From ea06743861083cd0f80e92444417d1b71ed4b39e Mon Sep 17 00:00:00 2001
From: Michael Valdron
Date: Fri, 1 Aug 2025 14:54:56 -0400
Subject: [PATCH 1/7] add rhoai-workspace namespace edit Group and RoleBinding
Signed-off-by: Michael Valdron
---
 authorization/kustomization.yaml | 2 ++
 authorization/rhoai-workspace-edit-users.yaml | 6 ++++++
 authorization/rhoai-workspace-edit.yaml | 13 +++++++++++++
 3 files changed, 21 insertions(+)
 create mode 100644 authorization/rhoai-workspace-edit-users.yaml
 create mode 100644 authorization/rhoai-workspace-edit.yaml
diff --git a/authorization/kustomization.yaml b/authorization/kustomization.yaml
index 4b056e0..bb6ffad 100644
--- a/authorization/kustomization.yaml
+++ b/authorization/kustomization.yaml
@@ -5,3 +5,5 @@ resources:
 - redhat-ai-dev-edit-users.yaml
 - redhat-ai-dev-view.yaml
 - redhat-ai-dev-view-users.yaml
+ - rhoai-workspace-edit.yaml
+ - rhoai-workspace-edit-users.yaml
diff --git a/authorization/rhoai-workspace-edit-users.yaml b/authorization/rhoai-workspace-edit-users.yaml
new file mode 100644
index 0000000..a9a7ecd
--- /dev/null
+++ b/authorization/rhoai-workspace-edit-users.yaml
@@ -0,0 +1,6 @@
+# This group provides edit access to the rhoai-workspace on the redhat-ai-dev team OpenShift cluster.
+# This does *not* create your user on the cluster, you **must** have an internal SSO account to log on
+kind: Group
+apiVersion: user.openshift.io/v1
+metadata:
+ name: rhoai-workspace-edit-users
\ No newline at end of file
diff --git a/authorization/rhoai-workspace-edit.yaml b/authorization/rhoai-workspace-edit.yaml
new file mode 100644
index 0000000..38a13df
--- /dev/null
+++ b/authorization/rhoai-workspace-edit.yaml
@@ -0,0 +1,13 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: rhoai-workspace-edit
+ namespace: rhoai-workspace
+subjects:
+ - kind: Group
+ apiGroup: rbac.authorization.k8s.io
+ name: rhoai-workspace-edit-users
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: edit
From 141cb4fdc01857c361106b45ae96cab1d5ef58ff Mon Sep 17 00:00:00 2001
From: Michael Valdron
Date: Fri, 1 Aug 2025 14:59:59 -0400
Subject: [PATCH 2/7] fix: correct Group reference to 'redhat-ai-dev-view-users' under 'redhat-ai-dev-vview' ClusterRoleBinding
Signed-off-by: Michael Valdron
---
 authorization/redhat-ai-dev-view.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/authorization/redhat-ai-dev-view.yaml b/authorization/redhat-ai-dev-view.yaml
index ec90636..c8b36ac 100644
--- a/authorization/redhat-ai-dev-view.yaml
+++ b/authorization/redhat-ai-dev-view.yaml
@@ -5,7 +5,7 @@ metadata:
 subjects:
 - kind: Group
 apiGroup: rbac.authorization.k8s.io
- name: redhat-ai-dev-users
+ name: redhat-ai-dev-view-users
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
From 3a590367c496503f48160606daf23c04c62dd0cd Mon Sep 17 00:00:00 2001
From: Michael Valdron
Date: Fri, 1 Aug 2025 15:05:05 -0400
Subject: [PATCH 3/7] update group permissions under authorization README file
Signed-off-by: Michael Valdron
---
 authorization/README.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/authorization/README.md b/authorization/README.md
index 0115044..1023c7e 100644
--- a/authorization/README.md
+++ b/authorization/README.md
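Review bot: The new RoleBinding manifest has no header comment, unlike the Group file added in the same patch, so a reader of `rhoai-workspace-edit.yaml` on its own has to work out that the built-in `edit` ClusterRole is being granted for one namespace rather than cluster-wide. A header in the style of the Group file would make that explicit: `# Grants the built-in 'edit' ClusterRole, scoped to the rhoai-workspace namespace only, to the Group listed under subjects.` The binding itself is well-formed: `roleRef` names a ClusterRole, which is the usual way to reuse the default roles inside a single namespace, and the subject carries the correct `rbac.authorization.k8s.io` apiGroup.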
@@ -6,4 +6,10 @@
 > [!NOTE]
 > Adding your username to one of the `Group`s managed by this ArgoCD application does **not** create your username or grant access to the cluster. You must already have an internal SSO login in order for these role bindings to take effect.
 
-Membership in the `redhat-ai-dev-users` `Group` on the cluster grants cluster-wide `edit` permissions. Additional permissions can be configured via additional `Group` and `RoleBinding` resources.
\ No newline at end of file
+Membership in under the listed `Group` entities provides the corresponding permissions:
+
+- `redhat-ai-dev-view-users` - grants cluster-wide `view` permissions
+- `redhat-ai-dev-edit-users` - grants cluster-wide `edit` permissions
+- `rhoai-workspace-edit-users` - grants `edit` permissions to the `rhoai-workspace` namespace
+
+Additional permissions can be configured via additional `Group` and `RoleBinding` resources.
\ No newline at end of file
From 18674f9ae8b22642ade2a0c1abcc136e8d0fe741 Mon Sep 17 00:00:00 2001
From: Michael Valdron
Date: Fri, 1 Aug 2025 16:35:42 -0400
Subject: [PATCH 4/7] feedback: consolidate user groups to 'redhat-ai-dev-users' with only 'redhat-ai-dev-view' ClusterRoleBinding
Signed-off-by: Michael Valdron
---
 authorization/README.md | 8 +-------
 authorization/kustomization.yaml | 4 +---
 authorization/redhat-ai-dev-edit.yaml | 12 ------------
 ...-dev-edit-users.yaml => redhat-ai-dev-users.yaml} | 2 +-
 authorization/redhat-ai-dev-view-users.yaml | 6 ------
 authorization/redhat-ai-dev-view.yaml | 2 +-
 6 files changed, 4 insertions(+), 30 deletions(-)
 delete mode 100644 authorization/redhat-ai-dev-edit.yaml
 rename authorization/{redhat-ai-dev-edit-users.yaml => redhat-ai-dev-users.yaml} (92%)
 delete mode 100644 authorization/redhat-ai-dev-view-users.yaml
diff --git a/authorization/README.md b/authorization/README.md
index 1023c7e..0115044 100644
--- a/authorization/README.md
+++ b/authorization/README.md
@@ -6,10 +6,4 @@
 > [!NOTE]
 > Adding your username to one of the `Group`s managed by this ArgoCD application does **not** create your username or grant access to the cluster. You must already have an internal SSO login in order for these role bindings to take effect.
 
-Membership in under the listed `Group` entities provides the corresponding permissions:
-
-- `redhat-ai-dev-view-users` - grants cluster-wide `view` permissions
-- `redhat-ai-dev-edit-users` - grants cluster-wide `edit` permissions
-- `rhoai-workspace-edit-users` - grants `edit` permissions to the `rhoai-workspace` namespace
-
-Additional permissions can be configured via additional `Group` and `RoleBinding` resources.
\ No newline at end of file
+Membership in the `redhat-ai-dev-users` `Group` on the cluster grants cluster-wide `edit` permissions. Additional permissions can be configured via additional `Group` and `RoleBinding` resources.
\ No newline at end of file
diff --git a/authorization/kustomization.yaml b/authorization/kustomization.yaml
index bb6ffad..0449739 100644
--- a/authorization/kustomization.yaml
+++ b/authorization/kustomization.yaml
@@ -1,9 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - redhat-ai-dev-edit.yaml
- - redhat-ai-dev-edit-users.yaml
+ - redhat-ai-dev-users.yaml
 - redhat-ai-dev-view.yaml
- - redhat-ai-dev-view-users.yaml
 - rhoai-workspace-edit.yaml
 - rhoai-workspace-edit-users.yaml
diff --git a/authorization/redhat-ai-dev-edit.yaml b/authorization/redhat-ai-dev-edit.yaml
deleted file mode 100644
index afedae6..0000000
--- a/authorization/redhat-ai-dev-edit.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: redhat-ai-dev-edit
-subjects:
- - kind: Group
- apiGroup: rbac.authorization.k8s.io
- name: redhat-ai-dev-edit-users
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: edit
diff --git a/authorization/redhat-ai-dev-edit-users.yaml b/authorization/redhat-ai-dev-users.yaml
similarity index 92%
rename from authorization/redhat-ai-dev-edit-users.yaml
rename to authorization/redhat-ai-dev-users.yaml
index 9e6f3cc..4cb068f 100644
--- a/authorization/redhat-ai-dev-edit-users.yaml
+++ b/authorization/redhat-ai-dev-users.yaml
@@ -3,7 +3,7 @@
 kind: Group
 apiVersion: user.openshift.io/v1
 metadata:
- name: redhat-ai-dev-edit-users
+ name: redhat-ai-dev-users
 users:
 - bwilcock
 - jdubrick
diff --git a/authorization/redhat-ai-dev-view-users.yaml b/authorization/redhat-ai-dev-view-users.yaml
deleted file mode 100644
index 74ef1da..0000000
--- a/authorization/redhat-ai-dev-view-users.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-# This group provides cluster-wide view access on the redhat-ai-dev team OpenShift cluster.
-# This does *not* create your user on the cluster, you **must** have an internal SSO account to log on
-kind: Group
-apiVersion: user.openshift.io/v1
-metadata:
- name: redhat-ai-dev-view-users
\ No newline at end of file
diff --git a/authorization/redhat-ai-dev-view.yaml b/authorization/redhat-ai-dev-view.yaml
index c8b36ac..ec90636 100644
--- a/authorization/redhat-ai-dev-view.yaml
+++ b/authorization/redhat-ai-dev-view.yaml
@@ -5,7 +5,7 @@ metadata:
 subjects:
 - kind: Group
 apiGroup: rbac.authorization.k8s.io
- name: redhat-ai-dev-view-users
+ name: redhat-ai-dev-users
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
From 80281ef0a8af65925a71a72c099859114a75cf98 Mon Sep 17 00:00:00 2001
From: Michael Valdron
Date: Fri, 1 Aug 2025 16:38:38 -0400
Subject: [PATCH 5/7] feedback: reference 'redhat-ai-dev-users' Group under 'rhoai-workspace-edit' RoleBinding
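Review bot: Renaming the Group to `redhat-ai-dev-users` leaves the file's first two lines untouched (the hunk starts at line 3 and the diffstat records one insertion and one deletion for this file), so if they carry the same two-line header as the deleted `redhat-ai-dev-view-users.yaml`, they presumably still describe this group as granting cluster-wide edit access, which is no longer what the group is bound to after this patch. The header should be brought in line with the surviving bindings, e.g. `# This group provides cluster-wide view access on the redhat-ai-dev team OpenShift cluster.` at this point in the series. The members under `users:` (context lines here) carry over unchanged, so everyone who previously held cluster-wide `edit` now holds only what `redhat-ai-dev-users` is bound to; the old `redhat-ai-dev-edit-users` Group object is removed from the cluster only if the ArgoCD application prunes, which this series does not show.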
Signed-off-by: Michael Valdron
---
 authorization/kustomization.yaml | 1 -
 authorization/rhoai-workspace-edit-users.yaml | 6 ------
 authorization/rhoai-workspace-edit.yaml | 2 +-
 3 files changed, 1 insertion(+), 8 deletions(-)
 delete mode 100644 authorization/rhoai-workspace-edit-users.yaml
diff --git a/authorization/kustomization.yaml b/authorization/kustomization.yaml
index 0449739..eaa0d1a 100644
--- a/authorization/kustomization.yaml
+++ b/authorization/kustomization.yaml
@@ -4,4 +4,3 @@ resources:
 - redhat-ai-dev-users.yaml
 - redhat-ai-dev-view.yaml
 - rhoai-workspace-edit.yaml
- - rhoai-workspace-edit-users.yaml
diff --git a/authorization/rhoai-workspace-edit-users.yaml b/authorization/rhoai-workspace-edit-users.yaml
deleted file mode 100644
index a9a7ecd..0000000
--- a/authorization/rhoai-workspace-edit-users.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-# This group provides edit access to the rhoai-workspace on the redhat-ai-dev team OpenShift cluster.
-# This does *not* create your user on the cluster, you **must** have an internal SSO account to log on
-kind: Group
-apiVersion: user.openshift.io/v1
-metadata:
- name: rhoai-workspace-edit-users
\ No newline at end of file
diff --git a/authorization/rhoai-workspace-edit.yaml b/authorization/rhoai-workspace-edit.yaml
index 38a13df..1dc6a80 100644
--- a/authorization/rhoai-workspace-edit.yaml
+++ b/authorization/rhoai-workspace-edit.yaml
@@ -6,7 +6,7 @@ metadata:
 subjects:
 - kind: Group
 apiGroup: rbac.authorization.k8s.io
- name: rhoai-workspace-edit-users
+ name: redhat-ai-dev-users
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
From f7f392afb448ba8159b9f52c1eb3fb88cf5ccfa7 Mon Sep 17 00:00:00 2001
From: Michael Valdron
Date: Fri, 1 Aug 2025 16:40:16 -0400
Subject: [PATCH 6/7] update README with revisions
Signed-off-by: Michael Valdron
---
 authorization/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
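Review bot: Pointing this RoleBinding at `redhat-ai-dev-users` means every member of the cluster-wide `view` group now also holds the full built-in `edit` ClusterRole inside `rhoai-workspace`, and `edit` (unlike `view`) includes reading and writing Secrets and `pods/exec` in that namespace, so this binding is the one place where team-wide read access turns into credential access. The manifest records none of that; a header comment would keep the intent next to the grant: `# Every member of redhat-ai-dev-users gets the built-in 'edit' ClusterRole scoped to the rhoai-workspace namespace (this includes Secrets and pod exec there).` If `rhoai-workspace` holds credentials that should not be readable by the whole team, binding a custom Role that omits `secrets` would be the narrower alternative. The RoleBinding's `metadata` block, including the `namespace` field, precedes this hunk.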
diff --git a/authorization/README.md b/authorization/README.md
index 0115044..056883b 100644
--- a/authorization/README.md
+++ b/authorization/README.md
@@ -6,4 +6,4 @@
 > [!NOTE]
 > Adding your username to one of the `Group`s managed by this ArgoCD application does **not** create your username or grant access to the cluster. You must already have an internal SSO login in order for these role bindings to take effect.
 
-Membership in the `redhat-ai-dev-users` `Group` on the cluster grants cluster-wide `edit` permissions. Additional permissions can be configured via additional `Group` and `RoleBinding` resources.
\ No newline at end of file
+Membership in the `redhat-ai-dev-users` `Group` on the cluster grants cluster-wide `view` and `rhoai-workspace` namespace `edit` permissions. Additional permissions can be configured via additional `Group` and `RoleBinding` resources.
\ No newline at end of file
From e23b2509da095b149d5d0d05e16650a3256f2ce0 Mon Sep 17 00:00:00 2001
From: Michael Valdron
Date: Tue, 19 Aug 2025 11:37:52 -0400
Subject: [PATCH 7/7] feedback: clarify edit permissions to personal user namespaces under README
Signed-off-by: Michael Valdron
---
 authorization/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/authorization/README.md b/authorization/README.md
index 056883b..a1085f5 100644
--- a/authorization/README.md
+++ b/authorization/README.md
@@ -6,4 +6,4 @@
 > [!NOTE]
 > Adding your username to one of the `Group`s managed by this ArgoCD application does **not** create your username or grant access to the cluster. You must already have an internal SSO login in order for these role bindings to take effect.
 
-Membership in the `redhat-ai-dev-users` `Group` on the cluster grants cluster-wide `view` and `rhoai-workspace` namespace `edit` permissions. Additional permissions can be configured via additional `Group` and `RoleBinding` resources.
\ No newline at end of file
+Membership in the `redhat-ai-dev-users` `Group` on the cluster grants cluster-wide `view`, and `edit` permissions to the user's personal namespace and the `rhoai-workspace` namespace. Additional permissions can be configured via additional `Group` and `RoleBinding` resources.
\ No newline at end of file