Skip to content

Commit

Permalink
Make rbac configurable
Browse files Browse the repository at this point in the history
Signed-off-by: Mücahit Kantepe <[email protected]>
  • Loading branch information
Mücahit Kantepe committed Aug 21, 2023
1 parent 5600298 commit 2aad448
Show file tree
Hide file tree
Showing 11 changed files with 57 additions and 45 deletions.
6 changes: 5 additions & 1 deletion charts/flyte-core/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -160,9 +160,13 @@ helm install gateway bitnami/contour -n flyte
| flyteadmin.resources | object | `{"limits":{"cpu":"250m","ephemeral-storage":"100Mi","memory":"500Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}}` | Default resources requests and limits for Flyteadmin deployment |
| flyteadmin.secrets | object | `{}` | |
| flyteadmin.service | object | `{"annotations":{"projectcontour.io/upstream-protocol.h2c":"grpc"},"loadBalancerSourceRanges":[],"type":"ClusterIP"}` | Service settings for Flyteadmin |
| flyteadmin.serviceAccount | object | `{"alwaysCreate":false,"annotations":{},"create":true,"createClusterRole":true,"imagePullSecrets":[]}` | Configuration for service accounts for FlyteAdmin |
| flyteadmin.serviceAccount | object | `{"alwaysCreate":false,"annotations":{},"clusterRole":{"apiGroups":["","flyte.lyft.com","rbac.authorization.k8s.io"],"resources":["configmaps","flyteworkflows","namespaces","pods","resourcequotas","roles","rolebindings","secrets","services","serviceaccounts","spark-role","limitranges"],"verbs":["*"]},"create":true,"createClusterRole":true,"imagePullSecrets":[]}` | Configuration for service accounts for FlyteAdmin |
| flyteadmin.serviceAccount.alwaysCreate | bool | `false` | Should a service account always be created for flyteadmin even without an actual flyteadmin deployment running (e.g. for multi-cluster setups) |
| flyteadmin.serviceAccount.annotations | object | `{}` | Annotations for ServiceAccount attached to Flyteadmin pods |
| flyteadmin.serviceAccount.clusterRole | object | `{"apiGroups":["","flyte.lyft.com","rbac.authorization.k8s.io"],"resources":["configmaps","flyteworkflows","namespaces","pods","resourcequotas","roles","rolebindings","secrets","services","serviceaccounts","spark-role","limitranges"],"verbs":["*"]}` | Configuration for ClusterRole created for Flyteadmin |
| flyteadmin.serviceAccount.clusterRole.apiGroups | list | `["","flyte.lyft.com","rbac.authorization.k8s.io"]` | Specifies the API groups that this ClusterRole can access |
| flyteadmin.serviceAccount.clusterRole.resources | list | `["configmaps","flyteworkflows","namespaces","pods","resourcequotas","roles","rolebindings","secrets","services","serviceaccounts","spark-role","limitranges"]` | Specifies the resources that this ClusterRole can access |
| flyteadmin.serviceAccount.clusterRole.verbs | list | `["*"]` | Specifies the verbs (actions) that this ClusterRole can perform on the specified resources |
| flyteadmin.serviceAccount.create | bool | `true` | Should a service account be created for flyteadmin |
| flyteadmin.serviceAccount.createClusterRole | bool | `true` | Should a ClusterRole be created for Flyteadmin |
| flyteadmin.serviceAccount.imagePullSecrets | list | `[]` | ImagePullSecrets to automatically assign to the service account |
Expand Down
23 changes: 3 additions & 20 deletions charts/flyte-core/templates/admin/rbac.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -23,26 +23,9 @@ metadata:
name: {{ template "flyte.namespace" . -}}-{{- template "flyteadmin.name" . }}
labels: {{ include "flyteadmin.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
- flyte.lyft.com
- rbac.authorization.k8s.io
resources:
- configmaps
- flyteworkflows
- namespaces
- pods
- resourcequotas
- roles
- rolebindings
- secrets
- services
- serviceaccounts
- spark-role
- limitranges
verbs:
- '*'

- apiGroups: {{ toYaml .Values.flyteadmin.serviceAccount.clusterRole.apiGroups | nindent 2 }}
resources: {{ toYaml .Values.flyteadmin.serviceAccount.clusterRole.resources | nindent 2 }}
verbs: {{ toYaml .Values.flyteadmin.serviceAccount.clusterRole.verbs | nindent 2 }}
---
{{- if $.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
apiVersion: rbac.authorization.k8s.io/v1
Expand Down
25 changes: 25 additions & 0 deletions charts/flyte-core/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,30 @@ flyteadmin:
imagePullSecrets: []
# -- Should a ClusterRole be created for Flyteadmin
createClusterRole: true
# -- Configuration for ClusterRole created for Flyteadmin
clusterRole:
# -- Specifies the API groups that this ClusterRole can access
apiGroups:
- ""
- "flyte.lyft.com"
- "rbac.authorization.k8s.io"
# -- Specifies the resources that this ClusterRole can access
resources:
- configmaps
- flyteworkflows
- namespaces
- pods
- resourcequotas
- roles
- rolebindings
- secrets
- services
- serviceaccounts
- spark-role
- limitranges
# -- Specifies the verbs (actions) that this ClusterRole can perform on the specified resources
verbs:
- '*'
# -- Annotations for Flyteadmin pods
podAnnotations: {}
# -- nodeSelector for Flyteadmin deployment
Expand Down Expand Up @@ -575,6 +599,7 @@ configmap:
eventVersion: 2
testing:
host: http://flyteadmin

# -- Authentication configuration
auth:
authorizedUris:
Expand Down
6 changes: 3 additions & 3 deletions deployment/eks/flyte_aws_scheduler_helm_generated.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -556,11 +556,11 @@ metadata:
helm.sh/chart: flyte-core-v0.1.10
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
- apiGroups:
- ""
- flyte.lyft.com
- rbac.authorization.k8s.io
resources:
resources:
- configmaps
- flyteworkflows
- namespaces
Expand All @@ -573,7 +573,7 @@ rules:
- serviceaccounts
- spark-role
- limitranges
verbs:
verbs:
- '*'
---
# Source: flyte-core/templates/propeller/rbac.yaml
Expand Down
6 changes: 3 additions & 3 deletions deployment/eks/flyte_helm_controlplane_generated.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -409,11 +409,11 @@ metadata:
helm.sh/chart: flyte-core-v0.1.10
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
- apiGroups:
- ""
- flyte.lyft.com
- rbac.authorization.k8s.io
resources:
resources:
- configmaps
- flyteworkflows
- namespaces
Expand All @@ -426,7 +426,7 @@ rules:
- serviceaccounts
- spark-role
- limitranges
verbs:
verbs:
- '*'
---
# Source: flyte-core/templates/admin/rbac.yaml
Expand Down
6 changes: 3 additions & 3 deletions deployment/eks/flyte_helm_dataplane_generated.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -221,11 +221,11 @@ metadata:
helm.sh/chart: flyte-core-v0.1.10
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
- apiGroups:
- ""
- flyte.lyft.com
- rbac.authorization.k8s.io
resources:
resources:
- configmaps
- flyteworkflows
- namespaces
Expand All @@ -238,7 +238,7 @@ rules:
- serviceaccounts
- spark-role
- limitranges
verbs:
verbs:
- '*'
---
# Source: flyte-core/templates/propeller/rbac.yaml
Expand Down
6 changes: 3 additions & 3 deletions deployment/eks/flyte_helm_generated.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -587,11 +587,11 @@ metadata:
helm.sh/chart: flyte-core-v0.1.10
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
- apiGroups:
- ""
- flyte.lyft.com
- rbac.authorization.k8s.io
resources:
resources:
- configmaps
- flyteworkflows
- namespaces
Expand All @@ -604,7 +604,7 @@ rules:
- serviceaccounts
- spark-role
- limitranges
verbs:
verbs:
- '*'
---
# Source: flyte-core/templates/propeller/rbac.yaml
Expand Down
6 changes: 3 additions & 3 deletions deployment/gcp/flyte_helm_controlplane_generated.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -422,11 +422,11 @@ metadata:
helm.sh/chart: flyte-core-v0.1.10
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
- apiGroups:
- ""
- flyte.lyft.com
- rbac.authorization.k8s.io
resources:
resources:
- configmaps
- flyteworkflows
- namespaces
Expand All @@ -439,7 +439,7 @@ rules:
- serviceaccounts
- spark-role
- limitranges
verbs:
verbs:
- '*'
---
# Source: flyte-core/templates/admin/rbac.yaml
Expand Down
6 changes: 3 additions & 3 deletions deployment/gcp/flyte_helm_dataplane_generated.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -229,11 +229,11 @@ metadata:
helm.sh/chart: flyte-core-v0.1.10
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
- apiGroups:
- ""
- flyte.lyft.com
- rbac.authorization.k8s.io
resources:
resources:
- configmaps
- flyteworkflows
- namespaces
Expand All @@ -246,7 +246,7 @@ rules:
- serviceaccounts
- spark-role
- limitranges
verbs:
verbs:
- '*'
---
# Source: flyte-core/templates/propeller/rbac.yaml
Expand Down
6 changes: 3 additions & 3 deletions deployment/gcp/flyte_helm_generated.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -608,11 +608,11 @@ metadata:
helm.sh/chart: flyte-core-v0.1.10
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
- apiGroups:
- ""
- flyte.lyft.com
- rbac.authorization.k8s.io
resources:
resources:
- configmaps
- flyteworkflows
- namespaces
Expand All @@ -625,7 +625,7 @@ rules:
- serviceaccounts
- spark-role
- limitranges
verbs:
verbs:
- '*'
---
# Source: flyte-core/templates/propeller/rbac.yaml
Expand Down
6 changes: 3 additions & 3 deletions deployment/sandbox/flyte_helm_generated.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5501,11 +5501,11 @@ metadata:
helm.sh/chart: flyte-v0.1.10
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
- apiGroups:
- ""
- flyte.lyft.com
- rbac.authorization.k8s.io
resources:
resources:
- configmaps
- flyteworkflows
- namespaces
Expand All @@ -5518,7 +5518,7 @@ rules:
- serviceaccounts
- spark-role
- limitranges
verbs:
verbs:
- '*'
---
# Source: flyte/charts/flyte/templates/propeller/rbac.yaml
Expand Down

0 comments on commit 2aad448

Please sign in to comment.