
rbac.yaml

ml-platform/manifests/rbac.yaml

# ServiceAccount for the operator. Its permissions come from the
# ml-operator-role ClusterRole, bound by ml-operator-binding in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: ml-platform
  name: ml-operator
---
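# Cluster-level permissions required by the operator.
# NOTE(review): ml-operator-binding in this file is a ClusterRoleBinding, so
# every rule below is effective in all namespaces. Write access to Deployments
# lets the holder run pods under any ServiceAccount of the target namespace,
# which makes this account highly privileged. If the operator only reconciles
# inside ml-platform, a namespaced Role and RoleBinding would be the tighter
# fit -- confirm the operator's watch scope before narrowing.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ml-operator-role
rules:
  # Manage MLModel custom resource instances.
  - apiGroups: ["ml.k8s-lab.io"]
    resources: ["mlmodels"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Status subresource: the API server only serves get, update and patch on
  # it, so the remaining verbs are not granted.
  - apiGroups: ["ml.k8s-lab.io"]
    resources: ["mlmodels/status"]
    verbs: ["get", "update", "patch"]
  # Manage the inference Deployments.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Manage Services.
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Manage HorizontalPodAutoscalers.
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Record events (write-only: create and patch, no read verbs).
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  # Leader election.
  # NOTE(review): the election Lease presumably lives in one namespace; a
  # namespaced Role would then be enough for this rule -- confirm against
  # the operator's leader-election settings.
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]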
---
# Grants ml-operator-role to the ml-operator ServiceAccount. Because this is
# a ClusterRoleBinding, the role's rules apply in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ml-operator-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ml-operator-role
subjects:
  - kind: ServiceAccount
    namespace: ml-platform
    name: ml-operator
---
# ServiceAccount for training Jobs, which need to create MLModel
# custom resources.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: ml-platform
  name: ml-trainer
---
# Namespaced permissions for training Jobs: create, get and list on MLModel
# objects in ml-platform. No update, patch or delete is granted.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: ml-platform
  name: ml-trainer-role
rules:
  - apiGroups:
      - "ml.k8s-lab.io"
    resources:
      - "mlmodels"
    verbs:
      - "create"
      - "get"
      - "list"
---
# Grants ml-trainer-role to the ml-trainer ServiceAccount, within the
# ml-platform namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: ml-platform
  name: ml-trainer-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ml-trainer-role
subjects:
  - kind: ServiceAccount
    namespace: ml-platform
    name: ml-trainer