-
Notifications
You must be signed in to change notification settings - Fork 153
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP] [RHOAIENG-11010] Use a more secure role for KServe InferenceService access #3198
base: main
Are you sure you want to change the base?
Conversation
…r KServe Signed-off-by: Mike Turley <[email protected]>
Signed-off-by: Mike Turley <[email protected]>
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: Mike Turley <[email protected]>
Signed-off-by: gitdallas <[email protected]>
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3198 +/- ##
==========================================
+ Coverage 85.26% 85.33% +0.06%
==========================================
Files 1258 1271 +13
Lines 27689 27925 +236
Branches 7372 7428 +56
==========================================
+ Hits 23609 23829 +220
- Misses 4080 4096 +16
... and 50 files with indirect coverage changes Continue to review full report in Codecov by Sentry.
|
}, | ||
rules: [ | ||
{ | ||
verbs: ['get'], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To add this role we need to add to the serviceaccount cluster role the following capability:
- apiGroups:
- serving.kserve.io
resources:
- inferenceservices
verbs:
- get
- list
- watch
Resolves https://issues.redhat.com/browse/RHOAIENG-11010
Description
See comments on Jira issue for implementation details. When setting up token auth for KServe models, instead of giving their ServiceAccounts a binding to the ClusterRole "view", we create a new role for them to get only InferenceServices in their own namespace. This PR also adds logic to replace the old rolebindings on users' clusters with the replaced more secure ones.
How Has This Been Tested?
WIP - need to test on a cluster, opening the PR to get an image
Test Impact
setUpTokenAuth
to account for creating / not creating the new roleRequest review criteria:
Self checklist (all need to be checked):
If you have UI changes:
After the PR is posted & before it merges:
main