Updating rbac and some minor changes around the install script and instructions

Jaland · Jaland · commit b6d21e5313b3 · 2025-09-30T15:54:02.000-04:00
diff --git a/deployment/README.md b/deployment/README.md
@@ -181,22 +181,31 @@ kubectl -n kuadrant-system patch limitador limitador --type merge \
   -p '{"spec":{"image":"quay.io/kuadrant/limitador:1a28eac1b42c63658a291056a62b5d940596fd4c","version":""}}'
 ```
 
-#### Configure AuthPolicy Audience
+#### Ensure the correct audience is set for AuthPolicy
 
-First, get the correct audience for OpenShift identities, then apply the auth policy:
+Patch `AuthPolicy` with the correct audience for Openshift Identities:
 
-```bash
+```shell
+PROJECT_DIR=$(git rev-parse --show-toplevel)
 AUD="$(kubectl create token default --duration=10m \
   | jwt decode --json - \
   | jq -r '.payload.aud[0]')"
-kubectl patch -f deployment/base/policies/auth-policy.yaml \
+
+echo "Patching AuthPolicy with audience: $AUD"
+
+# Note: Auth policy path may vary depending on your deployment
+# For consolidated deployment structure:
+
+# Patch MaaS API AuthPolicy
+kubectl patch --local -f ${PROJECT_DIR}/deployment/base/policies/maas-auth-policy.yaml \
   --type='json' \
   -p "$(jq -nc --arg aud "$AUD" '[{
     op:"replace",
-    path:"/spec/rules/authentication/openshift-identities/kubernetesTokenReview/audiences",
-    value:[$aud]
+    path:"/spec/rules/authentication/openshift-identities/kubernetesTokenReview/audiences/0",
+    value:$aud
   }]')" \
   -o yaml | kubectl apply -f -
+  
 ```
 
 ### Kubernetes Configuration
diff --git a/deployment/samples/models/simulator/rbac.yaml b/deployment/samples/models/simulator/rbac.yaml
@@ -6,8 +6,8 @@ metadata:
   namespace: llm
 rules:
   - apiGroups: ["serving.kserve.io"]
-    resources: ["inferenceservices"]
-    verbs: ["create"]
+    resources: ["llminferenceservices"]
+    verbs: ["post"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
diff --git a/deployment/scripts/deploy-openshift.sh b/deployment/scripts/deploy-openshift.sh
@@ -167,10 +167,10 @@ kubectl rollout status deployment/authorino-operator -n kuadrant-system --timeou
 kubectl rollout status deployment/limitador-operator-controller-manager -n kuadrant-system --timeout=120s
 
 # Step 8: Restart KServe controller
-echo ""
-echo "8️⃣ Restarting KServe controller..."
-kubectl rollout restart deployment kserve-controller-manager -n kserve
-kubectl rollout status deployment/kserve-controller-manager -n kserve --timeout=120s
+# echo ""
+# echo "8️⃣ Restarting KServe controller..."
+# kubectl rollout restart deployment kserve-controller-manager -n kserve
+# kubectl rollout status deployment/kserve-controller-manager -n kserve --timeout=120s
 
 # Verification
 echo ""
diff --git a/maas-api/deploy/overlays/dev/models/qwen3/rbac.yaml b/maas-api/deploy/overlays/dev/models/qwen3/rbac.yaml
@@ -6,7 +6,7 @@ metadata:
   namespace: llm
 rules:
   - apiGroups: ["serving.kserve.io"]
-    resources: ["inferenceservices"]
+    resources: ["llminferenceservices"]
     verbs: ["post"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
