From 52ed42635f6bf0f21169cb9b2e4e1eb76bc2510a Mon Sep 17 00:00:00 2001
From: Qstar
Date: Tue, 11 Feb 2020 03:03:15 +0800
Subject: [PATCH] add role rbac and add add guide (#7091)
---
 deploy/ray-operator/README.md | 27 +++++--
 deploy/ray-operator/config/rbac/role.yaml | 76 +++++++++++++++++++
 .../controllers/raycluster_controller.go | 1 +
 deploy/ray-operator/go.mod | 1 -
 4 files changed, 96 insertions(+), 9 deletions(-)
 create mode 100644 deploy/ray-operator/config/rbac/role.yaml
diff --git a/deploy/ray-operator/README.md b/deploy/ray-operator/README.md
index 5423101e6..172913228 100644
--- a/deploy/ray-operator/README.md
+++ b/deploy/ray-operator/README.md
@@ -115,28 +115,39 @@ Below gives a guide for user to submit RayCluster step by step:
 kustomize build config/crd | kubectl apply -f -
 ```
-### Deploy controller in the configured Kubernetes cluster in ~/.kube/config
-* For this version controller will run in system namespace, which maybe can't be tolerated in production.
-* We will add more detailed RBAC file to control the namespace used in production, and the controller will run in that namespace to control the permission.
-* Also we will provide the more detailed guide for user to run in a controlled way.
+### Build manager docker image
+View Makefile for more command and info.
+```shell script
+make docker-build
+```
+
+### Push manager docker image to some docker repo
+View Makefile for more command and info.
+```shell script
+make docker-push
+```
+
+### Deploy the controller in the configured Kubernetes cluster in ~/.kube/config
+* For this version controller will run in ray-operator-system namespace, which maybe can't be tolerated in production.
+* We will add more detailed RBAC file to control the namespace used in production, and the controller will run in that namespace to control the permission.
+* Also, we will provide the more detailed guide for user to run in a controlled way.
 ```shell script
-cd config/manager
 kustomize build config/default | kubectl apply -f -
 ```
 ### Submit RayCluster to Kubernetes
 ```shell script
-kubectl create -f config/samples/ray_v1_raycluster.mini.yaml
+kubectl create -f config/samples/ray_v1_raycluster.mini.yaml -n ray-operator-system
 ```
 ### Apply RayCluster to Kubernetes
 ```shell script
-kubectl apply -f config/samples/ray_v1_raycluster.mini.yaml
+kubectl apply -f config/samples/ray_v1_raycluster.mini.yaml -n ray-operator-system
 ```
 ### Delete RayCluster to Kubernetes
 ```shell script
-kubectl delete -f config/samples/ray_v1_raycluster.mini.yaml
+kubectl delete -f config/samples/ray_v1_raycluster.mini.yaml -n ray-operator-system
 ```
 ### Build with bazel
diff --git a/deploy/ray-operator/config/rbac/role.yaml b/deploy/ray-operator/config/rbac/role.yaml
new file mode 100644
index 000000000..6267929c4
--- /dev/null
+++ b/deploy/ray-operator/config/rbac/role.yaml
@@ -0,0 +1,76 @@
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: manager-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ray.io
+ resources:
+ - RayClusters
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ray.io
+ resources:
+ - RayClusters/status
+ verbs:
+ - get
+ - patch
+ - update
diff --git a/deploy/ray-operator/controllers/raycluster_controller.go b/deploy/ray-operator/controllers/raycluster_controller.go
index bf32eecca..88e4c3870 100644
--- a/deploy/ray-operator/controllers/raycluster_controller.go
+++ b/deploy/ray-operator/controllers/raycluster_controller.go
@@ -51,6 +51,7 @@ type RayClusterReconciler struct {
 // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=pods/status,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete
+
 func (r *RayClusterReconciler) Reconcile(request reconcile.Request) (reconcile.Result, error) {
 _ = r.Log.WithValues("raycluster", request.NamespacedName)
 log.Info("Reconciling RayCluster", "cluster name", request.Name)
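Review bot: In the new `config/rbac/role.yaml`, the two `ray.io` rules name the resource `RayClusters` and `RayClusters/status`; RBAC matches resource names as exact strings and a CRD's plural is lowercase, so these rules very likely do not grant the manager access to its own custom resource and should read `- rayclusters` and `- rayclusters/status`. The file looks generated (`creationTimestamp: null`), so the correction probably belongs in the `+kubebuilder:rbac` marker for `ray.io`, which is not among the markers visible in the controller hunk. The role is also a `ClusterRole` with every write verb on `pods`, `services` and `events`, while the README in this commit runs everything in `ray-operator-system`; if it is bound cluster-wide, a compromised manager could create or delete pods in any namespace, so a namespaced `Role`, or a `RoleBinding` to this role, would match the stated scope better. `create` and `delete` on `pods/status` and `delete` on `events` look unnecessary and can be dropped from the corresponding markers.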
diff --git a/deploy/ray-operator/go.mod b/deploy/ray-operator/go.mod
index d29838b52..f68ba60a7 100644
--- a/deploy/ray-operator/go.mod
+++ b/deploy/ray-operator/go.mod
@@ -7,7 +7,6 @@ require (
 github.com/go-logr/logr v0.1.0
 github.com/onsi/ginkgo v1.6.0
 github.com/onsi/gomega v1.4.2
- golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 // indirect
 k8s.io/api v0.0.0-20190918195907-bd6ac527cfd2
 k8s.io/apimachinery v0.0.0-20190817020851-f2f3a405f61d
 k8s.io/client-go v0.0.0-20190918200256-06eb1244587a