feat(backend): Less insane/insecure rbac rules

manifests/v1beta1/components/controller/rbac.yaml

@@ -3,46 +3,62 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: katib-controller
+# Please fix your infrastructure. A lot of workflows fail because of docker rate limits.
+# We only need the verb create and not delete because all things are owned transitively by the
+# experiment, so everything is cascade-deleted on experiment deletion.
+# Early stopping currently creates a serviceaccount, role and rolebinding to manage trials and trails/status.
+# The roles and rolebinding creation is the most important potential security issue now.
+# Via new roles, rolebindings and pods in kubernetes system namespaces the cluster 
+# could become compromised if katib-controller is compromised.
 rules:
   - apiGroups:
       - ""
-    resources:
-      - configmaps
-      - serviceaccounts
-      - services
-      - events
-      - namespaces
-      - persistentvolumes
-      - persistentvolumeclaims
-      - pods
-      - pods/log
-      - pods/status
-      - secrets
-    verbs:
-      - "*"
-  - apiGroups:
       - apps
+      - rbac.authorization.k8s.io
     resources:
-      - deployments
+      - services # suggestion-api and earlystopping-api
+      - events # katib cries is you remove it for unknown reasons
+      - persistentvolumeclaims # maybe katib creates volumes, i am not sure
+      - deployments # the main deployment that serves suggestion-api and earlystopping-api
+      - pods # maybe to tfjobs etc. I  am not sure
+      - pods/log # maybe to tfjobs etc. I  am not sure
+      - pods/status # maybe to tfjobs etc. I  am not sure
+      - jobs # trials are executed via jobs
+      - cronjobs # i do not know why it is there. maybe you can delay trials
+      - serviceaccounts # earlystopping
+      - roles # earlystopping
+      - rolebindings # earlystopping
     verbs:
-      - "*"
+      - get
+      - list
+      - watch
+      - patch
+      - create
   - apiGroups:
-      - rbac.authorization.k8s.io
+      - batch
     resources:
-      - roles
-      - rolebindings
+      - jobs # trials are executed via jobs
+      - cronjobs # i do not know why it is there. maybe you can delay trials
     verbs:
-      - "*"
+      - get
+      - list
+      - watch
+      - patch
+      - create
+      - delete # this is essential
   - apiGroups:
-      - batch
+      - ""
     resources:
-      - jobs
-      - cronjobs
+      - configmaps # i do not have a clue
+      - persistentvolumes # i do not have a clue
+      - namespaces 
     verbs:
-      - "*"
+      - get
+      - list
+      - watch
   - apiGroups:
       - kubeflow.org
-    resources:
+    resources: # everything here is obvious
       - experiments
       - experiments/status
       - experiments/finalizers

manifests/v1beta1/components/ui/rbac.yaml

@@ -10,7 +10,9 @@ rules:
       - configmaps
       - namespaces
     verbs:
-      - "*"
+      - get
+      - list
+      - watch
   - apiGroups:
       - kubeflow.org
     resources: