Task 6: RBAC and Kubernetes Manifests
Overview
Create and update Kubernetes manifests for RBAC permissions, ServiceAccounts, and other resources needed for PVC storage support.
Scope
- Create ServiceAccount for metadata extraction jobs
- Define RBAC roles and bindings
- Update existing controller RBAC for job management
- Create example PVC and BaseModel manifests
Files to Create/Modify
- config/rbac/model_metadata_extractor_role.yaml - New file
- config/rbac/model_metadata_extractor_binding.yaml - New file
- config/rbac/model_metadata_service_account.yaml - New file
- config/rbac/role.yaml - Update existing controller permissions
- examples/pvc-storage/ - New directory with examples
Implementation Details
ServiceAccount for Metadata Extractor
Create config/rbac/model_metadata_service_account.yaml:
- ServiceAccount named ome-model-metadata-extractor
- Deploy in the ome-system namespace
- Add appropriate labels for identification
RBAC Role for Metadata Extractor
Create config/rbac/model_metadata_extractor_role.yaml with permissions to:
- Read BaseModel and ClusterBaseModel resources
- Update BaseModel and ClusterBaseModel (for metadata updates)
- Read PVCs to verify they exist
- Create events for auditing
RBAC RoleBinding
Create config/rbac/model_metadata_extractor_binding.yaml:
- Bind the metadata extractor role to the service account
- Use ClusterRoleBinding for cross-namespace access
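The three manifests described in the ServiceAccount, Role and RoleBinding sections above, written out as one added example (these are not the project's own files). It assumes the BaseModel and ClusterBaseModel CRDs live in the ome.io API group and that metadata updates may touch the status subresource; both are assumptions to check against the CRD definitions.

```yaml
# Added example, not the project's own manifests.
# Assumption: OME CRDs are served under the "ome.io" API group.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ome-model-metadata-extractor
  namespace: ome-system
  labels:
    app.kubernetes.io/name: ome
    app.kubernetes.io/component: model-metadata-extractor
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ome-model-metadata-extractor
rules:
  # Read and update BaseModel / ClusterBaseModel. No create or delete verbs:
  # the extractor only annotates models it did not create.
  - apiGroups: ["ome.io"]
    resources: ["basemodels", "clusterbasemodels"]
    verbs: ["get", "list", "watch", "update", "patch"]
  # Assumption: extracted metadata is written to .status, which is a separate
  # subresource and needs its own rule. Drop this rule if only .spec is patched.
  - apiGroups: ["ome.io"]
    resources: ["basemodels/status", "clusterbasemodels/status"]
    verbs: ["update", "patch"]
  # Read-only on PVCs: enough to confirm the claim exists, nothing more.
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list"]
  # Events for the audit trail (core and events.k8s.io groups).
  - apiGroups: ["", "events.k8s.io"]
    resources: ["events"]
    verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ome-model-metadata-extractor
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ome-model-metadata-extractor
subjects:
  - kind: ServiceAccount
    name: ome-model-metadata-extractor
    namespace: ome-system
```

A ClusterRoleBinding is unavoidable for ClusterBaseModel, which is cluster-scoped, but it also grants the BaseModel and PVC rules in every namespace. If namespaced BaseModels are only ever reconciled in ome-system, bind the same ClusterRole with a namespaced RoleBinding for those resources and keep the ClusterRoleBinding limited to a ClusterRole that names only clusterbasemodels; that keeps the binding aligned with the "no cross-namespace access" item under Security Considerations.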
Update Controller RBAC
Update config/rbac/role.yaml to add permissions for:
- Creating and managing Kubernetes Jobs
- Reading PVCs to verify storage
- Watching job status changes
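The rules to append to the controller's existing role for the three bullets above, as an added example (not the project's actual config/rbac/role.yaml; the controller's existing rules for its own CRDs are omitted here).

```yaml
# Added example: rules to append to the controller's rules: list.
# Everything else in config/rbac/role.yaml is left untouched.
- apiGroups: ["batch"]
  resources: ["jobs"]
  # create/delete for lifecycle, get/list/watch for status changes.
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["batch"]
  resources: ["jobs/status"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["persistentvolumeclaims"]
  # Read-only: the controller verifies the claim exists, it never creates one.
  verbs: ["get", "list", "watch"]
```

The delete verb is what lets the controller clean up finished jobs; if the Job spec sets ttlSecondsAfterFinished instead, the TTL controller does the cleanup and delete can be left out of the controller's role.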
Example Manifests
Example PVC with Model
Create examples/pvc-storage/model-pvc.yaml:
- PersistentVolumeClaim for storing model files
- Appropriate access modes (RWX for shared models, RWO for single-node)
- Sufficient storage capacity for model files
- Optional job example showing how to populate the PVC
Example BaseModel with PVC Storage
Create examples/pvc-storage/basemodel-pvc.yaml:
- BaseModel using the pvc:// storage URI format
- Shows both auto-populated and manual metadata options
- Includes proper model format specification
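An added example covering the model-pvc.yaml and basemodel-pvc.yaml files described above (not the project's own examples). The storage class name, PVC name, model name and sizes are constructed placeholders. The BaseModel field names (storage.storageUri, modelFormat, modelType, modelArchitecture, modelParameterSize) and the pvc://<claim-name>/<path> URI shape are assumptions about the CRD schema and must be checked against the project's API types.

```yaml
# Added example for examples/pvc-storage/; values are constructed placeholders.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: llama-weights
  namespace: ome-system
spec:
  accessModes:
    - ReadWriteMany        # RWX: several serving pods read the same weights
                           # use ReadWriteOnce when only one node will mount it
  resources:
    requests:
      storage: 50Gi        # size for the model files plus headroom
  storageClassName: nfs-shared   # placeholder: any RWX-capable class
---
# Option 1: metadata auto-populated by the extraction job.
# Assumption: storageUri is pvc://<claim-name>/<path inside the claim>.
apiVersion: ome.io/v1beta1
kind: BaseModel
metadata:
  name: llama-3-8b-pvc
  namespace: ome-system
spec:
  storage:
    storageUri: pvc://llama-weights/models/llama-3-8b
  modelFormat:
    name: safetensors
  # modelType / modelArchitecture / modelParameterSize left unset on purpose:
  # the extractor job fills them in from the files on the claim.
---
# Option 2: metadata supplied manually; no extraction job is needed.
# Field names below are assumed, not confirmed from the CRD.
apiVersion: ome.io/v1beta1
kind: BaseModel
metadata:
  name: llama-3-8b-pvc-manual
  namespace: ome-system
spec:
  storage:
    storageUri: pvc://llama-weights/models/llama-3-8b
  modelFormat:
    name: safetensors
  modelType: llama
  modelArchitecture: LlamaForCausalLM
  modelParameterSize: "8B"
```

Both BaseModels point at the same claim; the PVC must be in the same namespace as the BaseModel, since a pod can only mount claims from its own namespace.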
Example InferenceService using PVC Model
Create examples/pvc-storage/inferenceservice-pvc.yaml:
- InferenceService referencing a PVC-based BaseModel
- Appropriate runtime configuration
- Resource requirements for model serving
Example ClusterBaseModel with PVC
Create examples/pvc-storage/clusterbasemodel-pvc.yaml:
- ClusterBaseModel using PVC in cluster namespace
- Note about namespace requirements
- Shared model configuration
Kustomization Updates
Update config/rbac/kustomization.yaml to include:
- New ServiceAccount resource
- Metadata extractor role and binding
- Ensure proper resource ordering
Test Scenarios
- RBAC Validation:
  - Metadata extractor can read BaseModel/ClusterBaseModel
  - Metadata extractor can update BaseModel/ClusterBaseModel
  - Metadata extractor cannot delete resources
  - Controller can create/manage jobs
- Example Validation:
  - Examples deploy successfully
  - PVC gets mounted correctly
  - Metadata extraction works
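The RBAC validation scenarios above can be checked without running a job, by asking the API server directly with SubjectAccessReview objects. This is an added example, not part of the original task; it assumes the ome.io API group and the controller ServiceAccount name ome-controller-manager (placeholder).

```yaml
# Added example: RBAC validation via SubjectAccessReview.
# Apply with: kubectl create -f rbac-checks.yaml -o yaml
# and read status.allowed on each returned object.
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
  # Scenario: extractor can update BaseModel
  user: system:serviceaccount:ome-system:ome-model-metadata-extractor
  groups: ["system:serviceaccounts", "system:serviceaccounts:ome-system"]
  resourceAttributes:
    group: ome.io
    resource: basemodels
    namespace: ome-system
    verb: update
---
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
  # Scenario: extractor can read ClusterBaseModel (cluster-scoped, no namespace)
  user: system:serviceaccount:ome-system:ome-model-metadata-extractor
  groups: ["system:serviceaccounts", "system:serviceaccounts:ome-system"]
  resourceAttributes:
    group: ome.io
    resource: clusterbasemodels
    verb: get
---
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
  # Scenario: extractor cannot delete resources
  user: system:serviceaccount:ome-system:ome-model-metadata-extractor
  groups: ["system:serviceaccounts", "system:serviceaccounts:ome-system"]
  resourceAttributes:
    group: ome.io
    resource: basemodels
    namespace: ome-system
    verb: delete
---
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
  # Scenario: controller can create jobs (SA name is a placeholder)
  user: system:serviceaccount:ome-system:ome-controller-manager
  groups: ["system:serviceaccounts", "system:serviceaccounts:ome-system"]
  resourceAttributes:
    group: batch
    resource: jobs
    namespace: ome-system
    verb: create
```

The same questions can be asked one at a time with kubectl auth can-i, for example `kubectl auth can-i delete basemodels.ome.io -n ome-system --as=system:serviceaccount:ome-system:ome-model-metadata-extractor`; the SubjectAccessReview file is easier to keep in CI alongside the manifests, and a review that comes back allowed for the delete case is the regression the "cannot delete" scenario exists to catch.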
Acceptance Criteria
- [ ] ServiceAccount created for metadata extractor
- [ ] RBAC permissions are minimal but sufficient
- [ ] Controller can create and manage jobs
- [ ] Example manifests are clear and working
- [ ] Documentation includes usage instructions
- [ ] Kustomization files updated
Security Considerations
- Metadata extractor has minimal permissions
- Read-only access to PVCs
- No cross-namespace access
- Jobs run with non-root user (configure in container)
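A Job pod template that meets the four points above, as an added example (not the project's own Job spec). The image, command arguments, mount path and claim name are placeholders; the UID 65532 is the conventional nonroot user in distroless images and should match whatever the extractor image actually ships.

```yaml
# Added example: hardened pod template for the metadata extraction Job.
apiVersion: batch/v1
kind: Job
metadata:
  name: extract-llama-3-8b
  namespace: ome-system
spec:
  ttlSecondsAfterFinished: 3600   # finished jobs are garbage-collected
  backoffLimit: 2
  template:
    spec:
      serviceAccountName: ome-model-metadata-extractor   # minimal role only
      restartPolicy: Never
      securityContext:
        runAsNonRoot: true          # kubelet refuses to start a root image
        runAsUser: 65532            # placeholder: match the image's user
        runAsGroup: 65532
        fsGroup: 65532              # lets a non-root uid read files on the claim
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: extractor
          image: ghcr.io/example/ome-metadata-extractor:placeholder
          args:                     # placeholder arguments
            - --model-path=/models/llama-3-8b
            - --basemodel=llama-3-8b-pvc
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: model
              mountPath: /models
              readOnly: true        # read-only at the mount
          resources:
            requests: {cpu: 250m, memory: 512Mi}
            limits: {cpu: "1", memory: 2Gi}
      volumes:
        - name: model
          persistentVolumeClaim:
            claimName: llama-weights
            readOnly: true          # and read-only at the volume
```

readOnly is set on both the volume and the mount: the volume flag asks the storage driver for a read-only attachment, the mount flag enforces it inside the container, and setting only one leaves the other path open. With a ReadWriteOnce claim the job must be scheduled on the node that already holds the volume, so an RWO PVC is only practical when the same node serves the model.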
Dependencies
- All previous tasks (for testing the complete flow)
Estimated Effort
2-3 hours