbs=create; +// +kubebuilder:rbac:groups=authorization.k8s.io,resources=subjectaccessreviews,verbs=create; // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state.
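Review bot: `routes/custom-host` is folded into the same marker as `routes`, so the subresource inherits `get`, `patch` and `delete` alongside the verbs that, as far as I know, actually gate setting a route's host. Giving it its own marker keeps the grant narrow and readable: `// +kubebuilder:rbac:groups=route.openshift.io,resources=routes/custom-host,verbs=create;update`, assuming the controller only sets or changes `spec.host`, which should be confirmed before narrowing. The two new markers for `tokenreviews` and `subjectaccessreviews` also end in a stray `;` (`verbs=create;`), and `verbs=create` would match the other lines. The Reconcile function these markers annotate starts below the hunk.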