diff --git a/gpu-class/cluster_queue_role.yaml b/gpu-class/cluster_role.yaml
similarity index 56%
rename from gpu-class/cluster_queue_role.yaml
rename to gpu-class/cluster_role.yaml
index 9990cce..57c57c6 100644
--- a/gpu-class/cluster_queue_role.yaml
+++ b/gpu-class/cluster_role.yaml
@@ -6,3 +6,12 @@ rules:
 - apiGroups: ["kueue.x-k8s.io"]
 resources: ["clusterqueues"]
 verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: node-reader
+rules:
+- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list"]
diff --git a/gpu-class/gpu-class-setup.sh b/gpu-class/gpu-class-setup.sh
index 098f94f..994ceac 100755
--- a/gpu-class/gpu-class-setup.sh
+++ b/gpu-class/gpu-class-setup.sh
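Review bot: The new `node-reader` ClusterRole in cluster_role.yaml has no comment saying why notebook service accounts need `get`/`list` on `nodes`, and its generic name can coincide with a ClusterRole that already exists on a shared cluster, whose rules `oc apply -f cluster_role.yaml --as system:admin` would then replace without warning. Node objects carry addresses, labels, kubelet and kernel versions and cached image lists, so the grant deserves a stated purpose. I would add a comment such as `# read-only node access for notebook service accounts; needed for <purpose>` above the document and use a project-scoped name, for example `name: gpu-class-node-reader`, with the matching `roleRef` in rb.yaml updated. The start of the file lies outside the hunk.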
@@ -16,32 +16,35 @@ create_wb() { #set namespace namespace=$1 - username=$(oc -n "$ns" get rolebinding edit -o json \ - | jq -r ' - (.subjects // []) - | map(.name) - | map(select(. != "jappavoo-40bu-2edu")) - | map(select(. != "sdanni-40redhat-2com")) - | map(select(. != "istaplet")) - | .[] - ') - - user=$(oc -n "$ns" get rolebinding edit -o json \ - | jq -r ' - (.subjects // []) - | map(.name - | if test("@.*\\..*$") - then sub("@"; "-40") | gsub("\\.";"-2") - else . - end) - | map(select(. != "jappavoo-40bu-2edu")) - | map(select(. != "sdanni-40redhat-2com")) - | map(select(. != "istaplet")) - | .[] - ') + # username=$(oc -n "$ns" get rolebinding edit -o json \ + # | jq -r ' + # (.subjects // []) + # | map(.name) + # | map(select(. != "jappavoo-40bu-2edu")) + # | map(select(. != "sdanni-40redhat-2com")) + # | map(select(. != "istaplet")) + # | .[] + # ') + + # user=$(oc -n "$ns" get rolebinding edit -o json \ + # | jq -r ' + # (.subjects // []) + # | map(.name + # | if test("@.*\\..*$") + # then sub("@"; "-40") | gsub("\\.";"-2") + # else . + # end) + # | map(select(. != "jappavoo-40bu-2edu")) + # | map(select(. != "sdanni-40redhat-2com")) + # | map(select(. != "istaplet")) + # | .[] + # ') + + user="jappavoo-40bu-2edu" + username="jappavoo@bu.edu" # give notebook within namespace a name - notebook_name=cs599-${user}-wb + notebook_name=csw-dev params=( -p NOTEBOOK_NAME="$notebook_name" 
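Review bot: The added `user="jappavoo-40bu-2edu"`, `username="jappavoo@bu.edu"` and `notebook_name=csw-dev` in create_wb replace the per-namespace lookup with one fixed identity. Every workbench the function creates now has the same name and, if `$username` feeds the template's `USER` parameter (the `params` array continues outside the hunk), is annotated as belonging to that one account. A constant notebook name also makes the cluster-scoped binding `${SERVICE_ACCOUNT_NB}-pod-reader` in rb.yaml resolve to the same object name for every namespace, so later runs either fail or replace the earlier subject, depending on what `create_resource_command` does. If this is a development shortcut, take the values from the caller instead, for example `user=${WB_USER:?WB_USER not set}` and `notebook_name=${WB_NAME:-cs599-${user}-wb}`, and delete the commented-out block rather than keeping it.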
@@ -59,32 +62,32 @@ create_wb() { echo "$notebook_name" } -apply_localqueue() { +apply_rolebinding() { + #set namespace and nb name namespace=$1 + notebook_name=$2 - local_params=( + rb_params=( -p NAMESPACE="$namespace" + -p SERVICE_ACCOUNT_NB="$notebook_name" ) - oc process -f localqueue.yaml --local "${local_params[@]}" | "${create_resource_command[@]}" --as system:admin 1>&2 + oc process -f rb.yaml --local "${rb_params[@]}" | "${create_resource_command[@]}" --as system:admin } -apply_rolebinding() { - #set namespace and nb name +apply_localqueue() { namespace=$1 - notebook_name=$2 - rb_params=( + local_params=( -p NAMESPACE="$namespace" - -p SERVICE_ACCOUNT_NB="$notebook_name" ) - oc process -f rb.yaml --local "${rb_params[@]}" | "${create_resource_command[@]}" --as system:admin + oc process -f localqueue.yaml --local "${local_params[@]}" | "${create_resource_command[@]}" --as system:admin 1>&2 } apply_clusterq() { - oc apply -f cluster_queue_role.yaml --as system:admin + oc apply -f cluster_role.yaml --as system:admin } apply_clusterq diff --git a/gpu-class/notebook_resource.yaml b/gpu-class/notebook_resource.yaml index 74557d2..496cffa 100644 --- a/gpu-class/notebook_resource.yaml +++ b/gpu-class/notebook_resource.yaml 
@@ -31,14 +31,17 @@ objects:
 metadata:
 annotations:
 notebooks.opendatahub.io/inject-oauth: 'true'
- notebooks.opendatahub.io/last-image-selection: ${IMAGE_NAME}
+ notebooks.opendatahub.io/image-display-name: "csw-dev-F25"
+ notebooks.opendatahub.io/last-image-selection: ${IMAGE_NAME}:latest
 notebooks.opendatahub.io/last-size-selection: Small
+ opendatahub.io/notebook-image-desc: "csw-dev-F25"
 notebooks.opendatahub.io/oauth-logout-url: >-
 ${OPENSHIFT_URL}/${NAMESPACE}?notebookLogout=${NOTEBOOK_NAME}
 opendatahub.io/username: ${USER}
 openshift.io/description: ''
 openshift.io/display-name: ${NOTEBOOK_NAME}
- opendatahub.io/image-display-name: ${IMAGE_NAME}
+ opendatahub.io/accelerator-name: ''
+ opendatahub.io/hardware-profile-name: ''
 name: ${NOTEBOOK_NAME}
 labels:
 ope-run: ${RUN_NAME}
@@ -100,7 +103,7 @@ objects:
 --ServerApp.tornado_settings={"user":"${USER}","hub_host":"${HUB_HOST}","hub_prefix":"projects/${NAMESPACE}"}
 - name: JUPYTER_IMAGE
 value: >-
- ${IMAGE_REPO}/${IMAGE_NAME}
+ ${IMAGE_REPO}/${IMAGE_NAME}:latest
 ports:
 - containerPort: 8888
 name: notebook-port
@@ -112,7 +115,7 @@ objects:
 - mountPath: /dev/shm
 name: shm
 image: >-
- ${IMAGE_REPO}/${IMAGE_NAME}
+ ${IMAGE_REPO}/${IMAGE_NAME}:latest
 workingDir: /opt/app-root/src
 - resources:
 limits:
diff --git a/gpu-class/rb.yaml b/gpu-class/rb.yaml
index cabb081..e7191de 100644
--- a/gpu-class/rb.yaml
+++ b/gpu-class/rb.yaml
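Review bot: The `:latest` suffix added to `last-image-selection` in this hunk, and to `JUPYTER_IMAGE` and `image:` in the hunks at -100 and -112, ties every workbench to a mutable tag. A restarted notebook pod then runs whatever was most recently pushed under that name, and an accidental or malicious overwrite of the tag reaches every student without any change in this repository. I would make the reference a template parameter and pin it, for example `${IMAGE_REPO}/${IMAGE_NAME}@${IMAGE_DIGEST}` (or at least `:${IMAGE_TAG}` with a versioned default), using the same value in all three places. The template's `parameters:` list is outside these hunks, so the new parameter would have to be declared there. The literal `"csw-dev-F25"` would also read better as a parameter, like the rest of the template.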
@@ -50,6 +50,36 @@ objects: name: ${SERVICE_ACCOUNT_NB} namespace: ${NAMESPACE} + # CREATE POD READER ROLE BINDING + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: ${SERVICE_ACCOUNT_NB}-pod-reader + namespace: ${NAMESPACE} + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: pod-reader + subjects: + - kind: ServiceAccount + name: ${SERVICE_ACCOUNT_NB} + namespace: ${NAMESPACE} + + # CREATE NODE READER ROLE BINDING + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: ${NAMESPACE}-node-reader + namespace: ${NAMESPACE} + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: node-reader + subjects: + - kind: ServiceAccount + name: ${SERVICE_ACCOUNT_NB} + namespace: ${NAMESPACE} + # CREATE ROLE FOR LOCAL QUEUE - apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -80,7 +110,7 @@ objects: - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: ${SERVICE_ACCOUNT_NB}-kueue-clusterqueue-reader + name: ${NAMESPACE}-kueue-clusterqueue-reader roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -90,6 +120,7 @@ objects: name: ${SERVICE_ACCOUNT_NB} namespace: ${NAMESPACE} + # OC AUTH EXEC (BINDINGS FOR DEFAULT SERVICE ACCOUNT) # BIND TO EXISTING EDIT ROLE - apiVersion: rbac.authorization.k8s.io/v1
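Review bot: The pod-reader entry added in the first hunk is a `ClusterRoleBinding`, which is cluster-scoped: the `namespace: ${NAMESPACE}` under its `metadata` does not restrict it, so the notebook service account gets whatever `pod-reader` allows in every namespace, presumably including other students' pod specs and their environment variables. If the notebook only needs pods in its own project, change that entry to `kind: RoleBinding` (the `roleRef` may still name the ClusterRole), which confines the grant to `${NAMESPACE}`. The node-reader binding has to stay cluster-scoped because nodes are not namespaced, but its `namespace:` line is misleading and should be dropped. `pod-reader` is not defined in cluster_role.yaml in this commit, so unless it exists elsewhere the binding refers to a role that does not exist yet and will take on whatever rules a later `pod-reader` is created with. `${SERVICE_ACCOUNT_NB}-pod-reader` is also the only new binding name not keyed on `${NAMESPACE}`, unlike the rename in the hunk at -80.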