Narrow down RBAC rules (#2091)

* Update training operator image in CI

* Remove deprecated GRPC var

* Remove deprecated GRPC var

* Remove deprecated GRPC var

* Support for k8s v1.25 in CI

* Revert "Support for k8s v1.25 in CI"

This reverts commit 16e6fe4.

* Narrow down rbac

* Narrow down rbac

* Narrow down rbac

* Narrow down rbac

* Narrow down rbac

* Narrow down rbac

* Narrow down rbac

* Update tekton and argo docs

* Update tekton and argo docs

Author: johnugeorge

examples/v1beta1/argo/README.md

@@ -65,14 +65,18 @@ with the appropriate permission:
   resources:
     - workflows
   verbs:
-    - "*"
+    - "get"
+    - "list"
+    - "watch"
+    - "create"
+    - "delete"
 ```
 
 Run the following command to update Katib ClusterRole:
 
 ```bash
 kubectl patch ClusterRole katib-controller -n kubeflow --type=json \
-  -p='[{"op": "add", "path": "/rules/-", "value": {"apiGroups":["argoproj.io"],"resources":["workflows"],"verbs":["*"]}}]'
+  -p='[{"op": "add", "path": "/rules/-", "value": {"apiGroups":["argoproj.io"],"resources":["workflows"],"verbs":["get", "list", "watch", "create", "delete"]}}]'
 ```
 
 In addition to that, you have to modify Katib

examples/v1beta1/tekton/README.md

@@ -70,14 +70,18 @@ with the appropriate permission:
     - pipelineruns
     - taskruns
   verbs:
-    - "*"
+    - "get"
+    - "list"
+    - "watch"
+    - "create"
+    - "delete"
 ```
 
 Run the following command to update Katib ClusterRole:
 
 ```bash
 kubectl patch ClusterRole katib-controller -n kubeflow --type=json \
-  -p='[{"op": "add", "path": "/rules/-", "value": {"apiGroups":["tekton.dev"],"resources":["pipelineruns", "taskruns"],"verbs":["*"]}}]'
+  -p='[{"op": "add", "path": "/rules/-", "value": {"apiGroups":["tekton.dev"],"resources":["pipelineruns", "taskruns"],"verbs":["get", "list", "watch", "create", "delete"]}}]'
 ```
 
 In addition to that, you have to modify Katib

manifests/v1beta1/components/controller/rbac.yaml

@@ -7,39 +7,93 @@ rules:
   - apiGroups:
       - ""
     resources:
-      - configmaps
-      - serviceaccounts
       - services
+    verbs:
+      - "get"
+      - "list"
+      - "watch"
+      - "create"
+      - "delete"
+  - apiGroups:
+      - ""
+    resources:
       - events
-      - namespaces
+    verbs:
+      - "create"
+      - "patch"
+      - "update"
+  - apiGroups:
+      - ""
+    resources:
+      - serviceaccounts
       - persistentvolumes
       - persistentvolumeclaims
+    verbs:
+      - "get"
+      - "list"
+      - "watch"
+      - "create"
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+      - configmaps
+    verbs:
+      - "get"
+      - "list"
+      - "watch"
+  - apiGroups:
+      - ""
+    resources:
       - pods
-      - pods/log
       - pods/status
-      - secrets
     verbs:
-      - "*"
+      - "get"
   - apiGroups:
       - apps
     resources:
       - deployments
     verbs:
-      - "*"
+      - "get"
+      - "list"
+      - "watch"
+      - "create"
+      - "delete"
   - apiGroups:
       - rbac.authorization.k8s.io
     resources:
       - roles
       - rolebindings
     verbs:
-      - "*"
+      - "get"
+      - "create"
+      - "list"
+      - "watch"
   - apiGroups:
       - batch
     resources:
       - jobs
       - cronjobs
     verbs:
-      - "*"
+      - "get"
+      - "list"
+      - "watch"
+      - "create"
+      - "delete"
+  - apiGroups:
+      - kubeflow.org
+    resources:
+      - tfjobs
+      - pytorchjobs
+      - mpijobs
+      - xgboostjobs
+      - mxjobs
+    verbs:
+      - "get"
+      - "list"
+      - "watch"
+      - "create"
+      - "delete"
   - apiGroups:
       - kubeflow.org
     resources:
@@ -52,11 +106,6 @@ rules:
       - suggestions
       - suggestions/status
       - suggestions/finalizers
-      - tfjobs
-      - pytorchjobs
-      - mpijobs
-      - xgboostjobs
-      - mxjobs
     verbs:
       - "*"
 ---