mpi-operator icon indicating copy to clipboard operation
mpi-operator copied to clipboard

Published 20 hours ago verified publisher icon kubeflow

allow more flexible rbac of mpi jobs

Open rongou opened this issue 6 years ago • 4 comments

Right now we create a new Role/ServiceAccount/RoleBinding for every MPIJob. Should give cluster admin the option to reuse existing RBAC resources. Need to change to code and add params to the ksonnet prototype.

From @everpeace:

Sometimes, cluster-admin wanted to manage RBAC related resources on their own or to use existing service account. In the case, admins don't want to let the prototype create them. So,

How about introducing rbacCreate and serviceAccountName parameters?? It's popular way in helm packages. In this case, we need explicit guidance so that admins can refer to required roles when they choose rbacCreate=false.

rongou avatar Jun 21 '18 17:06 rongou

I deployed MPIJob using Role in my own namespaces however it failed,but when i used the clusterrole it succeed.My question is how to set RBAC in cluster when using MPIJob.

ldd91 avatar Dec 11 '18 02:12 ldd91

MPIJob is expanded StatefulSets and pods owned by the statefulsets run with the dedicated serviceaccount for the MPIJob, which is created in your namespace by MPI operator.

So, I believe that you just need permission to C-R-U-D for MPIJob CRDs.

everpeace avatar Dec 11 '18 02:12 everpeace

If you look at https://github.com/kubeflow/mpi-operator/blob/master/deploy/2-rbac.yaml, it shows all the permissions you need.

rongou avatar Dec 11 '18 02:12 rongou

Thank you for timely reply.I will have a try.@rongou @everpeace

ldd91 avatar Dec 11 '18 03:12 ldd91