From 2c451dd45345a1ea056bc35eb2b0e0edc32386d6 Mon Sep 17 00:00:00 2001
From: DanNiESh
Date: Wed, 3 Sep 2025 15:12:42 -0400
Subject: [PATCH] Update workbench roles

---
 gpu-class/cluster_queue_role.yaml | 8 ----
 gpu-class/clusterrole.yaml | 26 ++++++++++++
 gpu-class/clusterrolebinding.yaml | 41 ++++++++++++++++++
 gpu-class/gpu-class-setup.sh | 51 ++++++++++-------------
 gpu-class/notebook_resource.yaml | 4 +-
 gpu-class/{rb.yaml => rbac_template.yaml} | 14 -------
 6 files changed, 90 insertions(+), 54 deletions(-)
 delete mode 100644 gpu-class/cluster_queue_role.yaml
 create mode 100644 gpu-class/clusterrole.yaml
 create mode 100644 gpu-class/clusterrolebinding.yaml
 rename gpu-class/{rb.yaml => rbac_template.yaml} (89%)

diff --git a/gpu-class/cluster_queue_role.yaml b/gpu-class/cluster_queue_role.yaml
deleted file mode 100644
index 9990cce..0000000
--- a/gpu-class/cluster_queue_role.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: kueue-clusterqueue-reader
-rules:
-  - apiGroups: ["kueue.x-k8s.io"]
-    resources: ["clusterqueues"]
-    verbs: ["get", "list", "watch"]
diff --git a/gpu-class/clusterrole.yaml b/gpu-class/clusterrole.yaml
new file mode 100644
index 0000000..fdef5c2
--- /dev/null
+++ b/gpu-class/clusterrole.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kueue-clusterqueue-reader
+rules:
+  - apiGroups: ["kueue.x-k8s.io"]
+    resources: ["clusterqueues"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: node-reader
+rules:
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pod-reader
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list"]
diff --git a/gpu-class/clusterrolebinding.yaml b/gpu-class/clusterrolebinding.yaml
new file mode 100644
index 0000000..3b2b1d0
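Review bot: The new `pod-reader` ClusterRole grants `get`/`list` on `pods` in every namespace, and the companion clusterrolebinding.yaml binds it (together with `node-reader`) to the whole `cs599-pmpp` group, so every student can read the full pod spec of every other tenant on the cluster (container args, env values, volume and secret names) rather than only their own class namespace; if own-namespace visibility is what is needed, a namespaced Role processed per namespace through rbac_template.yaml is the least-privilege shape. The names `pod-reader` and `node-reader` are also generic while the bindings are prefixed `csw-`, and the setup script applies this file with `oc apply --as system:admin`, which would silently overwrite any pre-existing ClusterRole of the same name; prefixing them (`csw-pod-reader`, `csw-node-reader`) or documenting the intent with `# Cluster-wide read for the cs599 workbench group/SAs: pods and nodes are visible across ALL namespaces` above the second document would make the scope explicit. Minor: the first document indents `- apiGroups` under `rules:` and the other two do not; pick one sequence style for the file.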
--- /dev/null
+++ b/gpu-class/clusterrolebinding.yaml
@@ -0,0 +1,41 @@
+# CREATE KUEUE CLUSTER QUEUE READER CLUSTERROLE BINDING
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: csw-kueue-clusterqueue-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kueue-clusterqueue-reader
+subjects:
+- kind: Group
+  name: cs599-pmpp
+  apiGroup: rbac.authorization.k8s.io
+---
+# CREATE POD READER CLUSTERROLE BINDING
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: csw-pod-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: pod-reader
+subjects:
+- kind: Group
+  name: cs599-pmpp
+  apiGroup: rbac.authorization.k8s.io
+---
+# CREATE NODE READER CLUSTERROLE BINDING
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: csw-node-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: node-reader
+subjects:
+- kind: Group
+  name: cs599-pmpp
+  apiGroup: rbac.authorization.k8s.io
diff --git a/gpu-class/gpu-class-setup.sh b/gpu-class/gpu-class-setup.sh
index 098f94f..755b463 100755
--- a/gpu-class/gpu-class-setup.sh
+++ b/gpu-class/gpu-class-setup.sh
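Review bot: All three bindings hard-code the subject group `cs599-pmpp`, while gpu-class-setup.sh derives the class namespaces from `${CLASS_NAME}` and processes its namespaced bindings from rbac_template.yaml with parameters; a future class will need a hand edit of this file, and the old group keeps cluster-wide pod/node read until someone remembers to delete the bindings. Consider making this an OpenShift template with a `GROUP` parameter processed the same way, or at least add above each subject `# Must match the class group used by gpu-class-setup.sh; remove when the class ends`. Note that the setup script later appends notebook service accounts to these same objects via `oc adm policy add-cluster-role-to-user --rolebinding-name=csw-...`, so the `metadata.name` values here and the names in the script have to stay in sync; a comment saying so would save the next maintainer a surprise.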
@@ -11,37 +11,15 @@ run_name="gpu_class_test"
 image_name="csw-dev-f25"
 create_wb() {
-    random_id=$(openssl rand -hex 3)
-
     #set namespace
     namespace=$1
-    username=$(oc -n "$ns" get rolebinding edit -o json \
-        | jq -r '
-            (.subjects // [])
-            | map(.name)
-            | map(select(. != "jappavoo-40bu-2edu"))
-            | map(select(. != "sdanni-40redhat-2com"))
-            | map(select(. != "istaplet"))
-            | .[]
-        ')
-
-    user=$(oc -n "$ns" get rolebinding edit -o json \
-        | jq -r '
-            (.subjects // [])
-            | map(.name
-                | if test("@.*\\..*$")
-                    then sub("@"; "-40") | gsub("\\.";"-2")
-                    else .
-                  end)
-            | map(select(. != "jappavoo-40bu-2edu"))
-            | map(select(. != "sdanni-40redhat-2com"))
-            | map(select(. != "istaplet"))
-            | .[]
-        ')
+    username="jappavoo@bu.edu"
+
+    user="jappavoo-40bu-2edu"
     # give notebook within namespace a name
-    notebook_name=cs599-${user}-wb
+    notebook_name="csw-dev"
     params=(
         -p NOTEBOOK_NAME="$notebook_name"
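Review bot: Replacing the per-namespace rolebinding lookup with the fixed `username="jappavoo@bu.edu"` / `user="jappavoo-40bu-2edu"` and `notebook_name="csw-dev"` hard-codes one person, yet `create_wb` is still called once per `${CLASS_NAME}-` namespace by the loop in the next hunk, so every class namespace would get a workbench named `csw-dev` attributed to that single user instead of the namespace owner; this looks like a local-testing state that should not be committed as-is. If the dynamic lookup is restored, note that the removed code queried `oc -n "$ns"` while the function assigns `namespace=$1`, so it only worked because the loop variable `ns` happened to be in scope; use `"$namespace"` there and fail loudly when the lookup returns nothing. At minimum mark the current state with `# FIXME(review): fixed owner for testing only; restore the per-namespace lookup before class rollout` and avoid committing a personal e-mail address. The body of `create_wb` continues past the end of this hunk.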
@@ -79,22 +57,35 @@ apply_rolebinding() {
         -p SERVICE_ACCOUNT_NB="$notebook_name"
     )
-    oc process -f rb.yaml --local "${rb_params[@]}" | "${create_resource_command[@]}" --as system:admin
+    oc process -f rbac_template.yaml --local "${rb_params[@]}" | "${create_resource_command[@]}" --as system:admin
 }
-apply_clusterq() {
+create_clusterrole_bindings() {
+
+    oc apply -f clusterrole.yaml --as system:admin
+    # oc create will fail if resource exists (safer)
+    oc create -f clusterrolebinding.yaml --as system:admin
+}
+
+add_sa_to_clusterrolebinding() {
+    namespace=$1
+    notebook_name=$2
-    oc apply -f cluster_queue_role.yaml --as system:admin
+    oc adm policy add-cluster-role-to-user pod-reader --rolebinding-name="csw-pod-reader" system:serviceaccount:$namespace:$notebook_name --as system:admin
+    oc adm policy add-cluster-role-to-user node-reader --rolebinding-name="csw-node-reader" system:serviceaccount:$namespace:$notebook_name --as system:admin
+    oc adm policy add-cluster-role-to-user kueue-clusterqueue-reader --rolebinding-name="csw-kueue-clusterqueue-reader" system:serviceaccount:$namespace:$notebook_name --as system:admin
 }
-apply_clusterq
+# create_clusterrole_bindings
 oc get ns | grep "^${CLASS_NAME}-" | awk '{print $1}' | while read ns; do
+    # ns="bu-cs599-pmpp-cuda-71cd48"
     oc project "$ns"
     #create a workbench and save the name of the notebook to apply rolebindings
     nb_name="$(create_wb "$ns")"
     apply_rolebinding "$ns" "$nb_name"
     apply_localqueue "$ns"
+    add_sa_to_clusterrolebinding "$ns" "$nb_name"
 done
diff --git a/gpu-class/notebook_resource.yaml b/gpu-class/notebook_resource.yaml
index 74557d2..8e0f811 100644
--- a/gpu-class/notebook_resource.yaml
+++ b/gpu-class/notebook_resource.yaml
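Review bot: The only call to `create_clusterrole_bindings` is commented out (`# create_clusterrole_bindings`), but `add_sa_to_clusterrolebinding` still runs `oc adm policy add-cluster-role-to-user pod-reader --rolebinding-name="csw-pod-reader" ...` for every notebook service account; on a cluster where clusterrole.yaml was never applied this creates or extends bindings whose `roleRef` points at a ClusterRole that does not exist, which RBAC silently treats as granting nothing, so the notebooks lose pod/node/clusterqueue read and the script reports success. Either restore the call before the loop or guard it with `oc get clusterrole pod-reader node-reader kueue-clusterqueue-reader --as system:admin >/dev/null || { echo "ClusterRoles missing; run create_clusterrole_bindings first" >&2; exit 1; }`. The subject argument should also be quoted, `"system:serviceaccount:$namespace:$notebook_name"`, since `$notebook_name` is whatever `create_wb` printed to stdout. The leftover `# ns="bu-cs599-pmpp-cuda-71cd48"` debugging line inside the loop should be dropped.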
@@ -100,7 +100,7 @@ objects:
             --ServerApp.tornado_settings={"user":"${USER}","hub_host":"${HUB_HOST}","hub_prefix":"projects/${NAMESPACE}"}
           - name: JUPYTER_IMAGE
             value: >-
-              ${IMAGE_REPO}/${IMAGE_NAME}
+              ${IMAGE_REPO}/${IMAGE_NAME}:latest
           ports:
           - containerPort: 8888
             name: notebook-port
@@ -112,7 +112,7 @@ objects:
           - mountPath: /dev/shm
             name: shm
           image: >-
-            ${IMAGE_REPO}/${IMAGE_NAME}
+            ${IMAGE_REPO}/${IMAGE_NAME}:latest
           workingDir: /opt/app-root/src
           - resources:
             limits:
diff --git a/gpu-class/rb.yaml b/gpu-class/rbac_template.yaml
similarity index 89%
rename from gpu-class/rb.yaml
rename to gpu-class/rbac_template.yaml
index cabb081..31a1d18 100644
--- a/gpu-class/rb.yaml
+++ b/gpu-class/rbac_template.yaml
@@ -76,20 +76,6 @@ objects:
       name: ${SERVICE_ACCOUNT_NB}
       namespace: ${NAMESPACE}
-  # CLUSTER QUEUE ROLEBINDING
-  - apiVersion: rbac.authorization.k8s.io/v1
-    kind: ClusterRoleBinding
-    metadata:
-      name: ${SERVICE_ACCOUNT_NB}-kueue-clusterqueue-reader
-    roleRef:
-      apiGroup: rbac.authorization.k8s.io
-      kind: ClusterRole
-      name: kueue-clusterqueue-reader
-    subjects:
-    - kind: ServiceAccount
-      name: ${SERVICE_ACCOUNT_NB}
-      namespace: ${NAMESPACE}
-
  # OC AUTH EXEC (BINDINGS FOR DEFAULT SERVICE ACCOUNT)
  # BIND TO EXISTING EDIT ROLE
  - apiVersion: rbac.authorization.k8s.io/v1
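Review bot: Pinning the workbench image to `${IMAGE_REPO}/${IMAGE_NAME}:latest` (both the `JUPYTER_IMAGE` env value and the container `image:`) makes the image a moving target: `:latest` is a mutable tag, and Kubernetes defaults `imagePullPolicy` to `Always` for it when the policy is not set, so every pod restart may pull whatever was pushed last and the manifest no longer says which image a student actually ran. Prefer an immutable reference, e.g. a template parameter `${IMAGE_REPO}/${IMAGE_NAME}:${IMAGE_TAG}` whose default is a versioned tag, or a digest `${IMAGE_REPO}/${IMAGE_NAME}@sha256:...`, and record the rationale with `# pin to an immutable tag or digest; :latest is re-resolved on every restart`. The template's `parameters:` section is outside this hunk, so I cannot see whether an `IMAGE_TAG` parameter already exists.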