Merge pull request #749 from NVIDIA/cc-mgr-vgpu-dm-rbac

tariq1890 · web-flow · commit 234f61b69fa4 · 2024-06-12T09:17:08.000-07:00
[CC Mgr VGPU Device Mgr] move pods access permissions from ClusterRole to Role
diff --git a/assets/state-cc-manager/0200_role.yaml b/assets/state-cc-manager/0200_role.yaml
@@ -12,3 +12,11 @@ rules:
   - use
   resourceNames:
   - privileged
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
diff --git a/assets/state-cc-manager/0210_clusterrole.yaml b/assets/state-cc-manager/0210_clusterrole.yaml
@@ -7,7 +7,6 @@ rules:
   - ""
   resources:
   - nodes
-  - pods
   verbs:
   - get
   - list
diff --git a/assets/state-vgpu-device-manager/0200_role.yaml b/assets/state-vgpu-device-manager/0200_role.yaml
@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: nvidia-vgpu-device-manager
+  namespace: "FILLED BY THE OPERATOR"
+rules:
+- apiGroups:
+  - security.openshift.io
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
+  resourceNames:
+  - privileged
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
diff --git a/assets/state-vgpu-device-manager/0210_clusterrole.yaml b/assets/state-vgpu-device-manager/0210_clusterrole.yaml
@@ -14,8 +14,6 @@ rules:
   - ""
   resources:
   - nodes
-  - pods
-  - pods/eviction
   verbs:
   - get
   - list
diff --git a/assets/state-vgpu-device-manager/0300_rolebinding.yaml b/assets/state-vgpu-device-manager/0300_rolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: nvidia-vgpu-device-manager
+  namespace: "FILLED BY THE OPERATOR"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: nvidia-vgpu-device-manager
+subjects:
+- kind: ServiceAccount
+  name: nvidia-vgpu-device-manager
+  namespace: "FILLED BY THE OPERATOR"

-Original file line number
+Diff line change
   - ""
   resources:
   - nodes
 -  - pods
   verbs:
   - get
   - list