Support RBAC for ADDITIONAL_NAMESPACES and tighten up permissions

Signed-off-by: Kevin Klues <kklues@nvidia.com>

Author: klueska

deployments/helm/nvidia-dra-driver-gpu/templates/_helpers.tpl

@@ -138,3 +138,21 @@ Filter a list by a set of valid values
   {{- end }}
   {{- $result -}}
 {{- end -}}
+
+{{/*
+Get all namespaces (driver namespace + additional namespaces from environment variable)
+*/}}
+{{- define "nvidia-dra-driver-gpu.namespaces" -}}
+{{- $namespaces := list (include "nvidia-dra-driver-gpu.namespace" .) }}
+{{- if .Values.controller.containers.computeDomain.env }}
+{{- range .Values.controller.containers.computeDomain.env }}
+{{- if eq .name "ADDITIONAL_NAMESPACES" }}
+{{- if .value }}
+{{- $additionalNamespaces := splitList "," .value }}
+{{- $namespaces = concat $namespaces $additionalNamespaces }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- join "," $namespaces -}}
+{{- end -}}

deployments/helm/nvidia-dra-driver-gpu/templates/clusterrole.yaml

@@ -1,29 +1,31 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: compute-domain-daemon-service-account
-  namespace: {{ include "nvidia-dra-driver-gpu.namespace" . }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: compute-domain-daemon-role
-  namespace: {{ include "nvidia-dra-driver-gpu.namespace" . }}
 rules:
 - apiGroups: ["resource.nvidia.com"]
   resources: ["computedomains", "computedomains/status"]
   verbs: ["get", "list", "watch", "update", "patch"]
+
+{{- range $namespace := splitList "," (include "nvidia-dra-driver-gpu.namespaces" .) }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: compute-domain-daemon-service-account
+  namespace: {{ $namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: compute-domain-daemon-role-binding
-  namespace: {{ include "nvidia-dra-driver-gpu.namespace" . }}
+  name: compute-domain-daemon-role-binding-{{ $namespace }}
 subjects:
 - kind: ServiceAccount
   name: compute-domain-daemon-service-account
-  namespace: {{ include "nvidia-dra-driver-gpu.namespace" . }}
+  namespace: {{ $namespace }}
 roleRef:
   kind: ClusterRole
   name: compute-domain-daemon-role
-  apiGroup: rbac.authorization.k8s.io 
+  apiGroup: rbac.authorization.k8s.io
+{{- end }} 

deployments/helm/nvidia-dra-driver-gpu/templates/clusterrolebinding.yaml

@@ -0,0 +1,81 @@
+{{- if .Values.serviceAccount.create -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "nvidia-dra-driver-gpu.name" . }}-clusterrole
+rules:
+- apiGroups: ["resource.nvidia.com"]
+  resources: ["computedomains"]
+  verbs: ["get", "list", "watch", "update"]
+- apiGroups: ["resource.nvidia.com"]
+  resources: ["computedomains/status"]
+  verbs: ["update"]
+- apiGroups: ["resource.k8s.io"]
+  resources: ["resourceclaims"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["resource.k8s.io"]
+  resources: ["resourceclaimtemplates"]
+  verbs: ["get", "list", "watch", "create", "update", "delete"]
+- apiGroups: ["resource.k8s.io"]
+  resources: ["resourceslices"]
+  verbs: ["get", "list", "watch", "create", "update", "delete"]
+- apiGroups: ["resource.k8s.io"]
+  resources: ["resourceclaims/status"]
+  verbs: ["update"]
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get", "list", "watch", "update"]
+
+{{- range $namespace := splitList "," (include "nvidia-dra-driver-gpu.namespaces" .) }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "nvidia-dra-driver-gpu.serviceAccountName" $ }}
+  namespace: {{ $namespace }}
+  labels:
+    {{- include "nvidia-dra-driver-gpu.labels" $ | nindent 4 }}
+  {{- with $.Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "nvidia-dra-driver-gpu.name" $ }}-role
+  namespace: {{ $namespace }}
+rules:
+- apiGroups: ["apps"]
+  resources: ["daemonsets", "deployments"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "nvidia-dra-driver-gpu.name" $ }}-role-binding
+  namespace: {{ $namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "nvidia-dra-driver-gpu.serviceAccountName" $ }}
+    namespace: {{ include "nvidia-dra-driver-gpu.namespace" $ }}
+roleRef:
+  kind: Role
+  name: {{ include "nvidia-dra-driver-gpu.name" $ }}-role
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "nvidia-dra-driver-gpu.name" $ }}-clusterrole-binding-{{ $namespace }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "nvidia-dra-driver-gpu.serviceAccountName" $ }}
+  namespace: {{ $namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "nvidia-dra-driver-gpu.name" $ }}-clusterrole
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}