diff --git a/examples/v1beta1/argo/README.md b/examples/v1beta1/argo/README.md index d463a5286c0..2e9d475111e 100644 --- a/examples/v1beta1/argo/README.md +++ b/examples/v1beta1/argo/README.md @@ -65,14 +65,18 @@ with the appropriate permission: resources: - workflows verbs: - - "*" + - "get" + - "list" + - "watch" + - "create" + - "delete" ``` Run the following command to update Katib ClusterRole: ```bash kubectl patch ClusterRole katib-controller -n kubeflow --type=json \ - -p='[{"op": "add", "path": "/rules/-", "value": {"apiGroups":["argoproj.io"],"resources":["workflows"],"verbs":["*"]}}]' + -p='[{"op": "add", "path": "/rules/-", "value": {"apiGroups":["argoproj.io"],"resources":["workflows"],"verbs":["get", "list", "watch", "create", "delete"]}}]' ``` In addition to that, you have to modify Katib diff --git a/examples/v1beta1/tekton/README.md b/examples/v1beta1/tekton/README.md index 6d368729b1a..8d5833a2271 100644 --- a/examples/v1beta1/tekton/README.md +++ b/examples/v1beta1/tekton/README.md @@ -70,14 +70,18 @@ with the appropriate permission: - pipelineruns - taskruns verbs: - - "*" + - "get" + - "list" + - "watch" + - "create" + - "delete" ``` Run the following command to update Katib ClusterRole: ```bash kubectl patch ClusterRole katib-controller -n kubeflow --type=json \ - -p='[{"op": "add", "path": "/rules/-", "value": {"apiGroups":["tekton.dev"],"resources":["pipelineruns", "taskruns"],"verbs":["*"]}}]' + -p='[{"op": "add", "path": "/rules/-", "value": {"apiGroups":["tekton.dev"],"resources":["pipelineruns", "taskruns"],"verbs":["get", "list", "watch", "create", "delete"]}}]' ``` In addition to that, you have to modify Katib diff --git a/manifests/v1beta1/components/controller/rbac.yaml b/manifests/v1beta1/components/controller/rbac.yaml index f6adc65b171..68db66b5589 100644 --- a/manifests/v1beta1/components/controller/rbac.yaml +++ b/manifests/v1beta1/components/controller/rbac.yaml @@ -7,39 +7,93 @@ rules: - apiGroups: - "" resources: - - configmaps - - serviceaccounts - services + verbs: + - "get" + - "list" + - "watch" + - "create" + - "delete" + - apiGroups: + - "" + resources: - events - - namespaces + verbs: + - "create" + - "patch" + - "update" + - apiGroups: + - "" + resources: + - serviceaccounts - persistentvolumes - persistentvolumeclaims + verbs: + - "get" + - "list" + - "watch" + - "create" + - apiGroups: + - "" + resources: + - namespaces + - configmaps + verbs: + - "get" + - "list" + - "watch" + - apiGroups: + - "" + resources: - pods - - pods/log - pods/status - - secrets verbs: - - "*" + - "get" - apiGroups: - apps resources: - deployments verbs: - - "*" + - "get" + - "list" + - "watch" + - "create" + - "delete" - apiGroups: - rbac.authorization.k8s.io resources: - roles - rolebindings verbs: - - "*" + - "get" + - "create" + - "list" + - "watch" - apiGroups: - batch resources: - jobs - cronjobs verbs: - - "*" + - "get" + - "list" + - "watch" + - "create" + - "delete" + - apiGroups: + - kubeflow.org + resources: + - tfjobs + - pytorchjobs + - mpijobs + - xgboostjobs + - mxjobs + verbs: + - "get" + - "list" + - "watch" + - "create" + - "delete" - apiGroups: - kubeflow.org resources: @@ -52,11 +106,6 @@ rules: - suggestions - suggestions/status - suggestions/finalizers - - tfjobs - - pytorchjobs - - mpijobs - - xgboostjobs - - mxjobs verbs: - "*" ---