From 659295131721373af53a1457b344db71990b174a Mon Sep 17 00:00:00 2001
From: velotioaastha
Date: Fri, 17 May 2024 18:38:15 +0530
Subject: [PATCH] update wandb-console-role and manager-role permissions
---
 charts/operator-wandb/Chart.yaml | 2 +-
 .../charts/console/templates/clusterrole.yaml | 16 +++-
 charts/operator/Chart.yaml | 2 +-
 charts/operator/README.md | 2 +-
 charts/operator/templates/role.yaml | 81 ++++++++++++++++++-
 charts/operator/values.yaml | 6 --
 6 files changed, 95 insertions(+), 14 deletions(-)
diff --git a/charts/operator-wandb/Chart.yaml b/charts/operator-wandb/Chart.yaml
index 3d135490..2db35504 100644
--- a/charts/operator-wandb/Chart.yaml
+++ b/charts/operator-wandb/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: operator-wandb
 description: A Helm chart for deploying W&B to Kubernetes
 type: application
-version: 0.13.0
+version: 0.13.1
 appVersion: 1.0.0
 icon: https://wandb.ai/logo.svg
diff --git a/charts/operator-wandb/charts/console/templates/clusterrole.yaml b/charts/operator-wandb/charts/console/templates/clusterrole.yaml
index b935012e..75bd5a9e 100644
--- a/charts/operator-wandb/charts/console/templates/clusterrole.yaml
+++ b/charts/operator-wandb/charts/console/templates/clusterrole.yaml
@@ -16,8 +16,16 @@ metadata:
 {{- toYaml .Values.clusterRole.annotations | nindent 4 }}
 {{- end }}
 rules:
- # We can scope these permissions down later
- - apiGroups: ["*"]
- resources: ["*"]
- verbs: ["*"]
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch", "patch"]
+- apiGroups: [""]
+ resources: ["nodes", "namespaces", "pods", "pods/log", "configmaps", "services", "serviceaccounts", "events"]
+ verbs: ["get", "list"]
+- apiGroups: ["apps"]
+ resources: ["deployments", "statefulsets", "daemonsets", "replicasets", "controllerrevisions"]
+ verbs: ["get", "list"]
+- apiGroups: ["apps"]
+ resources: ["deployments/status", "statefulsets/status", "daemonsets/status", "replicasets/status"]
+ verbs: ["get"]
 {{- end }}
\ No newline at end of file
diff --git a/charts/operator/Chart.yaml b/charts/operator/Chart.yaml
index a3946463..73a9dad1 100644
--- a/charts/operator/Chart.yaml
+++ b/charts/operator/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: operator
 description: A Helm chart for Weights & Biases operator
 type: application
-version: 1.1.3
+version: 1.1.4
 appVersion: "1.0.0"
 maintainers:
 - name: wandb
diff --git a/charts/operator/README.md b/charts/operator/README.md
index 8abbbfb1..7e7bee62 100644
--- a/charts/operator/README.md
+++ b/charts/operator/README.md
@@ -13,6 +13,6 @@ helm upgrade --install operator wandb/operator
 ```
 git clone https://github.com/wandb/helm-charts.git
-cd helm-charts
+cd helm-charts/charts/operator
 helm upgrade --namespace=wandb --create-namespace --install operator .
 ```
diff --git a/charts/operator/templates/role.yaml b/charts/operator/templates/role.yaml
index 06f72713..58617d7e 100644
--- a/charts/operator/templates/role.yaml
+++ b/charts/operator/templates/role.yaml
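Review bot: The `secrets` rule in charts/operator-wandb/charts/console/templates/clusterrole.yaml still allows `get`, `list`, `watch` and `patch` with no namespace or name restriction, so if this ClusterRole is bound by a ClusterRoleBinding (the binding is not part of this patch) the console can read and modify every Secret in the cluster. If it only needs the release's own Secrets, move that rule into a namespaced Role, or at least split `patch` into its own rule narrowed with `resourceNames: ["<secret-name-placeholder>"]`. `pods/log` in the second rule has the same cluster-wide reach. The deleted comment `# We can scope these permissions down later` was the only record that the role is wider than needed, so a replacement such as `# TODO: secrets and pods/log are still cluster-wide; move to a namespaced Role` is worth keeping.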
@@ -3,4 +3,83 @@ kind: ClusterRole
 metadata:
 name: {{ include "name" . }}-manager-role
 rules:
-{{ toYaml .Values.clusterRole.rules | indent 2 }}
\ No newline at end of file
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ - services
+ - services/finalizers
+ - secrets
+ - persistentvolumeclaims
+ - persistentvolumes
+ - configmaps
+ - pods
+ - events
+ verbs:
+ - create
+ - patch
+ - delete
+ - update
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ - daemonsets
+ verbs:
+ - create
+ - patch
+ - delete
+ - update
+- apiGroups:
+ - apps.wandb.com
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterroles
+ - clusterrolebindings
+ - roles
+ - rolebindings
+ verbs:
+ - create
+ - update
+ - delete
+ - patch
+ - bind
+ - escalate
+- apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - create
+ - update
+ - delete
+ - patch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ - ingressclasses
+ verbs:
+ - create
+ - patch
+ - update
+ - delete
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - update
diff --git a/charts/operator/values.yaml b/charts/operator/values.yaml
index 3748f2cc..7b77892d 100644
--- a/charts/operator/values.yaml
+++ b/charts/operator/values.yaml
@@ -27,10 +27,4 @@ manager:
 serviceAccount:
 create: true
-clusterRole:
- rules:
- - apiGroups: ["*"]
- resources: ["*"]
- verbs: ["*"]
-
 airgapped: false
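Review bot: The `rbac.authorization.k8s.io` rule in charts/operator/templates/role.yaml pairs write access to `clusterroles` and `clusterrolebindings` with the `bind` and `escalate` verbs, which exempts the operator's service account from the API server's privilege-escalation check and leaves the role close to as broad as the wildcard default it replaces. Unless the operator must create roles wider than its own, drop the two lines `- bind` and `- escalate`; the console ClusterRole in this same patch looks to be covered by what the manager role already holds, so it should not need them. The first rule's `get`/`list`/`watch` on `'*'`/`'*'` also still reads every Secret in every namespace and would be safer as an explicit resource list. Because the rules are now hard-coded, a `clusterRole.rules` override in an existing values file is silently ignored after upgrade, which deserves a line in the release notes.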