Update workbench roles

gpu-class/clusterrole.yaml

@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kueue-clusterqueue-reader
+rules:
+  - apiGroups: ["kueue.x-k8s.io"]
+    resources: ["clusterqueues"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: node-reader
+rules:
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pod-reader
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list"]

gpu-class/clusterrolebinding.yaml

@@ -0,0 +1,41 @@
+# CREATE KUEUE CLUSTER QUEUE READER CLUSTERROLE BINDING
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: csw-kueue-clusterqueue-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kueue-clusterqueue-reader
+subjects:
+- kind: Group
+  name: cs599-pmpp
+  apiGroup: rbac.authorization.k8s.io
+---
+# CREATE POD READER CLUSTERROLE BINDING
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: csw-pod-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: pod-reader
+subjects:
+- kind: Group
+  name: cs599-pmpp
+  apiGroup: rbac.authorization.k8s.io
+---
+# CREATE NODE READER CLUSTERROLE BINDING
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: csw-node-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: node-reader
+subjects:
+- kind: Group
+  name: cs599-pmpp
+  apiGroup: rbac.authorization.k8s.io

gpu-class/gpu-class-setup.sh

@@ -11,37 +11,15 @@ run_name="gpu_class_test"
 image_name="csw-dev-f25"
 
 create_wb() {
-    random_id=$(openssl rand -hex 3)
-
     #set namespace
     namespace=$1
 
-    username=$(oc -n "$ns" get rolebinding edit -o json \
-    | jq -r '
-        (.subjects // [])
-        | map(.name)
-        | map(select(. != "jappavoo-40bu-2edu"))
-        | map(select(. != "sdanni-40redhat-2com"))
-        | map(select(. != "istaplet"))
-        | .[]
-    ')
-
-    user=$(oc -n "$ns" get rolebinding edit -o json \
-    | jq -r '
-        (.subjects // [])
-        | map(.name
-            | if test("@.*\\..*$")
-                then sub("@"; "-40") | gsub("\\.";"-2")
-                else .
-                end)
-        | map(select(. != "jappavoo-40bu-2edu"))
-        | map(select(. != "sdanni-40redhat-2com"))
-        | map(select(. != "istaplet"))
-        | .[]
-    ')
+    username="jappavoo@bu.edu"
+
+    user="jappavoo-40bu-2edu"
 
     # give notebook within namespace a name
-    notebook_name=cs599-${user}-wb
+    notebook_name="csw-dev"
 
     params=(
         -p NOTEBOOK_NAME="$notebook_name"
@@ -79,22 +57,35 @@ apply_rolebinding() {
         -p SERVICE_ACCOUNT_NB="$notebook_name"
     )
 
-    oc process -f rb.yaml --local "${rb_params[@]}" | "${create_resource_command[@]}" --as system:admin
+    oc process -f rbac_template.yaml --local "${rb_params[@]}" | "${create_resource_command[@]}" --as system:admin
 }
 
-apply_clusterq() {
+create_clusterrole_bindings() {
+
+    oc apply -f clusterrole.yaml --as system:admin
+    # oc create will fail if resource exists (safer)
+    oc create -f clusterrolebinding.yaml --as system:admin
+}
+
+add_sa_to_clusterrolebinding() {
+    namespace=$1
+    notebook_name=$2
 
-    oc apply -f  cluster_queue_role.yaml --as system:admin
+    oc adm policy add-cluster-role-to-user pod-reader --rolebinding-name="csw-pod-reader" system:serviceaccount:$namespace:$notebook_name --as system:admin
+    oc adm policy add-cluster-role-to-user node-reader --rolebinding-name="csw-node-reader" system:serviceaccount:$namespace:$notebook_name --as system:admin
+    oc adm policy add-cluster-role-to-user kueue-clusterqueue-reader --rolebinding-name="csw-kueue-clusterqueue-reader" system:serviceaccount:$namespace:$notebook_name --as system:admin
 }
 
-apply_clusterq
+# create_clusterrole_bindings
 
 oc get ns | grep "^${CLASS_NAME}-" | awk '{print $1}' | while read ns; do
+    # ns="bu-cs599-pmpp-cuda-71cd48"
     oc project "$ns"
 
     #create a workbench and save the name of the notebook to apply rolebindings
     nb_name="$(create_wb "$ns")"
     apply_rolebinding "$ns" "$nb_name"
     apply_localqueue "$ns"
+    add_sa_to_clusterrolebinding "$ns" "$nb_name"
 
 done

gpu-class/notebook_resource.yaml

@@ -100,7 +100,7 @@ objects:
                                     --ServerApp.tornado_settings={"user":"${USER}","hub_host":"${HUB_HOST}","hub_prefix":"projects/${NAMESPACE}"}
               - name: JUPYTER_IMAGE
                 value: >-
-                  ${IMAGE_REPO}/${IMAGE_NAME}
+                  ${IMAGE_REPO}/${IMAGE_NAME}:latest
             ports:
               - containerPort: 8888
                 name: notebook-port
@@ -112,7 +112,7 @@ objects:
               - mountPath: /dev/shm
                 name: shm
             image: >-
-                ${IMAGE_REPO}/${IMAGE_NAME}
+                ${IMAGE_REPO}/${IMAGE_NAME}:latest
             workingDir: /opt/app-root/src
           - resources:
               limits:

gpu-class/rb.yaml → gpu-class/rbac_template.yaml

@@ -76,20 +76,6 @@ objects:
         name: ${SERVICE_ACCOUNT_NB}
         namespace: ${NAMESPACE}
 
-  # CLUSTER QUEUE ROLEBINDING
-  - apiVersion: rbac.authorization.k8s.io/v1
-    kind: ClusterRoleBinding
-    metadata:
-      name: ${SERVICE_ACCOUNT_NB}-kueue-clusterqueue-reader
-    roleRef:
-      apiGroup: rbac.authorization.k8s.io
-      kind: ClusterRole
-      name: kueue-clusterqueue-reader
-    subjects:
-      - kind: ServiceAccount
-        name: ${SERVICE_ACCOUNT_NB}
-        namespace: ${NAMESPACE}
-
   # OC AUTH EXEC (BINDINGS FOR DEFAULT SERVICE ACCOUNT)
   # BIND TO EXISTING EDIT ROLE
   - apiVersion: rbac.authorization.k8s.io/v1