helm_chart/HyperPodHelmChart/charts/mpi-operator/templates/rbac.yaml (211 lines of code) (raw):
apiVersion: v1
kind: Namespace
metadata:
labels:
app: mpi-operator
app.kubernetes.io/component: mpijob
app.kubernetes.io/name: mpi-operator
kustomize.component: mpi-operator
name: mpi-operator
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "mpi-operator.fullname" . }}
labels:
app: mpi-operator
app.kubernetes.io/component: mpijob
kustomize.component: mpi-operator
{{- include "mpi-operator.labels" . | nindent 4 }}
annotations:
{{- toYaml .Values.mpiOperator.serviceAccount.annotations | nindent 4 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "mpi-operator.fullname" . }}-kubeflow-mpijobs-admin
labels:
app: mpi-operator
app.kubernetes.io/component: mpijob
kustomize.component: mpi-operator
rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
{{- include "mpi-operator.labels" . | nindent 4 }}
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.authorization.kubeflow.org/aggregate-to-kubeflow-mpijobs-admin: "true"
rules: []
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "mpi-operator.fullname" . }}-kubeflow-mpijobs-edit
labels:
app: mpi-operator
app.kubernetes.io/component: mpijob
kustomize.component: mpi-operator
rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
rbac.authorization.kubeflow.org/aggregate-to-kubeflow-mpijobs-admin: "true"
{{- include "mpi-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- kubeflow.org
resources:
- mpijobs
- mpijobs/status
verbs:
- get
- list
- watch
- create
- delete
- deletecollection
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "mpi-operator.fullname" . }}-kubeflow-mpijobs-view
labels:
app: mpi-operator
app.kubernetes.io/component: mpijob
kustomize.component: mpi-operator
rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
{{- include "mpi-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- kubeflow.org
resources:
- mpijobs
- mpijobs/status
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "mpi-operator.fullname" . }}
labels:
app: mpi-operator
app.kubernetes.io/component: mpijob
kustomize.component: mpi-operator
{{- include "mpi-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- configmaps
- secrets
- services
verbs:
- create
- list
- watch
- update
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- get
- list
- watch
- delete
- update
- patch
- apiGroups:
- ""
resources:
- pods/exec
verbs:
- create
- apiGroups:
- ""
resources:
- endpoints
verbs:
- create
- get
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- batch
resources:
- jobs
verbs:
- create
- list
- update
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
- get
- apiGroups:
- kubeflow.org
resources:
- mpijobs
- mpijobs/finalizers
- mpijobs/status
verbs:
- '*'
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- '*'
- apiGroups:
- scheduling.incubator.k8s.io
- scheduling.sigs.dev
- scheduling.volcano.sh
resources:
- queues
- podgroups
verbs:
- '*'
- apiGroups:
- scheduling.x-k8s.io
resources:
- podgroups
verbs:
- '*'
- apiGroups:
- scheduling.k8s.io
resources:
- priorityclasses
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "mpi-operator.fullname" . }}
labels:
app: mpi-operator
app.kubernetes.io/component: mpijob
kustomize.component: mpi-operator
{{- include "mpi-operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: '{{ include "mpi-operator.fullname" . }}'
subjects:
- kind: ServiceAccount
name: '{{ include "mpi-operator.fullname" . }}'
namespace: '{{ .Release.Namespace }}'