2.2 KiB
Default Kubeflow ClusterRoles
This manifest package contains the default ClusterRoles Kubeflow uses for defining roles for Kubeflow user Profiles. These roles are currently assigned to users by Profiles (profile-controller and kfam) Service with the help of Manage Users page in Central Dashboard.
Note: kfctl assigns the default Kubernetes role cluster-admin to the user who deploys Kubeflow for the GCP IAP configuration.
How to define role privileges for your Kubeflow application?
Each application defines its own ClusterRole for each role here in kubeflow-roles. We use ClusterRole Aggregation for these application ClusterRoles to be aggregated to their corresponding Kubeflow roles. An example implementation showing the same can be found here:
The example is taken from istio manifests.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubeflow-istio-admin
labels:
rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true"
rules: []
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubeflow-istio-edit
labels:
rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true"
rules:
- apiGroups: ["istio.io"]
resources: ["*"]
verbs:
- get
- list
- watch
- create
- delete
- deletecollection
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubeflow-istio-view
labels:
rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
rules:
- apiGroups: ["istio.io"]
resources: ["*"]
verbs:
- get
- list
- watch
Note the usage of labels in each ClusterRole to indicate ClusterRole Aggregation with Kubeflow ClusterRoles for this application.