From fb29eddb0a08479417f3b119a1d02ee187cbd1c6 Mon Sep 17 00:00:00 2001
From: eliyahu77 <40737397+eliyahu77@users.noreply.github.com>
Date: Sun, 3 Dec 2023 10:45:56 +0200
Subject: [PATCH] [Jupyter] Add RBAC (#85)
Co-authored-by: Alon Maor <48641682+alonmr@users.noreply.github.com>
---
 charts/mlrun-ce/Chart.yaml | 2 +-
 .../jupyter-notebook/deployment.yaml | 4 +-
 .../jupyter-notebook/role-binding.yaml | 13 +++++
 .../templates/jupyter-notebook/role.yaml | 51 +++++++++++++++++++
 .../jupyter-notebook/serviceaccount.yaml | 6 +++
 charts/mlrun-ce/values.yaml | 5 +-
 6 files changed, 77 insertions(+), 4 deletions(-)
 create mode 100644 charts/mlrun-ce/templates/jupyter-notebook/role-binding.yaml
 create mode 100644 charts/mlrun-ce/templates/jupyter-notebook/role.yaml
 create mode 100644 charts/mlrun-ce/templates/jupyter-notebook/serviceaccount.yaml
diff --git a/charts/mlrun-ce/Chart.yaml b/charts/mlrun-ce/Chart.yaml
index 7129a582..657e54db 100644
--- a/charts/mlrun-ce/Chart.yaml
+++ b/charts/mlrun-ce/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-version: 0.6.3-rc5
+version: 0.6.3-rc6
 name: mlrun-ce
 description: MLRUn Open Source Stack
 home: https://iguazio.com
diff --git a/charts/mlrun-ce/templates/jupyter-notebook/deployment.yaml b/charts/mlrun-ce/templates/jupyter-notebook/deployment.yaml
index b041808a..3dc27524 100644
--- a/charts/mlrun-ce/templates/jupyter-notebook/deployment.yaml
+++ b/charts/mlrun-ce/templates/jupyter-notebook/deployment.yaml
@@ -15,8 +15,8 @@ spec:
 labels:
 {{- include "mlrun-ce.jupyter.selectorLabels" . | nindent 8 }}
 spec:
-{{- if .Values.jupyterNotebook.serviceAccount }}
- serviceAccount: {{ .Values.jupyterNotebook.serviceAccount }}
+{{- if .Values.jupyterNotebook.serviceAccount.name }}
+ serviceAccount: {{ .Values.jupyterNotebook.serviceAccount.name }}
 {{- end }}
 securityContext:
 runAsUser: 1000
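Review bot: The two added lines keep writing the deprecated pod-spec field `serviceAccount`; the canonical key is `serviceAccountName`, so the new lines would better read `{{- if .Values.jupyterNotebook.serviceAccount.name }}` / `serviceAccountName: {{ .Values.jupyterNotebook.serviceAccount.name }}`. Turning `jupyterNotebook.serviceAccount` from a scalar into a map is also a values-file break that the commit message does not mention: an existing override that still sets it to a plain string makes rendering fail on the `.serviceAccount.name` lookup instead of falling back to the old behaviour, so a short upgrade note in the chart docs would help. The enclosing pod template starts and ends outside the hunk.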
diff --git a/charts/mlrun-ce/templates/jupyter-notebook/role-binding.yaml b/charts/mlrun-ce/templates/jupyter-notebook/role-binding.yaml
new file mode 100644
index 00000000..edc78feb
--- /dev/null
+++ b/charts/mlrun-ce/templates/jupyter-notebook/role-binding.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.jupyterNotebook.enabled -}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: jupyter-role-binding
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.jupyterNotebook.serviceAccount.name }}
+roleRef:
+ kind: Role
+ name: jupyter-role
+ apiGroup: rbac.authorization.k8s.io
+{{- end -}}
diff --git a/charts/mlrun-ce/templates/jupyter-notebook/role.yaml b/charts/mlrun-ce/templates/jupyter-notebook/role.yaml
new file mode 100644
index 00000000..06d18fdb
--- /dev/null
+++ b/charts/mlrun-ce/templates/jupyter-notebook/role.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.jupyterNotebook.enabled -}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: jupyter-role
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - pods/log
+ verbs:
+ - get
+ - list
+ - apiGroups:
+ - metrics.k8s.io
+ resources:
+ - pods
+ verbs:
+ - list
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - list
+ - get
+ - apiGroups:
+ - extensions
+ resources:
+ - ingresses
+ verbs:
+ - list
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+{{- end -}}
diff --git a/charts/mlrun-ce/templates/jupyter-notebook/serviceaccount.yaml b/charts/mlrun-ce/templates/jupyter-notebook/serviceaccount.yaml
new file mode 100644
index 00000000..7a68a410
--- /dev/null
+++ b/charts/mlrun-ce/templates/jupyter-notebook/serviceaccount.yaml
@@ -0,0 +1,6 @@
+{{- if .Values.jupyterNotebook.serviceAccount.create -}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.jupyterNotebook.serviceAccount.name }}
+{{- end -}}
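Review bot: The RoleBinding renders whenever `jupyterNotebook.enabled` is true and puts `.Values.jupyterNotebook.serviceAccount.name` into the subject unguarded, while deployment.yaml checks that same value for emptiness first; an empty `name` therefore produces a subject with a blank name, which the API server rejects, and serviceaccount.yaml uses the value unguarded in the same way. Wrapping the subject in the same `{{- if .Values.jupyterNotebook.serviceAccount.name }}` guard, or failing early with `name: {{ required "jupyterNotebook.serviceAccount.name is required" .Values.jupyterNotebook.serviceAccount.name }}`, keeps the three templates consistent. The first line of this file (and of role.yaml and serviceaccount.yaml) shows `-}` with a single closing brace; if that is in the committed file rather than an artifact of this rendering, none of the three templates will parse and it should be `-}}`.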
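Review bot: The `ingresses` rule uses apiGroup `extensions`, which stopped serving Ingress in Kubernetes 1.22; RBAC matches on the request's API group, so on current clusters this Role denies reads of `networking.k8s.io` ingresses and the rule is dead weight. Add `- networking.k8s.io` under `- extensions` in that rule (or replace it). The first rule grants `create` and `delete` on `pods` in the release namespace: a pod created by the notebook can run under any ServiceAccount that exists in that namespace, so the effective reach of this Role is the union of those accounts' permissions rather than only what is listed here, which deserves a comment on the rule and a line in the chart docs so operators size the namespace accordingly. The `secrets` rule is write-only (`create` without `get`/`list`), which reads as deliberate; a one-line comment saying so would stop a future maintainer from widening it.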
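Review bot: The ServiceAccount is gated only on `serviceAccount.create`, whereas role.yaml and role-binding.yaml are gated on `jupyterNotebook.enabled`; with the defaults this commit adds to values.yaml (`create: true`), disabling the notebook still leaves an orphan `mlrun-jupyter` ServiceAccount in the release namespace. Gating on both, `{{- if and .Values.jupyterNotebook.enabled .Values.jupyterNotebook.serviceAccount.create -}}`, matches the other two templates.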
diff --git a/charts/mlrun-ce/values.yaml b/charts/mlrun-ce/values.yaml
index 2e6b786c..ba77183f 100644
--- a/charts/mlrun-ce/values.yaml
+++ b/charts/mlrun-ce/values.yaml
@@ -147,7 +147,10 @@ mlrun:
 mode: full
 jupyterNotebook:
- awsInstall: false
+ serviceAccount:
+ create: true
+ name: mlrun-jupyter
+ awsInstall: false
 fullnameOverride: mlrun-jupyter
 name: jupyter-notebook
 enabled: true
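Review bot: The new `serviceAccount` block carries no comment, yet its two keys drive three templates differently: `create` controls only serviceaccount.yaml, while `name` is consumed by the deployment and by the RoleBinding regardless of `create`, so a bring-your-own account must already exist in the release namespace. A comment above the block such as `# create: render a ServiceAccount named .name; name: account the notebook pod runs as and the jupyter Role is bound to (must pre-exist when create is false)` would document that contract where users edit it.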