From 632c1d11cce0857a8d4dab468f3a70a731b65094 Mon Sep 17 00:00:00 2001 From: Dean Roehrich Date: Mon, 15 Jul 2024 10:13:32 -0500 Subject: [PATCH] Add a WLM ClusterRole that can also access some NNF resources (#180) When access to NNF resources is desired, then the WLM would use this ClusterRole rather than the one provided by DWS. Signed-off-by: Dean Roehrich --- docs/guides/rbac-for-users/readme.md | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/docs/guides/rbac-for-users/readme.md b/docs/guides/rbac-for-users/readme.md index 280aeb8..0d2b114 100644 --- a/docs/guides/rbac-for-users/readme.md +++ b/docs/guides/rbac-for-users/readme.md @@ -133,9 +133,11 @@ DataWorkflowServices has already defined the role to be used with WLMs, named `d kubectl get clusterrole dws-workload-manager ``` -Create and apply a ClusterRoleBinding to associate the "flux" user with the `dws-workload-manager` ClusterRole: +If the "flux" user requires only the normal WLM permissions, then create and apply a ClusterRoleBinding to associate the "flux" user with the `dws-workload-manager` ClusterRole. -ClusterRoleBinding +The `dws-workload-manager role is defined in [workload_manager_role.yaml](https://github.com/DataWorkflowServices/dws/blob/master/config/rbac/workload_manager_role.yaml). + +ClusterRoleBinding for WLM permissions only: ```yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -151,4 +153,24 @@ roleRef: apiGroup: rbac.authorization.k8s.io ``` +If the "flux" user requires the normal WLM permissions as well as some of the NNF permissions, perhaps to collect some NNF resources for debugging, then create and apply a ClusterRoleBinding to associate the "flux" user with the `nnf-workload-manager` ClusterRole. + +The `nnf-workload-manager` role is defined in [workload_manager_nnf_role.yaml](https://github.com/NearNodeFlash/nnf-sos/blob/master/config/rbac/workload_manager_nnf_role.yaml). + +ClusterRoleBinding for WLM and NNF permissions: +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: flux +subjects: +- kind: User + name: flux + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: nnf-workload-manager + apiGroup: rbac.authorization.k8s.io +``` + The WLM should then use the kubeconfig file associated with this "flux" user to access the DataWorkflowServices API and the Rabbit system.
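Review bot: The inline code span in the first hunk's added line "+The `dws-workload-manager role is defined in [workload_manager_role.yaml]..." is never closed, because the backtick after dws-workload-manager is missing, so the rendered page will show a stray backtick or run the code formatting into the following text. Suggest "The `dws-workload-manager` role is defined in", matching the form the second hunk uses for `nnf-workload-manager`. Both role links point at the master branch, so the definition a reader sees may drift from the release they have deployed; linking to a tagged version would keep the guide and the role in step.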
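Review bot: The second hunk's new binding is created with "name: flux" under metadata, but the text never says that it is an alternative to the WLM-only binding rather than something applied on top of it. Kubernetes does not allow roleRef to be changed on an existing ClusterRoleBinding, so a reader who has already applied a binding with that name pointing at `dws-workload-manager` will get an error until the old binding is deleted. Either state the delete-and-recreate step or give this binding a distinct name. The paragraph also describes the extra access only as "some of the NNF permissions, perhaps to collect some NNF resources for debugging". Since this is a cluster-wide grant broader than the WLM default, the guide should say which NNF resources and verbs the role adds, or at least tell the reader to review workload_manager_nnf_role.yaml before binding it, and recommend the `dws-workload-manager` binding when NNF access is not needed.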