RBAC
Baseline permissions
Voithos is installed with the following set of baseline permissions. These permissions are in addition to the permissions that pertain specifically to the voithos-system namespace, of course.
rules:
  - apiGroups:
      - 'virtex.ai'
    resources:
      - 'voithosautoscalinggroups'
    verbs:
      - 'get'
      - 'list'
  - apiGroups:
      - 'extensions'
      - 'apiextensions.k8s.io'
    resources:
      - 'customresourcedefinitions'
    resourceNames:
      - 'voithosautoscalinggroups'
    verbs:
      - 'get'
      - 'list'
  - apiGroups:
      - 'storage.k8s.io/v1'
    resources:
      - 'storageclasses'
    verbs:
      - 'get'
      - 'list'
  - apiGroups:
      - 'rbac.authorization.k8s.io/v1'
    resources:
      - 'roles'
      - 'rolebindings'
      - 'clusterroles'
      - 'clusterrolebindings'
    verbs:
      - 'get'
      - 'list'
  - apiGroups:
      - ''
    resources:
      - 'nodes'
      - 'nodes/metrics'
      - 'namespaces'
      - 'limitranges'
      - 'pods'
    verbs:
      - 'get'
      - 'list'
  - apiGroups:
      - 'batch'
    resources:
      - 'jobs'
      - 'cronjobs'
    verbs:
      - 'get'
      - 'list'
  - apiGroups:
      - 'apps'
    resources:
      - 'daemonsets'
      - 'deployments'
      - 'replicasets'
      - 'statefulsets'
    verbs:
      - 'get'
      - 'list'
  - apiGroups:
      - 'autoscaling'
    resources:
      - 'horizontalpodautoscalers'
      - 'verticalpodautoscalers'
    verbs:
      - 'get'
      - 'list'
Patch permissions
Extending patch permissions to Voithos does not by itself trigger it to patch resources. You must create a valid VoithosAutoscalingGroup custom resource, and select the resources (i.e. the group) that you want autoscaled according to a common set of configuration rules. It is within this set of configuration options that you will enable automatic patching. See Configuration for details about how to do this.
During installation, you can choose how you want to grant Voithos permission to perform resource patches, if at all.
Recommended method
By default, the helm installation will provide Voithos with the following permissions (in addition to the ones listed above).
rules:
  - apiGroups:
      - 'batch'
    resources:
      - 'jobs'
      - 'cronjobs'
    verbs:
      - 'patch'
  - apiGroups:
      - 'apps'
    resources:
      - 'daemonsets'
      - 'deployments'
      - 'replicasets'
      - 'statefulsets'
    verbs:
      - 'patch'
  - apiGroups:
      - 'autoscaling'
    resources:
      - 'horizontalpodautoscalers'
      - 'verticalpodautoscalers'
    verbs:
      - 'patch'
Fine grained permission grants
Alternatively, fine-grained permissions can be granted along with each voithosautoscalinggroup CR that gets created in the cluster. This can be done by passing the following flag to the helm install command:
--set patching.provisionRBAC=false
Note that with this method, you will need to grant Voithos patch permissions for all resources that are referenced by a voithosautoscalinggroup with patching enabled. To do this, attach the following label to an existing Role/ClusterRole that contains the patching permissions for those resources.
voithosautoscalinggroups.virtex.ai/aggregate-to-controller: "true"
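A ClusterRole carrying that label, scoped so that patch is granted only on named workloads, could look like the following. This is an added example, not a manifest from the Voithos project; the role name and the Deployment and HorizontalPodAutoscaler names are hypothetical.

```yaml
# Added example, not part of the Voithos chart.
# Everything marked "hypothetical" is an assumption made for illustration.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: voithos-patch-checkout          # hypothetical role name
  labels:
    # Label given on this page: marks the role's rules for aggregation
    # into the permissions of the Voithos controller.
    voithosautoscalinggroups.virtex.ai/aggregate-to-controller: "true"
rules:
  # Patch only the Deployments that a patching-enabled
  # VoithosAutoscalingGroup actually selects.
  - apiGroups:
      - 'apps'
    resources:
      - 'deployments'
    resourceNames:
      - 'checkout-api'                  # hypothetical workload
      - 'checkout-worker'               # hypothetical workload
    verbs:
      - 'patch'
  # Patch the matching autoscaler object, and nothing else in the group.
  - apiGroups:
      - 'autoscaling'
    resources:
      - 'horizontalpodautoscalers'
    resourceNames:
      - 'checkout-api'                  # hypothetical autoscaler
    verbs:
      - 'patch'
```

Because this is a ClusterRole, resourceNames restricts the grant by object name in every namespace, not to a single namespace, so an object with the same name elsewhere in the cluster is also covered.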