
Commit 70d2e23

committed
Update workbench roles
1 parent 16d23b5 commit 70d2e23


7 files changed

+98
-62
lines changed

7 files changed

+98
-62
lines changed

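--- a/cronjobs/nb-culler/cronjob.yaml
+++ b/cronjobs/nb-culler/cronjob.yaml
@@ -124,4 +124,4 @@ spec:
 imagePullPolicy: IfNotPresent
 dnsPolicy: ClusterFirst
 successfulJobsHistoryLimit: 7
-failedJobsHistoryLimit: 7
+failedJobsHistoryLimit: 7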

gpu-class/cluster_queue_role.yaml

Lines changed: 0 additions & 8 deletions
This file was deleted.

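--- a/gpu-class/clusterrole.yaml
+++ b/gpu-class/clusterrole.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: kueue-clusterqueue-reader
+rules:
+- apiGroups: ["kueue.x-k8s.io"]
+resources: ["clusterqueues"]
+verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: node-reader
+rules:
+- apiGroups: [""]
+resources: ["nodes"]
+verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: pod-reader
+rules:
+- apiGroups: [""]
+resources: ["pods"]
+verbs: ["get", "list"]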
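Review bot: The new ClusterRoles `node-reader` and `pod-reader` use generic, unprefixed names, and the setup script in this commit installs them with `oc apply`, which would update in place any existing ClusterRole of the same name on a shared cluster. Naming them like the bindings, e.g. `name: csw-pod-reader` and `name: csw-node-reader`, keeps them clear of other tenants' objects; the `roleRef.name` values in clusterrolebinding.yaml and the role arguments in `add_sa_to_clusterrolebinding` would need the same rename. A one-line comment above each role saying who is expected to hold it would also help whoever reviews later grants.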

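--- a/gpu-class/clusterrolebinding.yaml
+++ b/gpu-class/clusterrolebinding.yaml
@@ -0,0 +1,41 @@
+# CREATE KUEUE CLUSTER QUEUE READER CLUSTERROLE BINDING
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: csw-kueue-clusterqueue-reader
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: kueue-clusterqueue-reader
+subjects:
+- kind: Group
+name: cs599-pmpp
+apiGroup: rbac.authorization.k8s.io
+---
+# CREATE POD READER CLUSTERROLE BINDING
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: csw-pod-reader
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: pod-reader
+subjects:
+- kind: Group
+name: cs599-pmpp
+apiGroup: rbac.authorization.k8s.io
+---
+# CREATE NODE READER CLUSTERROLE BINDING
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: csw-node-reader
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: node-reader
+subjects:
+- kind: Group
+name: cs599-pmpp
+apiGroup: rbac.authorization.k8s.io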
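Review bot: `csw-pod-reader` binds `pod-reader` through a ClusterRoleBinding, so every member of group `cs599-pmpp` can `get` and `list` pods in all namespaces, not only in their own class namespace; pod specs commonly carry env values, image names and volume references that other tenants would not expect to share. Pods are namespaced, so this grant can instead be a `kind: RoleBinding` with `metadata.namespace` set in each class namespace, still referencing the same ClusterRole; nodes and clusterqueues are cluster-scoped and do need the ClusterRoleBinding. The same concern applies to `add_sa_to_clusterrolebinding` in gpu-class-setup.sh, which adds every notebook service account to these cluster-wide bindings. If cluster-wide pod visibility is intended, a comment above the binding saying why would make that decision explicit.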

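--- a/gpu-class/gpu-class-setup.sh
+++ b/gpu-class/gpu-class-setup.sh
@@ -11,37 +11,15 @@ run_name="gpu_class_test"
 image_name="csw-dev-f25"
 
 create_wb() {
-random_id=$(openssl rand -hex 3)
-
 #set namespace
 namespace=$1
 
-username=$(oc -n "$ns" get rolebinding edit -o json \
-| jq -r '
-(.subjects // [])
-| map(.name)
-| map(select(. != "jappavoo-40bu-2edu"))
-| map(select(. != "sdanni-40redhat-2com"))
-| map(select(. != "istaplet"))
-| .[]
-')
-
-user=$(oc -n "$ns" get rolebinding edit -o json \
-| jq -r '
-(.subjects // [])
-| map(.name
-| if test("@.*\\..*$")
-then sub("@"; "-40") | gsub("\\.";"-2")
-else .
-end)
-| map(select(. != "jappavoo-40bu-2edu"))
-| map(select(. != "sdanni-40redhat-2com"))
-| map(select(. != "istaplet"))
-| .[]
-')
+username="[email protected]"
+
+user="jappavoo-40bu-2edu"
 
 # give notebook within namespace a name
-notebook_name=cs599-${user}-wb
+notebook_name="csw-dev"
 
 params=(
 -p NOTEBOOK_NAME="$notebook_name"
@@ -79,22 +57,35 @@ apply_rolebinding() {
 -p SERVICE_ACCOUNT_NB="$notebook_name"
 )
 
-oc process -f rb.yaml --local "${rb_params[@]}" | "${create_resource_command[@]}" --as system:admin
+oc process -f rbac_template.yaml --local "${rb_params[@]}" | "${create_resource_command[@]}" --as system:admin
 }
 
-apply_clusterq() {
+create_clusterrole_bindings() {
+
+oc apply -f clusterrole.yaml --as system:admin
+# oc create will fail if resource exists (safer)
+oc create -f clusterrolebinding.yaml --as system:admin
+}
+
+add_sa_to_clusterrolebinding() {
+namespace=$1
+notebook_name=$2
 
-oc apply -f cluster_queue_role.yaml --as system:admin
+oc adm policy add-cluster-role-to-user pod-reader --rolebinding-name="csw-pod-reader" system:serviceaccount:$namespace:$notebook_name --as system:admin
+oc adm policy add-cluster-role-to-user node-reader --rolebinding-name="csw-node-reader" system:serviceaccount:$namespace:$notebook_name --as system:admin
+oc adm policy add-cluster-role-to-user kueue-clusterqueue-reader --rolebinding-name="csw-kueue-clusterqueue-reader" system:serviceaccount:$namespace:$notebook_name --as system:admin
 }
 
-apply_clusterq
+create_clusterrole_bindings
 
-oc get ns | grep "^${CLASS_NAME}-" | awk '{print $1}' | while read ns; do
-oc project "$ns"
+#oc get ns | grep "^${CLASS_NAME}-" | awk '{print $1}' | while read ns; do
+ns="bu-cs599-pmpp-cuda-71cd48"
+oc project "$ns"
 
-#create a workbench and save the name of the notebook to apply rolebindings
-nb_name="$(create_wb "$ns")"
-apply_rolebinding "$ns" "$nb_name"
-apply_localqueue "$ns"
+#create a workbench and save the name of the notebook to apply rolebindings
+nb_name="$(create_wb "$ns")"
+apply_rolebinding "$ns" "$nb_name"
+apply_localqueue "$ns"
+add_sa_to_clusterrolebinding "$ns" "$nb_name"
 
-done
+#done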
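Review bot: `add_sa_to_clusterrolebinding` builds the subject from unquoted `$namespace:$notebook_name` and assigns both as globals, while every call runs `--as system:admin`; an empty or space-containing `nb_name` (it is captured from `create_wb`'s stdout, whose body is only partly visible here) would bind an unintended subject cluster-wide. I would declare `local namespace=$1 notebook_name=$2`, bail out with `[[ -n $namespace && -n $notebook_name ]] || return 1`, and pass `"system:serviceaccount:${namespace}:${notebook_name}"` quoted to each of the three calls. Separately, the hard-coded `ns=`, `user=` and `notebook_name="csw-dev"` together with the commented-out `while` loop look like single-namespace test state; if that is intentional a comment should say so, otherwise the loop should be restored before this runs against the class. Subjects added this way also stay in the ClusterRoleBindings after a namespace is deleted, so teardown needs a matching removal step.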

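--- a/gpu-class/notebook_resource.yaml
+++ b/gpu-class/notebook_resource.yaml
@@ -100,7 +100,7 @@ objects:
 --ServerApp.tornado_settings={"user":"${USER}","hub_host":"${HUB_HOST}","hub_prefix":"projects/${NAMESPACE}"}
 - name: JUPYTER_IMAGE
 value: >-
-${IMAGE_REPO}/${IMAGE_NAME}
+${IMAGE_REPO}/${IMAGE_NAME}:latest
 ports:
 - containerPort: 8888
 name: notebook-port
@@ -112,7 +112,7 @@ objects:
 - mountPath: /dev/shm
 name: shm
 image: >-
-${IMAGE_REPO}/${IMAGE_NAME}
+${IMAGE_REPO}/${IMAGE_NAME}:latest
 workingDir: /opt/app-root/src
 - resources:
 limits: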
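Review bot: Both image references now end in a hard-coded `:latest`, a mutable tag, so the workbench image can change underneath a running class with no change to this template, and what a given notebook actually ran cannot be recovered from the manifest. I would take the tag from a template parameter, `${IMAGE_REPO}/${IMAGE_NAME}:${IMAGE_TAG}` in both places, or pin by digest with `@sha256:<digest>`; the template's `parameters:` list is outside these hunks, so `IMAGE_TAG` would have to be declared there. The pull policy for this container is not visible here, and it decides how quickly a retagged image reaches the nodes.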
Lines changed: 0 additions & 14 deletions
@@ -76,20 +76,6 @@ objects:
7676
name: ${SERVICE_ACCOUNT_NB}
7777
namespace: ${NAMESPACE}
7878

79-
# CLUSTER QUEUE ROLEBINDING
80-
- apiVersion: rbac.authorization.k8s.io/v1
81-
kind: ClusterRoleBinding
82-
metadata:
83-
name: ${SERVICE_ACCOUNT_NB}-kueue-clusterqueue-reader
84-
roleRef:
85-
apiGroup: rbac.authorization.k8s.io
86-
kind: ClusterRole
87-
name: kueue-clusterqueue-reader
88-
subjects:
89-
- kind: ServiceAccount
90-
name: ${SERVICE_ACCOUNT_NB}
91-
namespace: ${NAMESPACE}
92-
9379
# OC AUTH EXEC (BINDINGS FOR DEFAULT SERVICE ACCOUNT)
9480
# BIND TO EXISTING EDIT ROLE
9581
- apiVersion: rbac.authorization.k8s.io/v1
