
Commit 1eb75af

fix: move provider-namespace RBAC to optional manifest
dashboard.yaml now only creates Role/RoleBinding in 'default' (always exists). Provider namespaces (kaito-workspace, dynamo-system, kuberay-system) are in a separate hf-secret-rbac.yaml applied after provider installation. Fixes apply failure on clean clusters. Also fix rollback command in versioning-upgrades.md to use correct deployment name (kubeairunway-controller-manager).
1 parent 5677880 commit 1eb75af

3 files changed

Lines changed: 109 additions & 96 deletions

deploy/kubernetes/dashboard.yaml

Lines changed: 5 additions & 95 deletions
@@ -141,9 +141,12 @@ subjects:
141141
namespace: kubeairunway-system
142142

143143
---
144-
# Namespace-scoped Roles for HuggingFace token secret management.
144+
# Namespace-scoped Role for HuggingFace token secret management.
145145
# Scoped to resourceNames: ["hf-token-secret"] so the dashboard can only
146-
# delete this specific secret, not any other secret in these namespaces.
146+
# delete this specific secret, not any other secret in this namespace.
147+
#
148+
# For provider namespaces (kaito-workspace, dynamo-system, kuberay-system),
149+
# apply deploy/kubernetes/hf-secret-rbac.yaml after installing those providers.
147150

148151
apiVersion: rbac.authorization.k8s.io/v1
149152
kind: Role
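Review bot: The comment added at new lines 148-149 names the follow-up manifest but not what happens if it is skipped. With this change the Roles in this file cover only the default namespace, so until deploy/kubernetes/hf-secret-rbac.yaml is applied they give the dashboard ServiceAccount no delete permission on hf-token-secret in kaito-workspace, dynamo-system or kuberay-system. Suggest one more comment line saying that token removal in those namespaces will be denied until the optional manifest is applied, so the resulting 403 is not read as a bug.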
@@ -158,48 +161,6 @@ rules:
158161
resourceNames: ["hf-token-secret"]
159162
verbs: ["delete"]
160163

161-
---
162-
apiVersion: rbac.authorization.k8s.io/v1
163-
kind: Role
164-
metadata:
165-
name: kubeairunway-hf-secret
166-
namespace: kaito-workspace
167-
labels:
168-
app.kubernetes.io/name: kubeairunway
169-
rules:
170-
- apiGroups: [""]
171-
resources: ["secrets"]
172-
resourceNames: ["hf-token-secret"]
173-
verbs: ["delete"]
174-
175-
---
176-
apiVersion: rbac.authorization.k8s.io/v1
177-
kind: Role
178-
metadata:
179-
name: kubeairunway-hf-secret
180-
namespace: dynamo-system
181-
labels:
182-
app.kubernetes.io/name: kubeairunway
183-
rules:
184-
- apiGroups: [""]
185-
resources: ["secrets"]
186-
resourceNames: ["hf-token-secret"]
187-
verbs: ["delete"]
188-
189-
---
190-
apiVersion: rbac.authorization.k8s.io/v1
191-
kind: Role
192-
metadata:
193-
name: kubeairunway-hf-secret
194-
namespace: kuberay-system
195-
labels:
196-
app.kubernetes.io/name: kubeairunway
197-
rules:
198-
- apiGroups: [""]
199-
resources: ["secrets"]
200-
resourceNames: ["hf-token-secret"]
201-
verbs: ["delete"]
202-
203164
---
204165
apiVersion: rbac.authorization.k8s.io/v1
205166
kind: RoleBinding
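Review bot: Removing the provider-namespace Roles at old lines 161-201 changes what a clean install creates, but kubectl apply without pruning does not delete objects that were dropped from a manifest, so clusters that applied the earlier dashboard.yaml keep these Roles (and the RoleBindings removed in the next hunk). That is harmless here because the optional manifest reuses the same name, kubeairunway-hf-secret, but it means clean and upgraded clusters end up with different RBAC state. Worth a sentence in the commit message or the upgrade docs so operators auditing delete access on secrets know where the leftover objects came from.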
@@ -217,57 +178,6 @@ subjects:
217178
name: kubeairunway
218179
namespace: kubeairunway-system
219180

220-
---
221-
apiVersion: rbac.authorization.k8s.io/v1
222-
kind: RoleBinding
223-
metadata:
224-
name: kubeairunway-hf-secret
225-
namespace: kaito-workspace
226-
labels:
227-
app.kubernetes.io/name: kubeairunway
228-
roleRef:
229-
apiGroup: rbac.authorization.k8s.io
230-
kind: Role
231-
name: kubeairunway-hf-secret
232-
subjects:
233-
- kind: ServiceAccount
234-
name: kubeairunway
235-
namespace: kubeairunway-system
236-
237-
---
238-
apiVersion: rbac.authorization.k8s.io/v1
239-
kind: RoleBinding
240-
metadata:
241-
name: kubeairunway-hf-secret
242-
namespace: dynamo-system
243-
labels:
244-
app.kubernetes.io/name: kubeairunway
245-
roleRef:
246-
apiGroup: rbac.authorization.k8s.io
247-
kind: Role
248-
name: kubeairunway-hf-secret
249-
subjects:
250-
- kind: ServiceAccount
251-
name: kubeairunway
252-
namespace: kubeairunway-system
253-
254-
---
255-
apiVersion: rbac.authorization.k8s.io/v1
256-
kind: RoleBinding
257-
metadata:
258-
name: kubeairunway-hf-secret
259-
namespace: kuberay-system
260-
labels:
261-
app.kubernetes.io/name: kubeairunway
262-
roleRef:
263-
apiGroup: rbac.authorization.k8s.io
264-
kind: Role
265-
name: kubeairunway-hf-secret
266-
subjects:
267-
- kind: ServiceAccount
268-
name: kubeairunway
269-
namespace: kubeairunway-system
270-
271181
---
272182
# Deployment
273183
apiVersion: apps/v1
deploy/kubernetes/hf-secret-rbac.yaml

Lines changed: 103 additions & 0 deletions
@@ -0,0 +1,103 @@
1+
# HuggingFace Token Secret RBAC for Provider Namespaces
2+
#
3+
# Apply this AFTER installing providers to enable HuggingFace token
4+
# removal from provider namespaces via the dashboard UI.
5+
#
6+
# Usage: kubectl apply -f hf-secret-rbac.yaml
7+
#
8+
# This is only needed if you use the dashboard to manage HuggingFace tokens.
9+
# Each Role is scoped to resourceNames: ["hf-token-secret"] — the dashboard
10+
# can only delete this specific secret, nothing else.
11+
12+
---
13+
apiVersion: rbac.authorization.k8s.io/v1
14+
kind: Role
15+
metadata:
16+
name: kubeairunway-hf-secret
17+
namespace: kaito-workspace
18+
labels:
19+
app.kubernetes.io/name: kubeairunway
20+
rules:
21+
- apiGroups: [""]
22+
resources: ["secrets"]
23+
resourceNames: ["hf-token-secret"]
24+
verbs: ["delete"]
25+
26+
---
27+
apiVersion: rbac.authorization.k8s.io/v1
28+
kind: Role
29+
metadata:
30+
name: kubeairunway-hf-secret
31+
namespace: dynamo-system
32+
labels:
33+
app.kubernetes.io/name: kubeairunway
34+
rules:
35+
- apiGroups: [""]
36+
resources: ["secrets"]
37+
resourceNames: ["hf-token-secret"]
38+
verbs: ["delete"]
39+
40+
---
41+
apiVersion: rbac.authorization.k8s.io/v1
42+
kind: Role
43+
metadata:
44+
name: kubeairunway-hf-secret
45+
namespace: kuberay-system
46+
labels:
47+
app.kubernetes.io/name: kubeairunway
48+
rules:
49+
- apiGroups: [""]
50+
resources: ["secrets"]
51+
resourceNames: ["hf-token-secret"]
52+
verbs: ["delete"]
53+
54+
---
55+
apiVersion: rbac.authorization.k8s.io/v1
56+
kind: RoleBinding
57+
metadata:
58+
name: kubeairunway-hf-secret
59+
namespace: kaito-workspace
60+
labels:
61+
app.kubernetes.io/name: kubeairunway
62+
roleRef:
63+
apiGroup: rbac.authorization.k8s.io
64+
kind: Role
65+
name: kubeairunway-hf-secret
66+
subjects:
67+
- kind: ServiceAccount
68+
name: kubeairunway
69+
namespace: kubeairunway-system
70+
71+
---
72+
apiVersion: rbac.authorization.k8s.io/v1
73+
kind: RoleBinding
74+
metadata:
75+
name: kubeairunway-hf-secret
76+
namespace: dynamo-system
77+
labels:
78+
app.kubernetes.io/name: kubeairunway
79+
roleRef:
80+
apiGroup: rbac.authorization.k8s.io
81+
kind: Role
82+
name: kubeairunway-hf-secret
83+
subjects:
84+
- kind: ServiceAccount
85+
name: kubeairunway
86+
namespace: kubeairunway-system
87+
88+
---
89+
apiVersion: rbac.authorization.k8s.io/v1
90+
kind: RoleBinding
91+
metadata:
92+
name: kubeairunway-hf-secret
93+
namespace: kuberay-system
94+
labels:
95+
app.kubernetes.io/name: kubeairunway
96+
roleRef:
97+
apiGroup: rbac.authorization.k8s.io
98+
kind: Role
99+
name: kubeairunway-hf-secret
100+
subjects:
101+
- kind: ServiceAccount
102+
name: kubeairunway
103+
namespace: kubeairunway-system
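Review bot: Bundling all three provider namespaces into one manifest (lines 12-103) means kubectl apply -f hf-secret-rbac.yaml still reports errors on a cluster where only some of the providers are installed, because the Role and RoleBinding for each missing namespace cannot be created. That is the same failure this commit removes from dashboard.yaml. Suggest one file per provider, or state in the header comment (lines 3-6) that errors for providers that are not installed are expected and the objects for existing namespaces are still applied. The Usage line at 6 also omits the deploy/kubernetes/ path that the comment in dashboard.yaml uses; making the two match avoids a wrong-directory apply.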

docs/versioning-upgrades.md

Lines changed: 1 addition & 1 deletion
@@ -35,7 +35,7 @@ When moving between versions, conversion webhooks will handle:
3535
kubectl apply -f https://raw.githubusercontent.com/kaito-project/kubeairunway/main/deploy/kubernetes/controller.yaml
3636

3737
# Rollback to previous version
38-
kubectl rollout undo deployment/kubeairunway-controller -n kubeairunway-system
38+
kubectl rollout undo deployment/kubeairunway-controller-manager -n kubeairunway-system
3939
```
4040

4141
**Behavior during upgrade:**
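Review bot: The corrected name on line 38, kubeairunway-controller-manager, cannot be checked from this diff because controller.yaml is not among the changed files; please confirm it matches metadata.name of the Deployment in that manifest. The rollback comment on line 37 would also benefit from one sentence saying that kubectl rollout undo reverts only the Deployment to its previous revision and leaves the other objects applied from controller.yaml on line 35 as they are.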