-
Notifications
You must be signed in to change notification settings - Fork 157
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RHOAIENG-11010] Use a more secure role for KServe InferenceService access #3198
[RHOAIENG-11010] Use a more secure role for KServe InferenceService access #3198
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3198 +/- ##
==========================================
+ Coverage 84.84% 84.87% +0.02%
==========================================
Files 1299 1300 +1
Lines 28920 28945 +25
Branches 7771 7777 +6
==========================================
+ Hits 24538 24567 +29
+ Misses 4382 4378 -4
... and 4 files with indirect coverage changes Continue to review full report in Codecov by Sentry.
|
…r KServe Signed-off-by: Mike Turley <mike.turley@alum.cs.umass.edu>
Signed-off-by: Mike Turley <mike.turley@alum.cs.umass.edu>
Signed-off-by: Mike Turley <mike.turley@alum.cs.umass.edu>
Signed-off-by: gitdallas <5322142+gitdallas@users.noreply.github.com>
Signed-off-by: Mike Turley <mike.turley@alum.cs.umass.edu>
d6ae4a3
to
a122ad0
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: lucferbux The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Resolves https://issues.redhat.com/browse/RHOAIENG-11010
Description
See comments on Jira issue for implementation details. When setting up token auth for KServe models, instead of giving their ServiceAccounts a binding to the ClusterRole "view", we create a new role for them to get only InferenceServices in their own namespace. This PR also adds logic to replace the old rolebindings on users' clusters with the replaced more secure ones.
How Has This Been Tested?
Tested by @lucferbux, steps outlined in this doc
Test Impact
setUpTokenAuth
to account for creating / not creating the new roleRequest review criteria:
Self checklist (all need to be checked):
If you have UI changes:
After the PR is posted & before it merges:
main