add rbac for system set up guidance

memalhot · memalhot · commit ae84efff4b0f · 2025-12-08T09:48:40.000-05:00
diff --git a/README.md b/README.md
@@ -3,7 +3,7 @@
 ## Overview
 
 `python-batchtools` is a CLI for students and researchers to
-submit **GPU batch jobs** through **Kueue-managed GPU queues** on an
+submit **GPU batch jobs** through Kueue-managed GPU queues on an
 OpenShift cluster. It provides an inexpensive and accessible way to use
 GPU hardware without reserving dedicated GPU nodes.
 
@@ -13,7 +13,7 @@ Users submit GPU jobs with a single command:
 batchtools br "./cuda_program"
 ```
 
-The CLI automatically:
+The CLI will automatically:
 - Creates the batch job<br>
 - Submits it to the appropriate Kueue-managed LocalQueue<br>
 - Tracks job status<br>
@@ -37,13 +37,14 @@ pip install -e .
 
 ## Prerequisites
 
-1.  A Kueue-enabled OpenShift cluster, with local-queues named: v100-localqueue, a100-localqueue, h100-localqueue, dummy-localqueue<br>
+1.  A Kueue-enabled OpenShift cluster, with localqueues named: v100-localqueue, a100-localqueue, h100-localqueue, dummy-localqueue<br>
 2.  An OpenShift account<br>
 3.  The Python OpenShift client:
 
 ``` sh
 pip install openshift-client
 ```
+4. RBAC permissions for the user to have access to jobs, kueue resources like localqueues and clusterqueues. See **rbac** folder for setup.
 
 # Usage Examples
 
diff --git a/rbac/clusterrole.yaml b/rbac/clusterrole.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kueue-clusterqueue-reader
+rules:
+  - apiGroups: ["kueue.x-k8s.io"]
+    resources: ["clusterqueues"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: node-reader
+rules:
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pod-reader
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list"]
diff --git a/rbac/jobs.yaml b/rbac/jobs.yaml
@@ -0,0 +1,134 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  name: rbac-default-edit-and-jobs
+parameters:
+  - name: NAMESPACE
+    required: true
+  - name: SERVICE_ACCOUNT_NB
+    required: true
+objects:
+  # OC AUTH WB (BINDINGS FOR WORKBOOKS)
+  # ROLEBINDING FOR EXISTING EDIT ROLE
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: ${SERVICE_ACCOUNT_NB}-edit
+      namespace: ${NAMESPACE}
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: ClusterRole
+      name: edit
+    subjects:
+      - kind: ServiceAccount
+        name: ${SERVICE_ACCOUNT_NB}
+        namespace: ${NAMESPACE}
+
+  # CREATE ROLE EDIT-JOBS
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+      name: edit-jobs
+      namespace: ${NAMESPACE}
+    rules:
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
+  # BIND EDIT-JOBS TO THE NOTEBOOK SA
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: ${SERVICE_ACCOUNT_NB}-edit-jobs
+      namespace: ${NAMESPACE}
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: Role
+      name: edit-jobs
+    subjects:
+      - kind: ServiceAccount
+        name: ${SERVICE_ACCOUNT_NB}
+        namespace: ${NAMESPACE}
+
+  # CREATE ROLE FOR LOCAL QUEUE
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+      name: kueue-localqueue-reader
+      namespace: ${NAMESPACE}
+    rules:
+      - apiGroups: ["kueue.x-k8s.io"]
+        resources: ["localqueues"]
+        verbs: ["get", "list", "watch"]
+
+  # BIND LOCAL QUEUE READER TO THE NOTEBOOK SA
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: ${SERVICE_ACCOUNT_NB}-kueue-localqueue-reader
+      namespace: ${NAMESPACE}
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: Role
+      name: kueue-localqueue-reader
+    subjects:
+      - kind: ServiceAccount
+        name: ${SERVICE_ACCOUNT_NB}
+        namespace: ${NAMESPACE}
+
+  # OC AUTH EXEC (BINDINGS FOR DEFAULT SERVICE ACCOUNT)
+  # BIND TO EXISTING EDIT ROLE
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: default-edit
+      namespace: ${NAMESPACE}
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: ClusterRole
+      name: edit
+    subjects:
+      - kind: ServiceAccount
+        name: default
+        namespace: ${NAMESPACE}
+
+  # BIND TO INTERACTING WITH JOBS ROLE
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: default-edit-jobs
+      namespace: ${NAMESPACE}
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: Role
+      name: edit-jobs
+    subjects:
+      - kind: ServiceAccount
+        name: default
+        namespace: ${NAMESPACE}
+
+  # PODS/EXEC ROLE
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+      name: default-edit-pods-exec
+      namespace: ${NAMESPACE}
+    rules:
+      - apiGroups: [""]
+        resources: ["pods/exec"]
+        verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
+  # BIND PODS/EXEC ROLE
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: default-edit-pods-exec
+      namespace: ${NAMESPACE}
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: Role
+      name: default-edit-pods-exec
+    subjects:
+      - kind: ServiceAccount
+        name: default
+        namespace: ${NAMESPACE}
diff --git a/rbac/localqueue.yaml b/rbac/localqueue.yaml
@@ -0,0 +1,29 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  name: localqueue
+parameters:
+  - name: NAMESPACE
+    required: true
+objects:
+  - apiVersion: kueue.x-k8s.io/v1beta1
+    kind: LocalQueue
+    metadata:
+      name: v100-localqueue
+      namespace: ${NAMESPACE}
+    spec:
+      clusterQueue: v100-clusterqueue
+  - apiVersion: kueue.x-k8s.io/v1beta1
+    kind: LocalQueue
+    metadata:
+      name: a100-localqueue
+      namespace: ${NAMESPACE}
+    spec:
+      clusterQueue: a100-clusterqueue
+  - apiVersion: kueue.x-k8s.io/v1beta1
+    kind: LocalQueue
+    metadata:
+      name: h100-localqueue
+      namespace: ${NAMESPACE}
+    spec:
+      clusterQueue: h100-clusterqueue
