Merge pull request #1245 from NVIDIA/rbac-improvements

RBAC improvements
NVIDIA · Jan 31, 2025 · 423734e · 423734e
2 parents 93f0ca3 + 623aab6
commit 423734e
Show file tree

Hide file tree

Showing 18 changed files with 118 additions and 86 deletions.
diff --git a/assets/state-driver/0210_clusterrole.yaml b/assets/state-driver/0210_clusterrole.yaml
@@ -24,14 +24,15 @@ rules:
   - ""
   resources:
   - pods
-  - pods/eviction
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods/eviction
+  verbs:
+  - create
 - apiGroups:
   - apps
   resources:

diff --git a/bundle/manifests/gpu-operator-certified.clusterserviceversion.yaml b/bundle/manifests/gpu-operator-certified.clusterserviceversion.yaml
@@ -660,7 +660,6 @@ spec:
           verbs:
           - get
           - list
-          - create
           - watch
           - update
           - patch
@@ -678,8 +677,6 @@ spec:
           - ""
           resources:
           - events
-          - pods
-          - pods/eviction
           verbs:
           - create
           - get
@@ -688,6 +685,20 @@ spec:
           - update
           - patch
           - delete
+        - apiGroups:
+          - ""
+          resources:
+          - pods
+          verbs:
+          - get
+          - list
+          - watch
+        - apiGroups:
+          - ""
+          resources:
+          - pods/eviction
+          verbs:
+          - create
         - apiGroups:
           - apps
           resources:

diff --git a/deployments/gpu-operator/templates/clusterrole.yaml b/deployments/gpu-operator/templates/clusterrole.yaml
@@ -66,24 +66,33 @@ rules:
   verbs:
   - get
   - list
-  - create
   - watch
   - update
   - patch
 - apiGroups:
   - ""
   resources:
   - events
-  - pods
-  - pods/eviction
   verbs:
   - create
   - get
   - list
   - watch
-  - update
-  - patch
   - delete
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/eviction
+  verbs:
+  - create
 - apiGroups:
   - apps
   resources:

diff --git a/deployments/gpu-operator/templates/clusterrolebinding.yaml b/deployments/gpu-operator/templates/clusterrolebinding.yaml
@@ -9,9 +9,6 @@ subjects:
 - kind: ServiceAccount
   name: gpu-operator
   namespace: {{ $.Release.Namespace }}
-- kind: ServiceAccount
-  name: node-feature-discovery
-  namespace: {{ $.Release.Namespace }}
 roleRef:
   kind: ClusterRole
   name: gpu-operator

diff --git a/internal/state/testdata/golden/driver-additional-configs.yaml b/internal/state/testdata/golden/driver-additional-configs.yaml
@@ -45,14 +45,15 @@ rules:
   - ""
   resources:
   - pods
-  - pods/eviction
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods/eviction
+  verbs:
+  - create
 - apiGroups:
   - apps
   resources:

diff --git a/internal/state/testdata/golden/driver-full-spec.yaml b/internal/state/testdata/golden/driver-full-spec.yaml
@@ -45,14 +45,15 @@ rules:
   - ""
   resources:
   - pods
-  - pods/eviction
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods/eviction
+  verbs:
+  - create
 - apiGroups:
   - apps
   resources:

diff --git a/internal/state/testdata/golden/driver-gdrcopy-openshift.yaml b/internal/state/testdata/golden/driver-gdrcopy-openshift.yaml
@@ -45,14 +45,15 @@ rules:
   - ""
   resources:
   - pods
-  - pods/eviction
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods/eviction
+  verbs:
+  - create
 - apiGroups:
   - apps
   resources:

diff --git a/internal/state/testdata/golden/driver-gdrcopy.yaml b/internal/state/testdata/golden/driver-gdrcopy.yaml
@@ -45,14 +45,15 @@ rules:
   - ""
   resources:
   - pods
-  - pods/eviction
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods/eviction
+  verbs:
+  - create
 - apiGroups:
   - apps
   resources:

diff --git a/internal/state/testdata/golden/driver-gds.yaml b/internal/state/testdata/golden/driver-gds.yaml
@@ -45,14 +45,15 @@ rules:
   - ""
   resources:
   - pods
-  - pods/eviction
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods/eviction
+  verbs:
+  - create
 - apiGroups:
   - apps
   resources:

diff --git a/internal/state/testdata/golden/driver-minimal.yaml b/internal/state/testdata/golden/driver-minimal.yaml
@@ -45,14 +45,15 @@ rules:
   - ""
   resources:
   - pods
-  - pods/eviction
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods/eviction
+  verbs:
+  - create
 - apiGroups:
   - apps
   resources:

diff --git a/internal/state/testdata/golden/driver-openshift-drivertoolkit.yaml b/internal/state/testdata/golden/driver-openshift-drivertoolkit.yaml
@@ -45,14 +45,15 @@ rules:
   - ""
   resources:
   - pods
-  - pods/eviction
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods/eviction
+  verbs:
+  - create
 - apiGroups:
   - apps
   resources:

diff --git a/internal/state/testdata/golden/driver-precompiled.yaml b/internal/state/testdata/golden/driver-precompiled.yaml
@@ -45,14 +45,15 @@ rules:
   - ""
   resources:
   - pods
-  - pods/eviction
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods/eviction
+  verbs:
+  - create
 - apiGroups:
   - apps
   resources:

diff --git a/internal/state/testdata/golden/driver-rdma-hostmofed.yaml b/internal/state/testdata/golden/driver-rdma-hostmofed.yaml
@@ -45,14 +45,15 @@ rules:
   - ""
   resources:
   - pods
-  - pods/eviction
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods/eviction
+  verbs:
+  - create
 - apiGroups:
   - apps
   resources:

diff --git a/internal/state/testdata/golden/driver-rdma.yaml b/internal/state/testdata/golden/driver-rdma.yaml
@@ -45,14 +45,15 @@ rules:
   - ""
   resources:
   - pods
-  - pods/eviction
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods/eviction
+  verbs:
+  - create
 - apiGroups:
   - apps
   resources:

diff --git a/internal/state/testdata/golden/driver-vgpu-host-manager-openshift.yaml b/internal/state/testdata/golden/driver-vgpu-host-manager-openshift.yaml
@@ -45,14 +45,15 @@ rules:
   - ""
   resources:
   - pods
-  - pods/eviction
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods/eviction
+  verbs:
+  - create
 - apiGroups:
   - apps
   resources:

diff --git a/internal/state/testdata/golden/driver-vgpu-host-manager.yaml b/internal/state/testdata/golden/driver-vgpu-host-manager.yaml
@@ -45,14 +45,15 @@ rules:
   - ""
   resources:
   - pods
-  - pods/eviction
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods/eviction
+  verbs:
+  - create
 - apiGroups:
   - apps
   resources:

diff --git a/internal/state/testdata/golden/driver-vgpu-licensing.yaml b/internal/state/testdata/golden/driver-vgpu-licensing.yaml
@@ -45,14 +45,15 @@ rules:
   - ""
   resources:
   - pods
-  - pods/eviction
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods/eviction
+  verbs:
+  - create
 - apiGroups:
   - apps
   resources: