ray-project / kuberay

A toolkit to run Ray applications on Kubernetes
Apache License 2.0
1.3k stars 415 forks

[Bug] What's minimum permission set for kuberay-operator? #2213

Open xubo245 opened 4 months ago

xubo245 commented 4 months ago

Search before asking

KubeRay Component

ray-operator

What happened + What you expected to happen

We can find many k8s permissions on kuberay-operator: https://github.com/ray-project/kuberay/blob/master/helm-chart/kuberay-operator/templates/role.yaml

More permissions, more insecure. So what's the minimum permission set for kuberay-operator?

Reproduction script

question

Anything else

question

Are you willing to submit a PR?

xubo245 commented 4 months ago

@anyscalesam

andrewsykim commented 4 months ago

@vinayakankugoyal are you aware of any tools we can use to determine the minimum set of permissions? Otherwise, I think it'll involve a manual review of the code to determine the minimum set of permissions for a functional kuberay (some permissions are not strictly needed).

vinayakankugoyal commented 4 months ago

One way to determine this would be to use the Kubernetes audit logs. There is one tool that exists which can do this: https://github.com/liggitt/audit2rbac
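
Added example, not part of the thread and not code from audit2rbac or KubeRay: the audit-log approach suggested in the last comment, shown as a small Python function that reduces `audit.k8s.io/v1` events for one identity to RBAC-style rules. The service account name, its namespace and the sample events are constructed assumptions.

```python
import json
from collections import defaultdict

# Assumed identity of the operator's service account (namespace and name are hypothetical).
OPERATOR = "system:serviceaccount:ray-system:kuberay-operator"

# Constructed audit events, one JSON object per line as in an API server audit log file.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","user":{"username":"system:serviceaccount:ray-system:kuberay-operator"},"verb":"list","objectRef":{"resource":"rayclusters","apiGroup":"ray.io"}}
{"kind":"Event","user":{"username":"system:serviceaccount:ray-system:kuberay-operator"},"verb":"watch","objectRef":{"resource":"rayclusters","apiGroup":"ray.io"}}
{"kind":"Event","user":{"username":"system:serviceaccount:ray-system:kuberay-operator"},"verb":"create","objectRef":{"resource":"pods","namespace":"default"}}
{"kind":"Event","user":{"username":"system:serviceaccount:ray-system:kuberay-operator"},"verb":"list","objectRef":{"resource":"pods","namespace":"default"}}
{"kind":"Event","user":{"username":"system:serviceaccount:ray-system:kuberay-operator"},"verb":"update","objectRef":{"resource":"rayclusters","apiGroup":"ray.io","subresource":"status"}}
{"kind":"Event","user":{"username":"system:node:node-1"},"verb":"get","objectRef":{"resource":"pods","namespace":"default"}}
{"kind":"Event","user":{"username":"system:serviceaccount:ray-system:kuberay-operator"},"verb":"get","requestURI":"/healthz"}
{"kind":"Event","user":{"username":"system:serviceacc
"""

def rules_from_audit(lines, username):
    """Aggregate one user's audited requests into RBAC PolicyRule-shaped dicts."""
    verbs_by_target = defaultdict(set)
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line, e.g. cut off by log rotation
        ref = event.get("objectRef")
        if event.get("user", {}).get("username") != username or not ref:
            continue  # another identity, or a non-resource URL such as /healthz
        resource = ref.get("resource", "")
        if ref.get("subresource"):
            resource += "/" + ref["subresource"]  # RBAC names subresources as resource/sub
        # apiGroup is omitted for the core group, which RBAC writes as "".
        verbs_by_target[(ref.get("apiGroup", ""), resource)].add(event["verb"])
    # Merge resources of one API group that ended up with the same verb set.
    merged = defaultdict(set)
    for (group, resource), verbs in verbs_by_target.items():
        merged[(group, tuple(sorted(verbs)))].add(resource)
    return [{"apiGroups": [group], "resources": sorted(resources), "verbs": list(verbs)}
            for (group, verbs), resources in sorted(merged.items())]

if __name__ == "__main__":
    for rule in rules_from_audit(SAMPLE_AUDIT_LOG.splitlines(), OPERATOR):
        print(json.dumps(rule))
```

The derived rules only cover API calls made while auditing was enabled, so every operator feature in use has to be exercised during the capture before the result is compared against `role.yaml`.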