fix: split EPP RBAC into cluster and namespaced scoped permission #1071

chewong · 2025-06-26T04:17:07Z

Fixes #224

Testing:

helm upgrade -i epp ./config/charts/inferencepool

# in a curl pod
curl 10.0.227.159/v1/models
{"object":"list","data":[{"id":"...

Split EPP RBAC into cluster and namespaced scoped permission

netlify · 2025-06-26T04:17:26Z

✅ Deploy Preview for gateway-api-inference-extension ready!

Name	Link
🔨 Latest commit	`6524475`
🔍 Latest deploy log	https://app.netlify.com/projects/gateway-api-inference-extension/deploys/68893226f1f2bd0008d947b7
😎 Deploy Preview	https://deploy-preview-1071--gateway-api-inference-extension.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

nirrozenbaum · 2025-06-26T05:24:40Z

thanks for the PR 👍 .

can you update also here and here?

test/testdata/inferencepool-e2e.yaml

danehans · 2025-06-26T18:17:09Z

I think the test utils/suite need to be updated too:

$ grep -ri ClusterRole .
./config/charts/inferencepool/templates/rbac.yaml:kind: ClusterRole
./config/charts/inferencepool/templates/rbac.yaml:kind: ClusterRoleBinding
./config/charts/inferencepool/templates/rbac.yaml:  kind: ClusterRole
./config/manifests/inferencepool-resources.yaml:kind: ClusterRole
./config/manifests/inferencepool-resources.yaml:kind: ClusterRoleBinding
./config/manifests/inferencepool-resources.yaml:  kind: ClusterRole
./test/testdata/metrics-rbac.yaml:kind: ClusterRole
./test/testdata/metrics-rbac.yaml:kind: ClusterRoleBinding
./test/testdata/metrics-rbac.yaml:  kind: ClusterRole
./test/testdata/inferencepool-e2e.yaml:kind: ClusterRole
./test/testdata/inferencepool-e2e.yaml:kind: ClusterRoleBinding
./test/testdata/inferencepool-e2e.yaml:  kind: ClusterRole
./test/e2e/epp/e2e_suite_test.go:	// Wait for the clusterrole to exist.
./test/e2e/epp/e2e_suite_test.go:		return k8sClient.Get(ctx, types.NamespacedName{Name: "pod-read"}, &rbacv1.ClusterRole{})
./test/e2e/epp/e2e_suite_test.go:	// Wait for the clusterrolebinding to exist.
./test/e2e/epp/e2e_suite_test.go:		return k8sClient.Get(ctx, types.NamespacedName{Name: "pod-read-binding"}, &rbacv1.ClusterRoleBinding{})
./test/utils/utils.go:	binding := &rbacv1.ClusterRoleBinding{
./test/utils/utils.go:	role := &rbacv1.ClusterRole{
./test/utils/utils.go:	metricsReaderBinding := &rbacv1.ClusterRoleBinding{
./test/utils/utils.go:	metricsReaderRole := &rbacv1.ClusterRole{
./Makefile:manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
...
./site-src/guides/metrics-and-observability.md:To scrape metrics, the client needs a ClusterRole with the following rule:
./site-src/guides/metrics-and-observability.md:kind: ClusterRole
./site-src/guides/metrics-and-observability.md:kind: ClusterRoleBinding
./site-src/guides/metrics-and-observability.md:  kind: ClusterRole
...

danehans · 2025-06-27T22:43:28Z

This will be a breaking change for implementations. @nirrozenbaum @kfswain @ahg-g we need a way to ensure breaking changes are highlighted when a release is cut.

danehans · 2025-06-27T22:46:34Z

nit: Update comment from "ClusterRole" to "Role" or "RBAC":

./Makefile:manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.

/lgtm

danehans · 2025-06-27T22:53:46Z

/lgtm

nirrozenbaum · 2025-06-29T07:40:36Z

This will be a breaking change for implementations. @nirrozenbaum @kfswain @ahg-g we need a way to ensure breaking changes are highlighted when a release is cut.

how about adding a label (gie-area/breaking-change) and label the PR. then add instructions to whoever is doing the release to go over the list of PRs and highlight what's needed?

kfswain · 2025-06-30T16:04:39Z

This will be a breaking change for implementations. @nirrozenbaum @kfswain @ahg-g we need a way to ensure breaking changes are highlighted when a release is cut.

how about adding a label (gie-area/breaking-change) and label the PR. then add instructions to whoever is doing the release to go over the list of PRs and highlight what's needed?

We could also tag breaking PRs in a comment on the release tracking issue/milestone

chewong · 2025-07-01T22:32:32Z

Raised a PR in test-infra to create a new label called kind/breaking-change - kubernetes/test-infra#35069

ahg-g · 2025-07-08T22:13:13Z

anything pending on merging this PR?

chewong · 2025-07-08T23:18:06Z

Added release note in the PR description. Nothing pending on merging this PR.

