Merge pull request #377 from shengnuo/milvus-oc-rbac

shengnuo · web-flow · commit c8ea490509c3 · 2025-03-20T11:56:29.000-04:00
Grant anyuid SCC to Milvus using k8s Role and RoleBinding
diff --git a/test/e2e/nemo-dependencies/evaluator/tasks/milvus.yaml b/test/e2e/nemo-dependencies/evaluator/tasks/milvus.yaml
@@ -7,13 +7,16 @@
   set_fact:
     is_openshift: "{{ 'routes.route.openshift.io' in api_resources.stdout_lines }}"
 
-- name: OpenShift - Create Milvus service account
-  command: kubectl create serviceaccount milvus -n {{ namespace }}
-  when: is_openshift
 
-- name: OpenShift - Add SCC policy anyuid to Milvus service account
-  command: oc adm policy add-scc-to-user anyuid system:serviceaccount:{{ namespace }}:milvus
-  when: is_openshift
+- name: OpenShift - Prepare RBAC to use anyuid SCC
+  ansible.builtin.template:
+    src: milvus-oc-rbac.yaml.j2
+    dest: milvus-oc-rbac.yaml
+  when: is_openshift 
+
+- name: OpenShift - apply RBAC to use anyuid SCC
+  command: kubectl apply -f milvus-oc-rbac.yaml
+  when: is_openshift 
 
 - name: Add Helm repository for Milvus
   command: helm repo add {{ milvus.helm_repo_name }} {{ milvus.helm_repo_url }}
diff --git a/test/e2e/nemo-dependencies/evaluator/tasks/uninstall.yaml b/test/e2e/nemo-dependencies/evaluator/tasks/uninstall.yaml
@@ -19,4 +19,12 @@
 
 - name: Delete Milvus SA
   command: kubectl delete serviceaccount milvus -n {{ namespace }}
+  ignore_errors: true
+
+- name: Delete Milvus role
+  command: kubectl delete role scc-anyuid -n {{ namespace }}
+  ignore_errors: true
+
+- name: Delete Milvus rolebinding
+  command: kubectl delete rolebinding milvus-scc-anyuid-binding -n {{ namespace }}
   ignore_errors: true
diff --git a/test/e2e/nemo-dependencies/evaluator/templates/milvus-oc-rbac.yaml.j2 b/test/e2e/nemo-dependencies/evaluator/templates/milvus-oc-rbac.yaml.j2
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: milvus
+  namespace: {{ namespace }}
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: scc-anyuid
+  namespace: {{ namespace }}
+rules:
+- apiGroups: ['security.openshift.io']
+  resources: ['securitycontextconstraints']
+  verbs: ['use']
+  resourceNames: ['anyuid']
+
+--- 
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: milvus-scc-anyuid-binding
+  namespace: {{ namespace }}
+subjects:
+- kind: ServiceAccount
+  name: milvus
+  namespace: {{ namespace }}
+roleRef:
+  kind: ClusterRole
+  name: scc-anyuid
+  apiGroup: rbac.authorization.k8s.io
