From 4ec2e239855fefeda245779151f88218dcf78d35 Mon Sep 17 00:00:00 2001
From: Dean Roehrich
Date: Thu, 5 Dec 2024 12:24:22 -0600
Subject: [PATCH] Add the RBAC bits for the new copy-offload daemon
Signed-off-by: Dean Roehrich
---
 config/copy-offload/copy_offload_role.yaml | 62 +++++++++++++++++++
 .../copy_offload_role_binding.yaml | 12 ++++
 .../copy_offload_service_account.yaml | 18 ++++++
 config/copy-offload/kustomization.yaml | 14 +++++
 config/copy-offload/kustomizeconfig.yaml | 4 ++
 config/dp0/kustomization.yaml | 2 +-
 config/kind/kustomization.yaml | 2 +-
 config/top/kustomization.yaml | 3 +
 8 files changed, 115 insertions(+), 2 deletions(-)
 create mode 100644 config/copy-offload/copy_offload_role.yaml
 create mode 100644 config/copy-offload/copy_offload_role_binding.yaml
 create mode 100644 config/copy-offload/copy_offload_service_account.yaml
 create mode 100644 config/copy-offload/kustomization.yaml
 create mode 100644 config/copy-offload/kustomizeconfig.yaml
 create mode 100644 config/top/kustomization.yaml
diff --git a/config/copy-offload/copy_offload_role.yaml b/config/copy-offload/copy_offload_role.yaml
new file mode 100644
index 00000000..e38e88d2
--- /dev/null
+++ b/config/copy-offload/copy_offload_role.yaml
@@ -0,0 +1,62 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: copy-offload-role
+rules:
+- apiGroups:
+ - lus.cray.hpe.com
+ resources:
+ - lustrefilesystems
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - dataworkflowservices.github.io
+ resources:
+ - workflows
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - dataworkflowservices.github.io
+ resources:
+ - clientmounts
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - nnf.cray.hpe.com
+ resources:
+ - nnfdatamovementprofiles
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - nnf.cray.hpe.com
+ resources:
+ - nnfnodes
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - nnf.cray.hpe.com
+ resources:
+ - nnfnodestorages
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - nnf.cray.hpe.com
+ resources:
+ - nnfstorages
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/config/copy-offload/copy_offload_role_binding.yaml b/config/copy-offload/copy_offload_role_binding.yaml
new file mode 100644
index 00000000..d91da0bd
--- /dev/null
+++ b/config/copy-offload/copy_offload_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: copy-offload-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: copy-offload-role
+subjects:
+- kind: ServiceAccount
+ name: copy-offload
+ namespace: default
diff --git a/config/copy-offload/copy_offload_service_account.yaml b/config/copy-offload/copy_offload_service_account.yaml
new file mode 100644
index 00000000..386cf507
--- /dev/null
+++ b/config/copy-offload/copy_offload_service_account.yaml
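Review bot: Nothing in `copy_offload_role.yaml` records that this ClusterRole is meant to stay read-only, or which daemon operation needs each resource, so a later edit that adds a write verb has no stated baseline to be reviewed against. A header comment above `apiVersion:` would cover it, for example `# Read-only (get/list/watch) access for the copy-offload daemon; adding a write verb needs a security review.` The four `nnf.cray.hpe.com` rules and the two `dataworkflowservices.github.io` rules carry identical verbs and could each be merged into a single rule with several `resources:` entries, which shortens what an auditor has to read.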
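Review bot: The subject in `copy_offload_role_binding.yaml` is a ServiceAccount pinned to `namespace: default`, and the binding is a ClusterRoleBinding, so any principal allowed to create pods in `default` can run a workload under this account and read the listed resources in every namespace. The same hard-coded `namespace: default` appears on the ServiceAccount and the Secret in `copy_offload_service_account.yaml`. Consider placing the account in the namespace the daemon is deployed to, e.g. `namespace: <daemon-namespace>` (placeholder), or setting `namespace:` in `config/copy-offload/kustomization.yaml` so kustomize fills it in. Whether a namespaced Role and RoleBinding would be enough depends on where the daemon's workflows and client mounts live, which this patch does not show.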
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: copy-offload
+ namespace: default
+---
+# As of Kubernetes 1.24, ServiceAccount tokens are no longer automatically
+# generated. Instead, manually create the secret and the token key in the
+# data field will be automatically set.
+apiVersion: v1
+kind: Secret
+metadata:
+ name: copy-offload
+ namespace: default
+ annotations:
+ kubernetes.io/service-account.name: copy-offload
+ kubernetes.io/service-account.namespace: default
+type: kubernetes.io/service-account-token
diff --git a/config/copy-offload/kustomization.yaml b/config/copy-offload/kustomization.yaml
new file mode 100644
index 00000000..f11e9d1d
--- /dev/null
+++ b/config/copy-offload/kustomization.yaml
@@ -0,0 +1,14 @@
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: nnf-dm-
+
+resources:
+- copy_offload_service_account.yaml
+- copy_offload_role.yaml
+- copy_offload_role_binding.yaml
+
+configurations:
+ - kustomizeconfig.yaml
diff --git a/config/copy-offload/kustomizeconfig.yaml b/config/copy-offload/kustomizeconfig.yaml
new file mode 100644
index 00000000..a8cc96ae
--- /dev/null
+++ b/config/copy-offload/kustomizeconfig.yaml
@@ -0,0 +1,4 @@
+namePrefix:
+- path: metadata/annotations/kubernetes.io\/service-account.name
+namespace:
+- path: metadata/annotations/kubernetes.io\/service-account.namespace
\ No newline at end of file
diff --git a/config/dp0/kustomization.yaml b/config/dp0/kustomization.yaml
index 24906530..c40d50a8 100644
--- a/config/dp0/kustomization.yaml
+++ b/config/dp0/kustomization.yaml
@@ -1,5 +1,5 @@
 resources:
-- ../default
+- ../top
 patches:
 # Arguments for the controller manager that are specific to dp0
diff --git a/config/kind/kustomization.yaml b/config/kind/kustomization.yaml
index 79167862..b29333e6 100644
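Review bot: The `kubernetes.io/service-account-token` Secret added in `copy_offload_service_account.yaml` makes Kubernetes mint a token with no expiry, and anyone with `get` on Secrets in `default` can read it and use the ClusterRole's access until the Secret is deleted. If the daemon or its client can refresh credentials, a time-bound token from the TokenRequest API (a projected service-account token volume, or `kubectl create token`) avoids keeping a permanent credential in the cluster. If a static token is required, the comment above the Secret should say so and name the rotation procedure, for example `# Long-lived token: required by <consumer> (placeholder); rotate by deleting and re-creating this Secret.`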
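Review bot: The comment above `namePrefix` in `config/copy-offload/kustomization.yaml` refers to "the namespace field above", but this kustomization has no `namespace:` field; the text looks carried over from a scaffold. Because no namespace is set here, the `namespace:` fieldspec in `kustomizeconfig.yaml` probably never fires in this kustomization, which would leave the `kubernetes.io/service-account.namespace` annotation at its literal `default`; a `kustomize build` of `config/top` would confirm what is actually rendered. I would shorten the comment to `# Prefix prepended to the name of every resource in this directory.` and use one list style throughout, since `resources:` is written flush and `configurations:` indented.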
--- a/config/kind/kustomization.yaml
+++ b/config/kind/kustomization.yaml
@@ -1,5 +1,5 @@
 resources:
-- ../default
+- ../top
 patches:
 # Arguments for the controller manager that are specific to kind
diff --git a/config/top/kustomization.yaml b/config/top/kustomization.yaml
new file mode 100644
index 00000000..b0db3da3
--- /dev/null
+++ b/config/top/kustomization.yaml
@@ -0,0 +1,3 @@
+resources:
+- ../default
+- ../copy-offload