update wandb-console-role and manager-role permissions

velotioaastha · velotioaastha · commit e97ac1d2e668 · 2024-07-23T09:41:13.000-04:00
diff --git a/charts/operator-wandb/Chart.yaml b/charts/operator-wandb/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: operator-wandb
 description: A Helm chart for deploying W&B to Kubernetes
 type: application
-version: 0.15.3
+version: 0.15.4
 appVersion: 1.0.0
 icon: https://wandb.ai/logo.svg
 
diff --git a/charts/operator-wandb/charts/console/templates/clusterrole.yaml b/charts/operator-wandb/charts/console/templates/clusterrole.yaml
@@ -16,8 +16,16 @@ metadata:
     {{-   toYaml .Values.clusterRole.annotations | nindent 4 }}
     {{- end }}
 rules:
-  # We can scope these permissions down later
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "watch", "patch"]
+- apiGroups: [""]
+  resources: ["nodes", "namespaces", "pods", "pods/log", "configmaps", "services", "serviceaccounts", "events"]
+  verbs: ["get", "list"]
+- apiGroups: ["apps"]
+  resources: ["deployments", "statefulsets", "daemonsets", "replicasets", "controllerrevisions"]
+  verbs: ["get", "list"]
+- apiGroups: ["apps"]
+  resources: ["deployments/status", "statefulsets/status", "daemonsets/status", "replicasets/status"]
+  verbs: ["get"]
 {{- end }}
diff --git a/charts/operator/README.md b/charts/operator/README.md
@@ -13,6 +13,6 @@ helm upgrade --install operator wandb/operator
 
 ```
 git clone https://github.com/wandb/helm-charts.git
-cd helm-charts
+cd helm-charts/charts/operator
 helm upgrade --namespace=wandb --create-namespace --install operator .
 ```
diff --git a/charts/operator/templates/role.yaml b/charts/operator/templates/role.yaml
@@ -3,4 +3,83 @@ kind: ClusterRole
 metadata:
   name: {{ include "name" . }}-manager-role
 rules:
-{{ toYaml .Values.clusterRole.rules | indent 2 }}
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  - services
+  - services/finalizers
+  - secrets
+  - persistentvolumeclaims
+  - persistentvolumes
+  - configmaps
+  - pods
+  - events
+  verbs:
+  - create
+  - patch
+  - delete
+  - update
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - daemonsets
+  verbs:
+  - create
+  - patch
+  - delete
+  - update
+- apiGroups:
+  - apps.wandb.com
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterroles
+  - clusterrolebindings
+  - roles
+  - rolebindings
+  verbs:
+  - create
+  - update
+  - delete
+  - patch
+  - bind
+  - escalate
+- apiGroups:
+  - autoscaling
+  resources:
+  - horizontalpodautoscalers
+  verbs:
+  - create
+  - update
+  - delete
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  - ingressclasses
+  verbs:
+  - create
+  - patch
+  - update
+  - delete
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
