mathew: 1

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>

Signed-off-by: Andy Stoneberg <astonebe@redhat.com>

Author: thesuperzapper

workspaces/backend/manifests/kustomize/base/kustomization.yaml

@@ -13,4 +13,9 @@ resources:
 labels:
 - includeSelectors: true
   pairs:
-    app.kubernetes.io/component: api
+    app.kubernetes.io/component: api
+
+images:
+- name: workspaces-backend
+  newName: ghcr.io/kubeflow/notebooks/workspaces-backend
+  newTag: latest

workspaces/controller/internal/controller/workspacekind_controller.go

@@ -48,7 +48,7 @@ type WorkspaceKindReconciler struct {
 	Scheme *runtime.Scheme
 }
 
-// +kubebuilder:rbac:groups=kubeflow.org,resources=workspacekinds,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=kubeflow.org,resources=workspacekinds,verbs=create;delete;get;list;patch;update;watch
 // +kubebuilder:rbac:groups=kubeflow.org,resources=workspacekinds/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=kubeflow.org,resources=workspacekinds/finalizers,verbs=update
 // +kubebuilder:rbac:groups=kubeflow.org,resources=workspaces,verbs=get;list;watch

workspaces/controller/manifests/kustomize/base/crd/kustomization.yaml

@@ -1,3 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
 # This kustomization.yaml is not intended to be run by itself,
 # since it depends on service name and namespace that are out of this kustomize package.
 # It should be run by manifests/kustomize/base
@@ -19,8 +22,5 @@ patches:
 - path: workspacekinds_cainjection_patch.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 
-# [WEBHOOK] To enable webhook, uncomment the following section
-# the following config is for teaching kustomize how to do kustomization for CRDs.
-
 configurations:
 - kustomizeconfig.yaml

workspaces/controller/manifests/kustomize/base/kustomization.yaml

@@ -1,3 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
 # Adds namespace to all resources.
 namespace: kubeflow-workspaces
 

workspaces/controller/manifests/kustomize/base/manager/kustomization.yaml

@@ -1,26 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+
 resources:
-- namespace.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
 - manager.yaml
-# All RBAC will be applied under this service account in
-# the deployment namespace. You may comment out this resource
-# if your manager will use a service account that exists at
-# runtime. Be sure to update RoleBinding and ClusterRoleBinding
-# subjects if changing service account names.
-- service_account.yaml
+- namespace.yaml
 - role.yaml
 - role_binding.yaml
-- leader_election_role.yaml
-- leader_election_role_binding.yaml
-# For each CRD, "Editor" and "Viewer" roles are scaffolded by
-# default, aiding admins in cluster management. Those roles are
-# not used by the Project itself. You can comment the following lines
-# if you do not want those helpers be installed with your Project.
-- workspacekind_editor_role.yaml
-- workspacekind_viewer_role.yaml
-- workspace_editor_role.yaml
-- workspace_viewer_role.yaml
+- service_account.yaml
+- user_cluster_roles.yaml
 
 labels:
 - includeSelectors: true

workspaces/controller/manifests/kustomize/base/manager/user_cluster_roles.yaml

@@ -0,0 +1,51 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubeflow-workspaces-admin
+  labels:
+    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
+aggregationRule:
+  clusterRoleSelectors:
+  - matchLabels:
+      rbac.authorization.kubeflow.org/aggregate-to-kubeflow-workspaces-admin: "true"
+rules: []
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubeflow-workspaces-edit
+  labels:
+    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
+    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-workspaces-admin: "true"
+rules:
+- apiGroups:
+  - kubeflow.org
+  resources:
+  - workspaces
+  - workspaces/status
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubeflow-workspaces-view
+  labels:
+    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
+rules:
+- apiGroups:
+  - kubeflow.org
+  resources:
+  - workspaces
+  - workspaces/status
+  verbs:
+  - get
+  - list
+  - watch