feat: add aggregated label to cluster role #50
Conversation
j4ckstraw
force-pushed
the
add-aggregate-labels-to-cluster-role
branch
from
a1cb0cf to
b4f6e22
Compare
j4ckstraw
force-pushed
the
add-aggregate-labels-to-cluster-role
branch
from
b4f6e22 to
ac54307
Compare
There was a problem hiding this comment.
merge viewer and editor into one file, make it more clear and tidy
| metadata: | ||
| name: raycluster-viewer-role | ||
| labels: | ||
| rbac.authorization.k8s.io/aggregate-to-view: "true" |
There was a problem hiding this comment.
according to https://github.com/kubernetes/kubernetes/blob/master/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go#L290C1-L291C1, and https://github.com/kubernetes/kubernetes/blob/master/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go#L280 view clusterrole will aggregated to edit clusterrole, and edit clusterrole will aggregated to admin clusterrole, so only rbac.authorization.k8s.io/aggregate-to-view is enough.
| - ray.io | ||
| resources: | ||
| - rayjobs | ||
| - rayjobs/status |
There was a problem hiding this comment.
only operator can update/patch status subresource.
j4ckstraw
force-pushed
the
add-aggregate-labels-to-cluster-role
branch
2 times, most recently
from
115b6fe to
31ec5fc
Compare
|
@kevin85421 @andrewsykim hello, Do you have time to take a look? |
Signed-off-by: j4ckstraw <[email protected]>
j4ckstraw
force-pushed
the
add-aggregate-labels-to-cluster-role
branch
from
31ec5fc to
ce8505f
Compare
|
Hi @j4ckstraw, this repository is only updated whenever KubeRay is released. Could you open the PR on the KubeRay repository instead? |
fix #48
see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings