feat: move the serviec account to kubeflow namespace

reinthal · Dec 20, 2024 · 64d4bf1 · 64d4bf1
1 parent 0772a9d
commit 64d4bf1
Showing 1 changed file with 45 additions and 1 deletion.
diff --git a/apps/base/kubeflow/spark.yaml b/apps/base/kubeflow/spark.yaml
@@ -24,7 +24,51 @@ spec:
         name: spark-operator
         namespace: kubeflow
       interval: 24h
-  values: []
+  values:
+    serviceAccount:
+      # -- Specifies whether to create a service account for the controller.
+      create: false
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: spark-operator-spark
+  namespace: kubeflow
+---
+# Grant all permissions over services, pods, persistentvolumeclaims, and configmaps in the namespace (kubeflow)
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: spark-operator-role
+  namespace: kubeflow
+rules:
+  - apiGroups: [""]
+    resources: ["services"]
+    verbs: ["*"]  # All permissions: create, delete, get, list, watch, update, patch
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["*"]  # All permissions
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["*"]  # All permissions
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["*"]  # All permissions
+---
+# Bind the above Role to the spark-operator ServiceAccount
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: spark-operator-rolebinding
+  namespace: kubeflow
+subjects:
+  - kind: ServiceAccount
+    name: spark-operator-spark
+    namespace: kubeflow
+roleRef:
+  kind: Role
+  name: spark-operator-role
+  apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: "sparkoperator.k8s.io/v1beta2"
 kind: SparkApplication