Remove unnecessary RBAC rule for mpijobs-admin*** #630
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
***Update cluster-role.yaml to remove the unnecessary RBAC rule for mpijobs-admin.*** Signed-off-by: Vishvajit Kher <[email protected]>
vishvajit79
force-pushed
the
remove-unnecessary-rbac-annot
branch
from
f5cf739
to
b3064b4
Compare
| @@ -126,7 +126,6 @@ metadata: | |||
| name: kubeflow-mpijobs-edit | |||
| labels: | |||
| rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" | |||
| rbac.authorization.kubeflow.org/aggregate-to-kubeflow-mpijobs-admin: "true" | |||
There was a problem hiding this comment.
why remove this? An admin might need to perform edits in case of emergencies.
There was a problem hiding this comment.
If that's the case, then we should define rules for admin. Right now, rules for admin are empty array and when the admin annotation is added to edit clusterrole, it keeps overriding admin role. If we expect the admin to have slightly different role than edit then it would make sense to keep both otherwise I would suggest removing the admin role
There was a problem hiding this comment.
@terrytangyuan @rongou which practices are you following in the training-operator?
I don't have all the context to make a decision here.
There was a problem hiding this comment.
@alculquicondor IIRC, The training-operator doesn't use RBAC aggregations: https://github.com/kubeflow/training-operator/blob/2eff94ea8131879c7175ba6ae9e3d7d098f92f85/manifests/base/rbac/role.yaml
I guess that this setting seems to be only for the MPIJob v2.
There was a problem hiding this comment.
but these rules were added before we created the v2. So I'm not really sure what's the context.
There was a problem hiding this comment.
It makes sense. Actually, I also don't have any context...
There was a problem hiding this comment.
I don't see any relation to admin rule anywhere in the code. I think it is safe to delete all together but I'd leave that decision to you.
There was a problem hiding this comment.
Should we merge this PR? If not then I will close it
There was a problem hiding this comment.
Maybe @johnugeorge has some context of the original intent?
There was a problem hiding this comment.
I don't have context either. I wonder if it's for integration with UI or some other front-ends.
Update cluster-role.yaml to remove the unnecessary RBAC rule for mpijobs-admin.
Hello,
Thank you for reviewing this PR. I have removed the line
rbac.authorization.kubeflow.org/aggregate-to-kubeflow-mpijobs-admin: "true"from theclusterroleas it was overriding thekubeflow-mpijobs-adminrole with thekubeflow-mpijobs-editrole.To clarify, the
rbac.authorization.kubeflow.org/aggregate-to-kubeflow-mpijobs-adminannotation is used to aggregate thekubeflow-mpijobs-adminrole to thekubeflow-mpijobsnamespace. However, the previous implementation of this annotation was overriding thekubeflow-mpijobs-adminrole with thekubeflow-mpijobs-editrole, which is more restrictive.By removing this line, we are restoring the intended behavior of the
kubeflow-mpijobs-adminrole, allowing users with this role to manage MPI jobs in thekubeflow-mpijobsnamespace.Thank you for your attention to this matter.