
Commit 592b649

authored
Create role and rolebinding for controller/webhook in every spark job namespace if not watching all namespaces (#2129)
watching all namespaces Signed-off-by: Yi Chen <[email protected]>
1 parent 62b4ca6 commit 592b649


8 files changed

+546
-149
lines changed


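--- a/charts/spark-operator-chart/templates/controller/_helpers.tpl
+++ b/charts/spark-operator-chart/templates/controller/_helpers.tpl
@@ -48,6 +48,34 @@ Create the name of the service account to be used by the controller
 {{- end -}}
 {{- end -}}
 
+{{/*
+Create the name of the cluster role to be used by the controller
+*/}}
+{{- define "spark-operator.controller.clusterRoleName" -}}
+{{ include "spark-operator.controller.name" . }}
+{{- end }}
+
+{{/*
+Create the name of the cluster role binding to be used by the controller
+*/}}
+{{- define "spark-operator.controller.clusterRoleBindingName" -}}
+{{ include "spark-operator.controller.clusterRoleName" . }}
+{{- end }}
+
+{{/*
+Create the name of the role to be used by the controller
+*/}}
+{{- define "spark-operator.controller.roleName" -}}
+{{ include "spark-operator.controller.name" . }}
+{{- end }}
+
+{{/*
+Create the name of the role binding to be used by the controller
+*/}}
+{{- define "spark-operator.controller.roleBindingName" -}}
+{{ include "spark-operator.controller.roleName" . }}
+{{- end }}
+
 {{/*
 Create the name of the deployment to be used by controller
 */}}
@@ -68,3 +96,88 @@ Create the name of the pod disruption budget to be used by controller
 {{- define "spark-operator.controller.podDisruptionBudgetName" -}}
 {{ include "spark-operator.controller.name" . }}-pdb
 {{- end -}}
+
+{{/*
+Create the role policy rules for the controller in every Spark job namespace
+*/}}
+{{- define "spark-operator.controller.policyRules" -}}
+- apiGroups:
+- ""
+resources:
+- pods
+verbs:
+- get
+- list
+- watch
+- create
+- update
+- patch
+- delete
+- deletecollection
+- apiGroups:
+- ""
+resources:
+- configmaps
+verbs:
+- get
+- create
+- update
+- patch
+- delete
+- apiGroups:
+- ""
+resources:
+- services
+verbs:
+- get
+- list
+- watch
+- create
+- update
+- patch
+- delete
+- apiGroups:
+- extensions
+- networking.k8s.io
+resources:
+- ingresses
+verbs:
+- get
+- create
+- delete
+- apiGroups:
+- sparkoperator.k8s.io
+resources:
+- sparkapplications
+- scheduledsparkapplications
+verbs:
+- get
+- list
+- watch
+- create
+- update
+- patch
+- delete
+- apiGroups:
+- sparkoperator.k8s.io
+resources:
+- sparkapplications/status
+- sparkapplications/finalizers
+- scheduledsparkapplications/status
+- scheduledsparkapplications/finalizers
+verbs:
+- get
+- update
+- patch
+{{- if .Values.controller.batchScheduler.enable }}
+{{/* required for the `volcano` batch scheduler */}}
+- apiGroups:
+- scheduling.incubator.k8s.io
+- scheduling.sigs.dev
+- scheduling.volcano.sh
+resources:
+- podgroups
+verbs:
+- "*"
+{{- end }}
+{{- end -}}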
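Review bot: The new policyRules helper does not carry over the `scheduling.x-k8s.io` podgroups rule (get/list/watch/create/update/delete) that the ClusterRole in rbac.yaml held under the same batchScheduler.enable guard before this commit, so once the ClusterRole and the per-namespace Roles delegate to this helper that permission is gone unless it moved to one of the five files not shown here. If the drop is unintended, the rule belongs inside the `{{- if .Values.controller.batchScheduler.enable }}` block at new lines 172–182, next to the volcano rule it used to sit beside. The volcano rule itself keeps `verbs: - "*"`, which grants every verb on podgroups; the scheduling.x-k8s.io rule shows an enumerated verb list is workable, and listing the verbs explicitly would keep it in line with the other rules and with least privilege. Merging the status and finalizers subresources into one rule at new lines 161–171 also widens finalizers from `update` alone to get/update/patch, which is worth a mention in the commit description.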

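--- a/charts/spark-operator-chart/templates/controller/rbac.yaml
+++ b/charts/spark-operator-chart/templates/controller/rbac.yaml
@@ -18,58 +18,15 @@ limitations under the License.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-name: {{ include "spark-operator.controller.name" . }}
+name: {{ include "spark-operator.controller.clusterRoleName" . }}
+namespace: {{ .Release.Namespace }}
 labels:
 {{- include "spark-operator.controller.labels" . | nindent 4 }}
 {{- with .Values.controller.rbac.annotations }}
 annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 rules:
-- apiGroups:
-- ""
-resources:
-- pods
-verbs:
-- get
-- list
-- watch
-- create
-- update
-- patch
-- delete
-- deletecollection
-- apiGroups:
-- ""
-resources:
-- configmaps
-verbs:
-- get
-- create
-- update
-- patch
-- delete
-- apiGroups:
-- ""
-resources:
-- services
-verbs:
-- get
-- list
-- watch
-- create
-- update
-- patch
-- delete
-- apiGroups:
-- extensions
-- networking.k8s.io
-resources:
-- ingresses
-verbs:
-- get
-- create
-- delete
 - apiGroups:
 - ""
 resources:
@@ -90,63 +47,16 @@ rules:
 - customresourcedefinitions
 verbs:
 - get
-- apiGroups:
-- sparkoperator.k8s.io
-resources:
-- sparkapplications
-- scheduledsparkapplications
-verbs:
-- get
-- list
-- watch
-- create
-- update
-- patch
-- delete
-- apiGroups:
-- sparkoperator.k8s.io
-resources:
-- sparkapplications/status
-- scheduledsparkapplications/status
-verbs:
-- get
-- update
-- patch
-- apiGroups:
-- sparkoperator.k8s.io
-resources:
-- sparkapplications/finalizers
-- scheduledsparkapplications/finalizers
-verbs:
-- update
-{{- if .Values.controller.batchScheduler.enable }}
-{{/* required for the `volcano` batch scheduler */}}
-- apiGroups:
-- scheduling.incubator.k8s.io
-- scheduling.sigs.dev
-- scheduling.volcano.sh
-resources:
-- podgroups
-verbs:
-- "*"
-- apiGroups:
-- scheduling.x-k8s.io
-resources:
-- podgroups
-verbs:
-- get
-- list
-- watch
-- create
-- update
-- delete
+{{- if not .Values.spark.jobNamespaces | or (has "" .Values.spark.jobNamespaces) }}
+{{ include "spark-operator.controller.policyRules" . }}
 {{- end }}
 ---
 
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-name: {{ include "spark-operator.controller.name" . }}
+name: {{ include "spark-operator.controller.clusterRoleBindingName" . }}
+namespace: {{ .Release.Namespace }}
 labels:
 {{- include "spark-operator.controller.labels" . | nindent 4 }}
 {{- with .Values.controller.rbac.annotations }}
@@ -160,13 +70,14 @@ subjects:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
-name: {{ include "spark-operator.controller.name" . }}
-
+name: {{ include "spark-operator.controller.clusterRoleName" . }}
 ---
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-name: {{ include "spark-operator.controller.name" . }}
+name: {{ include "spark-operator.controller.roleName" . }}
+namespace: {{ .Release.Namespace }}
 labels:
 {{- include "spark-operator.controller.labels" . | nindent 4 }}
 {{- with .Values.controller.rbac.annotations }}
@@ -189,12 +100,16 @@ rules:
 verbs:
 - get
 - update
-
+{{- if has .Release.Namespace .Values.spark.jobNamespaces }}
+{{ include "spark-operator.controller.policyRules" . }}
+{{- end }}
 ---
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-name: {{ include "spark-operator.controller.name" . }}
+name: {{ include "spark-operator.controller.roleBindingName" . }}
+namespace: {{ .Release.Namespace }}
 labels:
 {{- include "spark-operator.controller.labels" . | nindent 4 }}
 {{- with .Values.controller.rbac.annotations }}
@@ -208,5 +123,48 @@ subjects:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
-name: {{ include "spark-operator.controller.name" . }}
+name: {{ include "spark-operator.controller.roleName" . }}
+
+{{- if and .Values.spark.jobNamespaces (not (has "" .Values.spark.jobNamespaces)) }}
+{{- range $jobNamespace := .Values.spark.jobNamespaces }}
+{{- if ne $jobNamespace $.Release.Namespace }}
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: {{ include "spark-operator.controller.roleName" $ }}
+namespace: {{ $jobNamespace }}
+labels:
+{{- include "spark-operator.controller.labels" $ | nindent 4 }}
+{{- with $.Values.controller.rbac.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+rules:
+{{ include "spark-operator.controller.policyRules" $ }}
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: {{ include "spark-operator.controller.roleBindingName" $ }}
+namespace: {{ $jobNamespace }}
+labels:
+{{- include "spark-operator.controller.labels" $ | nindent 4 }}
+{{- with $.Values.controller.rbac.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+subjects:
+- kind: ServiceAccount
+name: {{ include "spark-operator.controller.serviceAccountName" $ }}
+namespace: {{ $.Release.Namespace }}
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: {{ include "spark-operator.controller.roleName" $ }}
+{{- end }}
+{{- end }}
+{{- end }}
 {{- end }}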
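Review bot: `namespace: {{ .Release.Namespace }}` is added to the ClusterRole and ClusterRoleBinding metadata (new lines 22 and 59), but both kinds are cluster-scoped, so the field carries no meaning there and, as far as I know, is discarded by the API server; I would drop those two lines and keep the field only on the Role, RoleBinding and ServiceAccount, where it is correct. The guard at new line 50, `{{- if not .Values.spark.jobNamespaces | or (has "" .Values.spark.jobNamespaces) }}`, expresses a disjunction through pipeline argument passing and reads differently from the `and … (not (has …))` form used at new line 128; the equivalent `{{- if or (not .Values.spark.jobNamespaces) (has "" .Values.spark.jobNamespaces) }}` states the intent directly. The per-namespace Role and RoleBinding rendered by the range at new lines 129–167 presuppose that every entry in `spark.jobNamespaces` already exists as a namespace at install time, and a one-line comment above the range, `{{/* each job namespace must exist before install: a Role and RoleBinding are rendered into it */}}`, would record that assumption for operators. The closing `{{- end }}` at new line 170 belongs to a conditional that starts outside this section.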

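--- a/charts/spark-operator-chart/templates/controller/serviceaccount.yaml
+++ b/charts/spark-operator-chart/templates/controller/serviceaccount.yaml
@@ -19,6 +19,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ include "spark-operator.controller.serviceAccountName" . }}
+namespace: {{ .Release.Namespace }}
 labels:
 {{- include "spark-operator.controller.labels" . | nindent 4 }}
 {{- with .Values.controller.serviceAccount.annotations }}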
