Configuring role-based permissions
The following procedures provide information about how you can configure role-based access control (RBAC) for your Red Hat build of Kueue deployment. These RBAC permissions determine which types of users can create which types of Red Hat build of Kueue objects.
Cluster roles
The Red Hat build of Kueue Operator deploys kueue-batch-admin-role and kueue-batch-user-role cluster roles by default.
- kueue-batch-admin-role
-
This cluster role includes the permissions to manage cluster queues, local queues, workloads, and resource flavors.
- kueue-batch-user-role
-
This cluster role includes the permissions to manage jobs and to view local queues and workloads.
Configuring permissions for batch administrators
You can configure permissions for batch administrators by binding the kueue-batch-admin-role cluster role to a user or group of users.
-
The Red Hat build of Kueue Operator is installed on your cluster.
-
You have cluster administrator permissions.
-
You have installed the OpenShift CLI (
oc).
-
Create a
ClusterRoleBindingobject as a YAML file:ExampleClusterRoleBindingobjectapiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kueue-admins subjects: - kind: User name: admin@example.com apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: kueue-batch-admin-role apiGroup: rbac.authorization.k8s.io- Provide a name for the
ClusterRoleBindingobject. - Add details about which user or group of users you want to provide user permissions for.
- Add details about the
kueue-batch-admin-rolecluster role.
- Provide a name for the
-
Apply the
ClusterRoleBindingobject:$ oc apply -f <filename>.yaml
-
You can verify that the
ClusterRoleBindingobject was applied correctly by running the following command and verifying that the output contains the correct information for thekueue-batch-admin-rolecluster role:$ oc describe clusterrolebinding.rbacExample output... Name: kueue-batch-admin-role Labels: app.kubernetes.io/name=kueue Annotations: <none> Role: Kind: ClusterRole Name: kueue-batch-admin-role Subjects: Kind Name Namespace ---- ---- --------- User admin@example.com admin-namespace ...
Configuring permissions for users
You can configure permissions for Red Hat build of Kueue users by binding the kueue-batch-user-role cluster role to a user or group of users.
-
The Red Hat build of Kueue Operator is installed on your cluster.
-
You have cluster administrator permissions.
-
You have installed the OpenShift CLI (
oc).
-
Create a
RoleBindingobject as a YAML file:ExampleClusterRoleBindingobjectapiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: kueue-users namespace: user-namespace subjects: - kind: Group name: team-a@example.com apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: kueue-batch-user-role apiGroup: rbac.authorization.k8s.io- Provide a name for the
RoleBindingobject. - Add details about which namespace the
RoleBindingobject applies to. - Add details about which user or group of users you want to provide user permissions for.
- Add details about the
kueue-batch-user-rolecluster role.
- Provide a name for the
-
Apply the
RoleBindingobject:$ oc apply -f <filename>.yaml
-
You can verify that the
RoleBindingobject was applied correctly by running the following command and verifying that the output contains the correct information for thekueue-batch-user-rolecluster role:$ oc describe rolebinding.rbacExample output... Name: kueue-users Labels: app.kubernetes.io/name=kueue Annotations: <none> Role: Kind: ClusterRole Name: kueue-batch-user-role Subjects: Kind Name Namespace ---- ---- --------- Group team-a@example.com user-namespace ...