Add a WLM ClusterRole that can also access some NNF resources

When access to NNF resources is desired, then the WLM would use this ClusterRole rather than the one provided by DWS. Signed-off-by: Dean Roehrich <[email protected]>
NearNodeFlash · Jul 11, 2024 · ef975b2 · ef975b2
1 parent e89996d
commit ef975b2
Showing 1 changed file with 20 additions and 2 deletions.
diff --git a/docs/guides/rbac-for-users/readme.md b/docs/guides/rbac-for-users/readme.md
@@ -133,9 +133,9 @@ DataWorkflowServices has already defined the role to be used with WLMs, named `d
 kubectl get clusterrole dws-workload-manager
 ```
 
-Create and apply a ClusterRoleBinding to associate the "flux" user with the `dws-workload-manager` ClusterRole:
+If the "flux" user requires only the normal WLM permissions, then create and apply a ClusterRoleBinding to associate the "flux" user with the `dws-workload-manager` ClusterRole.
 
-ClusterRoleBinding
+ClusterRoleBinding for WLM permissions only:
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -151,4 +151,22 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
 ```
 
+If the "flux" user requires the normal WLM permissions as well as some of the NNF permissions, then create and apply a ClusterRoleBinding to associate the "flux" user with the `nnf-workload-manager` ClusterRole.
+
+ClusterRoleBinding for WLM and NNF permissions:
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: flux
+subjects:
+- kind: User
+  name: flux
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: nnf-workload-manager
+  apiGroup: rbac.authorization.k8s.io
+```
+
 The WLM should then use the kubeconfig file associated with this "flux" user to access the DataWorkflowServices API and the Rabbit system.