OCP-on-NERC · memalhot · Sep 3, 2025
diff --git a/gpu-class/cluster_queue_role.yaml → gpu-class/cluster_role.yaml b/gpu-class/cluster_queue_role.yaml → gpu-class/cluster_role.yaml
@@ -6,3 +6,12 @@ rules:
   - apiGroups: ["kueue.x-k8s.io"]
     resources: ["clusterqueues"]
     verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: node-reader
+rules:
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get", "list"]
diff --git a/gpu-class/gpu-class-setup.sh b/gpu-class/gpu-class-setup.sh
@@ -16,32 +16,35 @@ create_wb() {
     #set namespace
     namespace=$1
 
-    username=$(oc -n "$ns" get rolebinding edit -o json \
-    | jq -r '
-        (.subjects // [])
-        | map(.name)
-        | map(select(. != "jappavoo-40bu-2edu"))
-        | map(select(. != "sdanni-40redhat-2com"))
-        | map(select(. != "istaplet"))
-        | .[]
-    ')
-
-    user=$(oc -n "$ns" get rolebinding edit -o json \
-    | jq -r '
-        (.subjects // [])
-        | map(.name
-            | if test("@.*\\..*$")
-                then sub("@"; "-40") | gsub("\\.";"-2")
-                else .
-                end)
-        | map(select(. != "jappavoo-40bu-2edu"))
-        | map(select(. != "sdanni-40redhat-2com"))
-        | map(select(. != "istaplet"))
-        | .[]
-    ')
+    # username=$(oc -n "$ns" get rolebinding edit -o json \
+    # | jq -r '
+    #     (.subjects // [])
+    #     | map(.name)
+    #     | map(select(. != "jappavoo-40bu-2edu"))
+    #     | map(select(. != "sdanni-40redhat-2com"))
+    #     | map(select(. != "istaplet"))
+    #     | .[]
+    # ')
+
+    # user=$(oc -n "$ns" get rolebinding edit -o json \
+    # | jq -r '
+    #     (.subjects // [])
+    #     | map(.name
+    #         | if test("@.*\\..*$")
+    #             then sub("@"; "-40") | gsub("\\.";"-2")
+    #             else .
+    #             end)
+    #     | map(select(. != "jappavoo-40bu-2edu"))
+    #     | map(select(. != "sdanni-40redhat-2com"))
+    #     | map(select(. != "istaplet"))
+    #     | .[]
+    # ')
+
+    user="jappavoo-40bu-2edu"
+    username="[email protected]"
 
     # give notebook within namespace a name
-    notebook_name=cs599-${user}-wb
+    notebook_name=csw-dev
 
     params=(
         -p NOTEBOOK_NAME="$notebook_name"
@@ -59,32 +62,32 @@ create_wb() {
     echo "$notebook_name"
 }
 
-apply_localqueue() {
+apply_rolebinding() {
+    #set namespace and nb name
     namespace=$1
+    notebook_name=$2
 
-    local_params=(
+    rb_params=(
         -p NAMESPACE="$namespace"
+        -p SERVICE_ACCOUNT_NB="$notebook_name"
     )
 
-    oc process -f localqueue.yaml --local "${local_params[@]}" | "${create_resource_command[@]}" --as system:admin  1>&2
+    oc process -f rb.yaml --local "${rb_params[@]}" | "${create_resource_command[@]}" --as system:admin
 }
 
-apply_rolebinding() {
-    #set namespace and nb name
+apply_localqueue() {
     namespace=$1
-    notebook_name=$2
 
-    rb_params=(
+    local_params=(
         -p NAMESPACE="$namespace"
-        -p SERVICE_ACCOUNT_NB="$notebook_name"
     )
 
