test-2 cluster needs github teams for access (kruize gpu trigger)

[schwesig]

MUST, urgent (kruize gpu project)

• [x] find name for github admin team (idea nerc-test-2-admins)
  • [x] https://github.com/orgs/OCP-on-NERC/teams/kruize-admins
  • [x] kruize-admins
• [x] create github team admins for test-2
• [x] set roles in test-2 cluster
• [x] add members to it (see below)
• [ ] check sync

SHOULD (maybe new issue if not decided in this sprint)

• [ ] decide on 1 or 2 more teams (users, metrics?)
• [ ] decide on names
• [ ] create github teams
• [ ] set roles in test-cluster

/CC @larsks @computate @schwesig @tssala23 @hpdempsey

---

Right now, we don't have dedicated team(s) for the test-2 cluster. https://console-openshift-console.apps.nerc-ocp-test-2.nerc.mghpcc.org/

The current usecase (kruize GPU), and most likely future projects, will need rights, but separated from the infra and and other clusters. Therefore we need new teams for access.

Most urgent right now: to get this current project on board, with admin rights. Naming idea:

1. nerc-test-2-admins

for future teams I guess

2. nerc-test-2-logs-metrics
3. nerc-test-2-people

Next steps, focus on admins first, to run the kruize GPU project as quick as possible:

• [x] Feedback about naming
• [x] If the naming for admins is decided
  • [x] create new team https://github.com/orgs/OCP-on-NERC/teams (@larsks @joachimweyl ...)
  • [x] add group to test-2 user roles (@tssala23 with PR)
  • [x] add to team admin
  • [x] @rebeccaSimmonds19
  • [x] @dinogun
  • [x] @shekhar316
  • [x] Bharath Appali @bharathappali abharath@redhat.com
  • [x] Bhanvi Menghani @bhanvimenghani bmenghan@redhat.com
  • [x] Kusuma Chalasani @kusumachalasani kchalasa@redhat.com
• [ ] decide on additional needed teams?

help for https://github.com/nerc-project/operations/issues/624

[tssala23]

What would be the exact roles assigned to the new team? Or maybe a better question is how would they differ from the roles applied to the nerc-ops team?

- ../../base/rbac.authorization.k8s.io/clusterrolebindings/nerc-ops
- ../../base/rbac.authorization.k8s.io/clusterroles/nerc-ops
- ../../base/rbac.authorization.k8s.io/clusterroles/nerc-ops-pod-exec
- ../../base/rbac.authorization.k8s.io/clusterroles/nerc-ops-portforward
- ../../base/rbac.authorization.k8s.io/clusterroles/nerc-ops-secrets-reader
- ../../base/rbac.authorization.k8s.io/clusterroles/nerc-ops-sudoer
- ../../base/rbac.authorization.k8s.io/clusterroles/nerc-ops-monitoring

/CC @larsks

[shekhar316]

Hi @schwesig ,

In addition to @dinogun, @rebeccaSimmonds19, and @shekhar316, please grant admin access to the following three users also:

• Bharath Appali @bharathappali abharath@redhat.com
• Bhanvi Menghani @bhanvimenghani bmenghan@redhat.com
• Kusuma Chalasani @kusumachalasani kchalasa@redhat.com

[schwesig]

@tssala23 @larsks

What would be the exact roles assigned to the new team? Or maybe a better question is how would they differ from the roles applied to the nerc-ops team?

what information do you need to decide?

[larsks]

I have created the team kruize-admins and invited everyone listed in this issue.

[larsks]

@tssala23 you will need to create a new ClusterRoleBinding that binds the kruize-admins group to the nerc-ops ClusterRole. That is:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kruize-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nerc-ops
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: kruize-admins

You will also need to update the cluster OAuth resource to allow members of that team to log in:

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - github:
      teams:
      - ocp-on-nerc/nerc-ops
      - ocp-on-nerc/kruize-admins

[tssala23]

@larsks here is the PR for those changes. I created the ClusterRoleBinding inside the rbac dir in base, and added the team to the oauth by modifying the existing path in the overlay kustomization file.