From 284e753946749a9e0fc2dc81e646e9cb12912f4f Mon Sep 17 00:00:00 2001 From: David Grove Date: Mon, 24 Jun 2024 16:35:47 -0400 Subject: [PATCH 1/2] use correct apiGroup for rayclsuters in rbac annotation for appwrappers. --- config/rbac/role.yaml | 12 ------------ pkg/controllers/appwrapper_controller.go | 2 +- 2 files changed, 1 insertion(+), 13 deletions(-) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 454881679..02693cce0 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -99,18 +99,6 @@ rules: - patch - update - watch -- apiGroups: - - cluster.ray.io - resources: - - rayclusters - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - config.openshift.io resources: diff --git a/pkg/controllers/appwrapper_controller.go b/pkg/controllers/appwrapper_controller.go index 11684f5bf..6ce476f94 100644 --- a/pkg/controllers/appwrapper_controller.go +++ b/pkg/controllers/appwrapper_controller.go @@ -30,7 +30,7 @@ package controllers //+kubebuilder:rbac:groups=scheduling.sigs.k8s.io,resources=podgroups,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups=scheduling.x-k8s.io,resources=podgroups,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups=kubeflow.org,resources=pytorchjobs,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups=cluster.ray.io,resources=rayclusters,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups=ray.io,resources=rayclusters,verbs=get;list;watch;create;update;patch;delete // permissions needed by Kueue's generic reconciller // +kubebuilder:rbac:groups=scheduling.k8s.io,resources=priorityclasses,verbs=list;get;watch From 9aa42bf7247341409004f2c2df4aeb13c197ed24 Mon Sep 17 00:00:00 2001 From: David Grove Date: Mon, 24 Jun 2024 16:59:16 -0400 Subject: [PATCH 2/2] add rayjobs to appwrapper rbacs --- config/rbac/role.yaml | 12 ++++++++++++ pkg/controllers/appwrapper_controller.go | 1 + 2 files changed, 13 insertions(+) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 02693cce0..073b261aa 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -242,6 +242,18 @@ rules: - get - patch - update +- apiGroups: + - ray.io + resources: + - rayjobs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - rbac.authorization.k8s.io resources: diff --git a/pkg/controllers/appwrapper_controller.go b/pkg/controllers/appwrapper_controller.go index 6ce476f94..cab8ef375 100644 --- a/pkg/controllers/appwrapper_controller.go +++ b/pkg/controllers/appwrapper_controller.go @@ -31,6 +31,7 @@ package controllers //+kubebuilder:rbac:groups=scheduling.x-k8s.io,resources=podgroups,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups=kubeflow.org,resources=pytorchjobs,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups=ray.io,resources=rayclusters,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups=ray.io,resources=rayjobs,verbs=get;list;watch;create;update;patch;delete // permissions needed by Kueue's generic reconciller // +kubebuilder:rbac:groups=scheduling.k8s.io,resources=priorityclasses,verbs=list;get;watch