{{- if .Values.scheduling.userScheduler.enabled -}}
{{- if .Values.rbac.create -}}
# RBAC for the user-scheduler. Renders a ClusterRole (rules copied from the
# upstream kube-scheduler and volume-scheduler roles) and a ClusterRoleBinding
# that grants it to the user-scheduler ServiceAccount. Both documents are only
# emitted when scheduling.userScheduler.enabled and rbac.create are true.
#
# Scope note: this is a ClusterRole bound by a ClusterRoleBinding, so every
# rule below applies across all namespaces of the cluster, not only the
# release namespace. The rules are kept verbatim from upstream so they can be
# diffed against new Kubernetes releases; the only chart-specific change is
# the resourceNames entry on the lease rule.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "jupyterhub.user-scheduler.fullname" . }}
  labels:
    {{- include "jupyterhub.labels" . | nindent 4 }}
rules:
  # Copied from the system:kube-scheduler ClusterRole of the k8s version
  # matching the kube-scheduler binary we use. A modification has been made to
  # resourceName fields to remain relevant for how we have named our resources
  # in this Helm chart.
  #
  # NOTE: These rules have been:
  # - unchanged between 1.12 and 1.15
  # - changed in 1.16
  # - changed in 1.17
  # - unchanged between 1.18 and 1.20
  # - changed in 1.21: get/list/watch permission for namespace,
  #   csidrivers, csistoragecapacities was added.
  # - unchanged between 1.22 and 1.27
  # - changed in 1.28: permissions to get/update lock endpoint resource
  #   removed
  # - unchanged between 1.28 and 1.30
  # - (1.31 is known to bring some changes below)
  #
  # NOTE(review): this section is pinned to v1.30.0 while the volume-scheduler
  # section further down references v1.29.0; bump both refs together whenever
  # the kube-scheduler image version changes.
  #
  # ref: https://github.com/kubernetes/kubernetes/blob/v1.30.0/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml#L721-L862
  #
  # Events: write-only (create/patch/update); no read access is granted.
  - apiGroups:
      - ""
      - events.k8s.io
    resources:
      - events
    verbs:
      - create
      - patch
      - update
  # Leases: create is unrestricted because a lease cannot be named in
  # resourceNames before it exists; get/update below are limited to this
  # chart's lock lease (by its name, presumably the leader-election lock).
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
  - apiGroups:
      - coordination.k8s.io
    resourceNames:
      - {{ include "jupyterhub.user-scheduler-lock.fullname" . }}
    resources:
      - leases
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  # Pods: read access plus cluster-wide delete. The delete verb is inherited
  # from the upstream scheduler role (presumably for preemption).
  # NOTE(review): confirm preemption is actually relied on before keeping a
  # cluster-wide pod delete permission on this ServiceAccount.
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - delete
      - get
      - list
      - watch
  # pods/binding create is the permission that assigns a pod to a node.
  - apiGroups:
      - ""
    resources:
      - bindings
      - pods/binding
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - pods/status
    verbs:
      - patch
      - update
  # Workload controllers are read-only: used to look up pod ownership.
  - apiGroups:
      - ""
    resources:
      - replicationcontrollers
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
      - extensions
    resources:
      - replicasets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - statefulsets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - persistentvolumeclaims
      - persistentvolumes
    verbs:
      - get
      - list
      - watch
  # TokenReview / SubjectAccessReview create lets the scheduler ask the API
  # server to authenticate tokens and authorize requests (inherited from
  # upstream, where the scheduler secures its own HTTP endpoints this way).
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
  - apiGroups:
      - storage.k8s.io
    resources:
      - csinodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - storage.k8s.io
    resources:
      - csidrivers
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - storage.k8s.io
    resources:
      - csistoragecapacities
    verbs:
      - get
      - list
      - watch

  # Copied from the system:volume-scheduler ClusterRole of the k8s version
  # matching the kube-scheduler binary we use.
  #
  # NOTE: These rules have not changed between 1.12 and 1.29.
  #
  # ref: https://github.com/kubernetes/kubernetes/blob/v1.29.0/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml#L1283-L1310
  #
  # These grant cluster-wide patch/update on PersistentVolumes and
  # PersistentVolumeClaims (write access, unlike the read-only PV/PVC rule
  # above); StorageClasses stay read-only.
  - apiGroups:
      - ""
    resources:
      - persistentvolumes
    verbs:
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - persistentvolumeclaims
    verbs:
      - get
      - list
      - patch
      - update
      - watch
---
# Binds the ClusterRole above to the user-scheduler ServiceAccount living in
# the release namespace. Because the binding itself is cluster-scoped, the
# permissions apply in every namespace, not just .Release.Namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "jupyterhub.user-scheduler.fullname" . }}
  labels:
    {{- include "jupyterhub.labels" . | nindent 4 }}
subjects:
  - kind: ServiceAccount
    name: {{ include "jupyterhub.user-scheduler-serviceaccount.fullname" . }}
    namespace: "{{ .Release.Namespace }}"
roleRef:
  kind: ClusterRole
  name: {{ include "jupyterhub.user-scheduler.fullname" . }}
  apiGroup: rbac.authorization.k8s.io
{{- end }}
{{- end }}