-    oc process -f rb.yaml --local "${rb_params[@]}" | "${create_resource_command[@]}" --as system:admin
+    oc process -f localqueue.yaml --local "${local_params[@]}" | "${create_resource_command[@]}" --as system:admin  1>&2
 }
 
 apply_clusterq() {
 
-    oc apply -f  cluster_queue_role.yaml --as system:admin
+    oc apply -f  cluster_role.yaml --as system:admin
 }
 
 apply_clusterq

diff --git a/gpu-class/notebook_resource.yaml b/gpu-class/notebook_resource.yaml
@@ -31,14 +31,17 @@ objects:
   metadata:
     annotations:
       notebooks.opendatahub.io/inject-oauth: 'true'
-      notebooks.opendatahub.io/last-image-selection: ${IMAGE_NAME}
+      notebooks.opendatahub.io/image-display-name: "csw-dev-F25"
+      notebooks.opendatahub.io/last-image-selection: ${IMAGE_NAME}:latest
       notebooks.opendatahub.io/last-size-selection: Small
+      opendatahub.io/notebook-image-desc: "csw-dev-F25"
       notebooks.opendatahub.io/oauth-logout-url: >-
         ${OPENSHIFT_URL}/${NAMESPACE}?notebookLogout=${NOTEBOOK_NAME}
       opendatahub.io/username: ${USER}
       openshift.io/description: ''
       openshift.io/display-name: ${NOTEBOOK_NAME}
-      opendatahub.io/image-display-name: ${IMAGE_NAME}
+      opendatahub.io/accelerator-name: ''
+      opendatahub.io/hardware-profile-name: ''
     name: ${NOTEBOOK_NAME}
     labels:
       ope-run: ${RUN_NAME}
@@ -100,7 +103,7 @@ objects:
                                     --ServerApp.tornado_settings={"user":"${USER}","hub_host":"${HUB_HOST}","hub_prefix":"projects/${NAMESPACE}"}
               - name: JUPYTER_IMAGE
                 value: >-
-                  ${IMAGE_REPO}/${IMAGE_NAME}
+                  ${IMAGE_REPO}/${IMAGE_NAME}:latest
             ports:
               - containerPort: 8888
                 name: notebook-port
@@ -112,7 +115,7 @@ objects:
               - mountPath: /dev/shm
                 name: shm
             image: >-
-                ${IMAGE_REPO}/${IMAGE_NAME}
+                ${IMAGE_REPO}/${IMAGE_NAME}:latest
             workingDir: /opt/app-root/src
           - resources:
               limits:

diff --git a/gpu-class/rb.yaml b/gpu-class/rb.yaml
@@ -50,6 +50,36 @@ objects:
         name: ${SERVICE_ACCOUNT_NB}
         namespace: ${NAMESPACE}
 
+  # CREATE POD READER ROLE BINDING
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      name: ${SERVICE_ACCOUNT_NB}-pod-reader
+      namespace: ${NAMESPACE}
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: ClusterRole
+      name: pod-reader
+    subjects:
+      - kind: ServiceAccount
+        name: ${SERVICE_ACCOUNT_NB}
+        namespace: ${NAMESPACE}
+
+  # CREATE NODE READER ROLE BINDING
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      name: ${NAMESPACE}-node-reader
+      namespace: ${NAMESPACE}
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: ClusterRole
+      name: node-reader
+    subjects:
+      - kind: ServiceAccount
+        name: ${SERVICE_ACCOUNT_NB}
+        namespace: ${NAMESPACE}
+
   # CREATE ROLE FOR LOCAL QUEUE
   - apiVersion: rbac.authorization.k8s.io/v1
     kind: Role
@@ -80,7 +110,7 @@ objects:
   - apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
     metadata:
-      name: ${SERVICE_ACCOUNT_NB}-kueue-clusterqueue-reader
+      name: ${NAMESPACE}-kueue-clusterqueue-reader
     roleRef:
       apiGroup: rbac.authorization.k8s.io
       kind: ClusterRole
@@ -90,6 +120,7 @@ objects:
         name: ${SERVICE_ACCOUNT_NB}
         namespace: ${NAMESPACE}
 
+
   # OC AUTH EXEC (BINDINGS FOR DEFAULT SERVICE ACCOUNT)
   # BIND TO EXISTING EDIT ROLE
   - apiVersion: rbac.authorization.k8s.io/v1