fix: replace ClusterRoleBinding to view with namespace-scoped pods permission (#310)

MikeSpreitzer · claude · web-flow · commit 7eb291a66fa9 · 2026-03-02T10:48:11.000-05:00
The test-requester binary's getPodUIDs() lists pods in the test namespace to sweep stale GPU allocations. This permission was previously supplied via a ClusterRoleBinding to the built-in view ClusterRole, which is a cluster-scoped object requiring cluster-admin privileges and preventing concurrent test runs. Replace it with an explicit get/list/watch rule on pods added to the existing namespace-scoped testreq Role. Remove all creation and cleanup of the testreq-view ClusterRoleBinding from every test script and the OpenShift CI workflow. Fixes #309 (sub-issue of #276). Signed-off-by: Mike Spreitzer <mspreitz@us.ibm.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/.github/workflows/ci-e2e-openshift.yaml b/.github/workflows/ci-e2e-openshift.yaml
@@ -588,6 +588,9 @@ jobs:
           - apiGroups: [""]
             resources: ["configmaps"]
             verbs: ["create"]
+          - apiGroups: [""]
+            resources: ["pods"]
+            verbs: ["get", "list", "watch"]
           EOF
 
           kubectl create sa testreq -n "$FMA_NAMESPACE" || true
@@ -596,8 +599,6 @@ jobs:
           kubectl create rolebinding testreq \
             --role=testreq --serviceaccount="${FMA_NAMESPACE}:testreq" \
             -n "$FMA_NAMESPACE" || true
-          kubectl create clusterrolebinding "testreq-view-${FMA_NAMESPACE}" \
-            --clusterrole=view --serviceaccount="${FMA_NAMESPACE}:testreq" || true
 
           echo "Test RBAC created"
 
@@ -923,7 +924,6 @@ jobs:
           # Delete cluster-scoped resources
           kubectl delete clusterrole fma-node-viewer --ignore-not-found || true
           kubectl delete clusterrolebinding "$FMA_RELEASE_NAME-node-view" --ignore-not-found || true
-          kubectl delete clusterrolebinding "testreq-view-${FMA_NAMESPACE}" --ignore-not-found || true
 
           echo "Cleanup complete"
 
diff --git a/inference_server/benchmark/setup_kind_resources.sh b/inference_server/benchmark/setup_kind_resources.sh
@@ -59,10 +59,17 @@ rules:
   - configmaps
   verbs:
   - create
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
 EOF
 
 kubectl create rolebinding testreq --role=testreq --serviceaccount=$(kubectl get sa default -o jsonpath={.metadata.namespace}):testreq
-kubectl create clusterrolebinding testreq-view --clusterrole=view --serviceaccount=$(kubectl get sa default -o jsonpath={.metadata.namespace}):testreq
 
 kubectl create sa testreq
 kubectl create cm gpu-map
diff --git a/test/e2e/run-launcher-based.sh b/test/e2e/run-launcher-based.sh
@@ -108,10 +108,17 @@ rules:
   - configmaps
   verbs:
   - create
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
 EOF
 
 kubectl create rolebinding testreq --role=testreq --serviceaccount=$(kubectl get sa default -o jsonpath={.metadata.namespace}):testreq
-kubectl create clusterrolebinding testreq-view --clusterrole=view --serviceaccount=$(kubectl get sa default -o jsonpath={.metadata.namespace}):testreq
 
 kubectl create sa testreq
 kubectl create cm gpu-map
diff --git a/test/e2e/run.sh b/test/e2e/run.sh
@@ -104,10 +104,17 @@ rules:
   - configmaps
   verbs:
   - create
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
 EOF
 
 kubectl create rolebinding testreq --role=testreq --serviceaccount=$(kubectl get sa default -o jsonpath={.metadata.namespace}):testreq
-kubectl create clusterrolebinding testreq-view --clusterrole=view --serviceaccount=$(kubectl get sa default -o jsonpath={.metadata.namespace}):testreq
 
 
 kubectl create sa testreq
