From 63479be2fd8ee35d4784b46f8fbbc55a45f25e35 Mon Sep 17 00:00:00 2001 From: Andrew Sy Kim Date: Tue, 26 Nov 2024 23:02:09 +0000 Subject: [PATCH] add sample RayCluster using kube-rbac-proxy for dashboard access control Signed-off-by: Andrew Sy Kim --- .../config/samples/ray-cluster.auth.yaml | 133 ++++++++++++++++++ 1 file changed, 133 insertions(+) create mode 100644 ray-operator/config/samples/ray-cluster.auth.yaml diff --git a/ray-operator/config/samples/ray-cluster.auth.yaml b/ray-operator/config/samples/ray-cluster.auth.yaml new file mode 100644 index 0000000000..1c71f82db9 --- /dev/null +++ b/ray-operator/config/samples/ray-cluster.auth.yaml @@ -0,0 +1,133 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: kube-rbac-proxy +data: + config-file.yaml: |+ + authorization: + resourceAttributes: + namespace: default + apiVersion: ray.io/v1 + resource: rayclusters + name: ray-cluster-with-auth +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kube-rbac-proxy +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kube-rbac-proxy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kube-rbac-proxy +subjects: +- kind: ServiceAccount + name: kube-rbac-proxy + namespace: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kube-rbac-proxy +rules: +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: ["create"] +- apiGroups: ["authorization.k8s.io"] + resources: + - subjectaccessreviews + verbs: ["create"] +--- +apiVersion: ray.io/v1 +kind: RayCluster +metadata: + name: ray-cluster-with-auth +spec: + headGroupSpec: + rayStartParams: + dashboard-host: '127.0.0.1' + dashboard-port: '8443' + template: + metadata: + spec: + serviceAccountName: kube-rbac-proxy + containers: + - name: ray-head + image: rayproject/ray:2.39.0 + ports: + - containerPort: 6379 + name: gcs + - containerPort: 8265 + name: dashboard + - containerPort: 10001 + name: client + resources: + limits: + cpu: "2" + memory: "4Gi" + requests: + cpu: "2" + memory: "4Gi" + readinessProbe: + exec: + command: + - bash + - -c + - wget -T 2 -q -O- http://localhost:52365/api/local_raylet_healthz | grep + success && wget -T 10 -q -O- http://localhost:8443/api/gcs_healthz | grep + success + failureThreshold: 10 + initialDelaySeconds: 10 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + exec: + command: + - bash + - -c + - wget -T 2 -q -O- http://localhost:52365/api/local_raylet_healthz | grep + success && wget -T 10 -q -O- http://localhost:8443/api/gcs_healthz | grep + success + failureThreshold: 120 + initialDelaySeconds: 30 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 2 + - name: kube-rbac-proxy + image: quay.io/brancz/kube-rbac-proxy:v0.18.1 + args: + - "--insecure-listen-address=0.0.0.0:8265" + - "--upstream=http://127.0.0.1:8443/" + - "--logtostderr=true" + volumeMounts: + - name: config + mountPath: /etc/kube-rbac-proxy + volumes: + - name: config + configMap: + name: kube-rbac-proxy + workerGroupSpecs: + - replicas: 2 + minReplicas: 1 + maxReplicas: 5 + groupName: worker-group + rayStartParams: {} + template: + spec: + containers: + - name: ray-worker + image: rayproject/ray:2.39.0 + resources: + limits: + cpu: 1 + memory: "4Gi" + requests: + cpu: 1 + memory: "4Gi"