Signed-off-by: Ernest Wong <[email protected]>

chewong · 2025-07-29T21:05:09Z

@ahg-g @nirrozenbaum could you take another look?

ahg-g · 2025-07-31T07:45:04Z

/lgtm
/approve
/hold cancel

k8s-ci-robot · 2025-07-31T07:45:12Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ahg-g, chewong

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [ahg-g]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

nirrozenbaum · 2025-07-31T08:03:29Z

config/charts/inferencepool/templates/rbac.yaml

+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "gateway-api-inference-extension.name" . }}
+---


just making sure, was the helm chart tested and verified it's working?

I tested it again and encountered some issues. Opened #1274 to fix them.

…bernetes-sigs#1071) * fix: split EPP RBAC into cluster and namespaced scoped permission Signed-off-by: Ernest Wong <[email protected]> * New API group Signed-off-by: Ernest Wong <[email protected]> --------- Signed-off-by: Ernest Wong <[email protected]>

k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jun 26, 2025

k8s-ci-robot requested review from danehans and nirrozenbaum June 26, 2025 04:17

k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jun 26, 2025

k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jun 26, 2025

chewong force-pushed the fix-224 branch from af8cc85 to 49432c8 Compare June 26, 2025 17:47

nirrozenbaum reviewed Jun 26, 2025

View reviewed changes

test/testdata/inferencepool-e2e.yaml Outdated Show resolved Hide resolved

chewong force-pushed the fix-224 branch from 5a260f9 to b831ac6 Compare June 26, 2025 18:16

chewong force-pushed the fix-224 branch from b831ac6 to 4095b61 Compare June 26, 2025 18:17

chewong requested a review from nirrozenbaum June 26, 2025 19:10

k8s-ci-robot assigned danehans Jun 27, 2025

k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Jun 27, 2025

chewong mentioned this pull request Jul 1, 2025

chore: add kind/breaking-change label to Gateway API Inference Extension kubernetes/test-infra#35069

Open

nirrozenbaum added the release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. label Jul 7, 2025

k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 15, 2025

chewong force-pushed the fix-224 branch from f66c3b6 to b77dcea Compare July 15, 2025 19:23

k8s-ci-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jul 15, 2025

chewong force-pushed the fix-224 branch from b77dcea to 4bb270d Compare July 17, 2025 21:36

k8s-ci-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jul 17, 2025

fix: split EPP RBAC into cluster and namespaced scoped permission

ccaa5e5

Signed-off-by: Ernest Wong <[email protected]>

chewong force-pushed the fix-224 branch from 4bb270d to ccaa5e5 Compare July 29, 2025 19:35

k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 29, 2025

New API group

6524475

Signed-off-by: Ernest Wong <[email protected]>

k8s-ci-robot assigned ahg-g Jul 31, 2025

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 31, 2025

k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 31, 2025

nirrozenbaum reviewed Jul 31, 2025

View reviewed changes

k8s-ci-robot merged commit 62b5e60 into kubernetes-sigs:main Jul 31, 2025
9 checks passed

chewong deleted the fix-224 branch July 31, 2025 18:26

chewong mentioned this pull request Jul 31, 2025

fix: update RBAC and mirror InferencePool with v1alpha2 API version #1274

Open

kfswain mentioned this pull request Aug 3, 2025

adding fairness-id header to be used in flow control #1282

Merged

fix: split EPP RBAC into cluster and namespaced scoped permission #1071

fix: split EPP RBAC into cluster and namespaced scoped permission #1071

Uh oh!

Conversation

chewong commented Jun 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

netlify bot commented Jun 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Deploy Preview for gateway-api-inference-extension ready!

Uh oh!

nirrozenbaum commented Jun 26, 2025

Uh oh!

Uh oh!

danehans commented Jun 26, 2025

Uh oh!

danehans commented Jun 27, 2025

Uh oh!

danehans commented Jun 27, 2025

Uh oh!

danehans commented Jun 27, 2025

Uh oh!

nirrozenbaum commented Jun 29, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

kfswain commented Jun 30, 2025

Uh oh!

chewong commented Jul 1, 2025

Uh oh!

ahg-g commented Jul 8, 2025

Uh oh!

chewong commented Jul 8, 2025

Uh oh!

chewong commented Jul 29, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ahg-g commented Jul 31, 2025

Uh oh!

k8s-ci-robot commented Jul 31, 2025

Uh oh!

nirrozenbaum Jul 31, 2025

Choose a reason for hiding this comment

Uh oh!

chewong Jul 31, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

chewong commented Jun 26, 2025 •

edited

Loading

netlify bot commented Jun 26, 2025 •

edited

Loading

nirrozenbaum commented Jun 29, 2025 •

edited

Loading

chewong commented Jul 29, 2025 •

edited

Loading