From 181a1ec3beca89c87912eb394a429fc88aef73d3 Mon Sep 17 00:00:00 2001 From: David Grove Date: Tue, 3 Sep 2024 17:23:29 -0400 Subject: [PATCH] RBAC fix to enable slack cluster queue lending limit adjustment The codeflare operator needs permission to read and write clusterqueues to enable the AppWrapper controller to adjust the lending limit of a designated slack cluster queue to reflect cordoned nodes. --- config/rbac/role.yaml | 10 ++++++++++ pkg/controllers/appwrapper_controller.go | 3 ++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 879d6bc8..598b4daf 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -168,6 +168,16 @@ rules: - patch - update - watch +- apiGroups: + - kueue.x-k8s.io + resources: + - clusterqueues + verbs: + - get + - list + - patch + - update + - watch - apiGroups: - kueue.x-k8s.io resources: diff --git a/pkg/controllers/appwrapper_controller.go b/pkg/controllers/appwrapper_controller.go index f15a4ef2..c58516da 100644 --- a/pkg/controllers/appwrapper_controller.go +++ b/pkg/controllers/appwrapper_controller.go @@ -42,5 +42,6 @@ package controllers // +kubebuilder:rbac:groups=kueue.x-k8s.io,resources=resourceflavors,verbs=get;list;watch // +kubebuilder:rbac:groups=kueue.x-k8s.io,resources=workloadpriorityclasses,verbs=get;list;watch -// permission to watch nodes for Autopilot integration +// permission to watch nodes and edit clusterqueues for Autopilot integration //+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch +//+kubebuilder:rbac:groups=kueue.x-k8s.io,resources=clusterqueues,verbs=get;list;watch;update;patch