Add RBAC for the flowcontrol.apiserver.k8s.io (kubernetes#1431)

* Add RBAC for the flowcontrol.apiserver.k8s.io Signed-off-by: tenzen-y <yuki.iwai.tz@gmail.com> * Update Helm manifests Signed-off-by: tenzen-y <yuki.iwai.tz@gmail.com> --------- Signed-off-by: tenzen-y <yuki.iwai.tz@gmail.com>
yaroslava-serdiuk · Dec 11, 2023 · 53d4b65 · 53d4b65
1 parent 7f6ff7e
commit 53d4b65
Show file tree

Hide file tree

Showing 5 changed files with 48 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -111,7 +111,7 @@ manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and Cust
 	$(CONTROLLER_GEN) \
 		rbac:roleName=manager-role output:rbac:artifacts:config=config/components/rbac\
 		webhook output:webhook:artifacts:config=config/components/webhook\
-		paths="./pkg/controller/...;./pkg/webhooks/...;./pkg/util/cert/..."
+		paths="./pkg/controller/...;./pkg/webhooks/...;./pkg/util/cert/...;./pkg/visibility/..."
 
 .PHONY: update-helm
 update-helm: manifests yq

diff --git a/apis/visibility/v1alpha1/openapi/doc.go b/apis/visibility/v1alpha1/openapi/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// To avoid the following error from controller-gen, we need to have this file.
+// "-: build constraints exclude all Go files in /home/prow/go/src/sigs.k8s.io/kueue/apis/visibility/v1alpha1/openapi"
+
+package openapi
diff --git a/charts/kueue/templates/rbac/role.yaml b/charts/kueue/templates/rbac/role.yaml
@@ -127,6 +127,18 @@ rules:
     verbs:
       - get
       - update
+  - apiGroups:
+      - flowcontrol.apiserver.k8s.io
+    resources:
+      - flowschemas
+    verbs:
+      - list
+  - apiGroups:
+      - flowcontrol.apiserver.k8s.io
+    resources:
+      - prioritylevelconfigurations
+    verbs:
+      - list
   - apiGroups:
       - jobset.x-k8s.io
     resources:

diff --git a/config/components/rbac/role.yaml b/config/components/rbac/role.yaml
@@ -128,6 +128,18 @@ rules:
   verbs:
   - get
   - update
+- apiGroups:
+  - flowcontrol.apiserver.k8s.io
+  resources:
+  - flowschemas
+  verbs:
+  - list
+- apiGroups:
+  - flowcontrol.apiserver.k8s.io
+  resources:
+  - prioritylevelconfigurations
+  verbs:
+  - list
 - apiGroups:
   - jobset.x-k8s.io
   resources:

diff --git a/pkg/visibility/server.go b/pkg/visibility/server.go
@@ -41,6 +41,9 @@ type server struct {
 	*genericapiserver.GenericAPIServer
 }
 
+// +kubebuilder:rbac:groups=flowcontrol.apiserver.k8s.io,resources=prioritylevelconfigurations,verbs=list
+// +kubebuilder:rbac:groups=flowcontrol.apiserver.k8s.io,resources=flowschemas,verbs=list
+
 // CreateAndStartVisibilityServer creates visibility server injecting KueueManager and starts it
 func CreateAndStartVisibilityServer(kueueMgr *queue.Manager, ctx context.Context) {
 	config := newVisibilityServerConfig()