dragon
/
argocd-example-apps
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Example Apps to Demonstrate Argo CD
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
50 Commits
1 Branch
8 Tags
1.1 MiB
 
 
Tree: 2e7344a75f
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '2e7344a75f'
${ noResults }
argocd-example-apps/kustomize/kubeflow-roles
arun-vc 2e7344a75f
volvo-kustomize added 		5 years ago
..
base volvo-kustomize added 5 years ago
OWNERS volvo-kustomize added 5 years ago
README.md volvo-kustomize added 5 years ago
kustomization.yaml volvo-kustomize added 5 years ago

README.md

Default Kubeflow ClusterRoles

This manifest package contains the default ClusterRoles Kubeflow uses for defining roles for Kubeflow user Profiles. These roles are currently assigned to users by Profiles (profile-controller and kfam) Service with the help of Manage Users page in Central Dashboard.

Note: kfctl assigns the default Kubernetes role cluster-admin to the user who deploys Kubeflow for the GCP IAP configuration.

How to define role privileges for your Kubeflow application?

Each application defines its own ClusterRole for each role here in kubeflow-roles. We use ClusterRole Aggregation for these application ClusterRoles to be aggregated to their corresponding Kubeflow roles. An example implementation showing the same can be found here:

The example is taken from istio manifests.

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeflow-istio-admin
  labels:
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true"
rules: []

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeflow-istio-edit
  labels:
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true"
rules:
- apiGroups: ["istio.io"]
  resources: ["*"]
  verbs:
  - get
  - list
  - watch
  - create
  - delete
  - deletecollection
  - patch
  - update

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeflow-istio-view
  labels:
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
rules:
- apiGroups: ["istio.io"]
  resources: ["*"]
  verbs:
  - get
  - list
  - watch

Note the usage of labels in each ClusterRole to indicate ClusterRole Aggregation with Kubeflow ClusterRoles for this application.

Reference Links