Add ODH overlay

Augments the `default` profile with some changes expected by an ODH installation: * Removes the `Namespace` CR, because the ODH operator does not expect such resource. The Namespace is expected to be created in advance to later create a KfDef on it, where resources are going to be installed. * Adds cluster roles, to extend the cluster's default user-facing roles with KServe privileges. Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>
opendatahub-io · Aug 1, 2023 · 50d33ed · 50d33ed
1 parent 23c823c
commit 50d33ed
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 0 deletions.
diff --git a/config/overlays/odh/kustomization.yaml b/config/overlays/odh/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../default
+- user-cluster-roles.yaml
+
+patchesStrategicMerge:
+- remove-namespace.yaml
diff --git a/config/overlays/odh/remove-namespace.yaml b/config/overlays/odh/remove-namespace.yaml
@@ -0,0 +1,6 @@
+# Remove namespace resource as namespace will already exist.
+$patch: delete
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kserve
diff --git a/config/overlays/odh/user-cluster-roles.yaml b/config/overlays/odh/user-cluster-roles.yaml
@@ -0,0 +1,57 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kserve-admin
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+aggregationRule:
+  clusterRoleSelectors:
+    - matchLabels:
+        rbac.authorization.k8s.io/aggregate-to-kserve-admin: "true"
+rules: []
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kserve-edit
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-kserve-admin: "true"
+rules:
+  - apiGroups:
+      - serving.kserve.io
+    resources:
+      - inferenceservices
+      - servingruntimes
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kserve-view
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+  - apiGroups:
+      - kubeflow.org
+    resources:
+      - servingruntimes
+      - servingruntimes/status
+      - servingruntimes/finalizers
+      - inferenceservices
+      - inferenceservices/status
+      - inferenceservices/finalizers
+    verbs:
+      - get
+      - list
+      - watch