sigs.k8s.io/kueue@v0.6.2/site/content/en/docs/tasks/rbac.md

---
title: "Set up RBAC"
date: 2022-02-14
weight: 2
description: >
  Set up role-based access control (RBAC) in your cluster to control the types of users that can view and create Kueue objects.
---

This page shows you how to set up role-based access control (RBAC) in your cluster
to control the types of users that can view and create Kueue objects.

The page is intended for a [batch administrator](/docs/tasks#batch-administrator).

## Before you begin

Make sure the following conditions are met:

- A Kubernetes cluster is running.
- The kubectl command-line tool can communicate with your cluster.
- [Kueue is installed](/docs/installation).

This page assumes you are already familiar with [RBAC in Kubernetes](https://kubernetes.io/docs/reference/access-authn-authz/rbac/).

## ClusterRoles included in the installation

When you install Kueue, the following ClusterRoles are created for the
two main personas that we assume will interact with Kueue:

- `kueue-batch-admin-role` includes the permissions to manage ClusterQueues,
  Queues, Workloads, and ResourceFlavors.
- `kueue-batch-user-role` includes the permissions to manage [Jobs](https://kubernetes.io/docs/concepts/workloads/controllers/job/)
  and to view Queues and Workloads.

## Giving permissions to a batch administrator

A batch administrator typically requires the `kueue-batch-admin-role` ClusterRole
in all namespaces.

To bind the `kueue-batch-admin-role` role to a batch administrator, represented
by the user `admin@example.com`, create a ClusterRoleBinding with a manifest
similar to the following:

```yaml
# batch-admin-role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-pods
subjects:
- kind: User
  name: admin@example.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: kueue-batch-admin-role
  apiGroup: rbac.authorization.k8s.io
```

To create the ClusterRoleBinding, save the preceding manifest and run the
following command:

```shell
kubectl apply -f batch-admin-role-binding.yaml
```

## Giving permissions to a batch user

A batch user typically requires permissions to:

- Create and view Jobs in their namespace.
- View the queues available in their namespace.
- View the status of their [Workloads](/docs/concepts/workload) in their namespace.

To give these permissions to a group of users `team-a@example.com` for the
namespace `team-a`, create a RoleBinding with a manifest similar to the
following:

```yaml
# team-a-batch-user-role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: team-a
subjects:
- kind: Group
  name: team-a@example.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: kueue-batch-user-role
  apiGroup: rbac.authorization.k8s.io
```

To create the RoleBinding, save the preceding manifest and run the
following command:

```shell
kubectl apply -f team-a-batch-user-role-binding.yaml
```
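
To confirm that both bindings grant what this page describes and nothing more, the following added example (not part of the Kueue documentation) impersonates each subject with `kubectl auth can-i`. It assumes your own account is allowed to impersonate users and groups, that the subjects have no other bindings, and that queues are exposed as `localqueues.kueue.x-k8s.io`; `team-a-member` is a constructed user name.

```shell
#!/bin/sh
# Added example: check the bindings above with kubectl impersonation.
# Assumptions: the caller may impersonate users and groups; the subjects
# have no other bindings; "team-a-member" is a constructed user name.
KUBECTL="${KUBECTL:-kubectl}"   # override to add e.g. --context

# expect WANT USER GROUP NAMESPACE VERB RESOURCE   ("-" = not set)
# Returns 0 when the API server's answer equals WANT (yes|no).
expect() {
  want=$1 user=$2 group=$3 ns=$4 verb=$5 res=$6
  set -- auth can-i "$verb" "$res" --as "$user"
  if [ "$group" != - ]; then set -- "$@" --as-group "$group"; fi
  if [ "$ns" != - ]; then set -- "$@" --namespace "$ns"; fi
  out=$($KUBECTL "$@" 2>/dev/null </dev/null) || true
  # can-i prints "yes" or "no" (optionally with a reason); anything else
  # means the check itself failed, which must not pass as a "no".
  case "$out" in yes*) got=yes ;; no*) got=no ;; *) got=error ;; esac
  [ "$got" = "$want" ] && return 0
  echo "MISMATCH $user group=$group ns=$ns $verb $res: want $want, got $got" >&2
  return 1
}

# Runs every expectation and returns non-zero if any of them is violated.
# Columns: WANT USER GROUP NAMESPACE VERB RESOURCE
verify_kueue_rbac() {
  fail=0
  while read -r want user group ns verb res; do
    expect "$want" "$user" "$group" "$ns" "$verb" "$res" || fail=1
  done <<'EOF'
yes admin@example.com - - create clusterqueues.kueue.x-k8s.io
yes admin@example.com - - create resourceflavors.kueue.x-k8s.io
yes team-a-member team-a@example.com team-a create jobs.batch
yes team-a-member team-a@example.com team-a list localqueues.kueue.x-k8s.io
yes team-a-member team-a@example.com team-a list workloads.kueue.x-k8s.io
no team-a-member team-a@example.com default create jobs.batch
no team-a-member team-a@example.com - create clusterqueues.kueue.x-k8s.io
no team-a-member team-a@example.com team-a create localqueues.kueue.x-k8s.io
EOF
  return "$fail"
}
```

Source the file and run `verify_kueue_rbac` after applying the manifests; a `MISMATCH` line on a `no` row means the subject holds more access than these two bindings are meant to give.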