Understanding Cluster Access Roles

Run:AI has the ability to work under restrictive Kubernetes environments. Namely:

You can enable these restricted environments by setting the pspEnabled or openshift configuration flags in the Helm values file before installing the Run:AI cluster.

Other configuration flags control specific behavioral aspects of Run:AI, specifically those that require additional permissions, such as automatic namespace/project creation, secret propagation, and more.

The purpose of this document is to provide security officers with the ability to review what cluster-wide access Run:AI requires, and verify that it is in line with organizational policy, before installing the Run:AI cluster.

Review Cluster Access Roles

If you have not done so before, run:

helm repo add runai https://run-ai-charts.storage.googleapis.com
helm repo update

Then run:

helm pull runai/runai-cluster --untar
cd runai-cluster/templates

Following is a description of some of the relevant files:

| Folder | File | Purpose |
|---|---|---|
| clusterroles | base.yaml | Mandatory Kubernetes Cluster Roles and Cluster Role Bindings |
| clusterroles | project-controller-ns-creation-and-user-auth.yaml | Automatic Project creation and maintenance. Provides Run:AI with the ability to create Kubernetes namespaces when the Run:AI administrator creates new Projects. Can be controlled via flag. |
| clusterroles | project-controller-cluster-wide-secrets.yaml | Allows the propagation of Secrets. See Secrets in Jobs. Can be controlled via flag. |
| clusterroles | project-controller-limit-range | Disables the usage of the Kubernetes Limit Range feature |
| ocp | scc.yaml | OpenShift-specific Security Contexts |
| priorityclasses | 4 files | Folder contains a list of Priority Classes used by Run:AI |
| psp | baseline-psp.yaml | A subset of the Kubernetes baseline PodSecurityPolicy |
| psp | nvidia-psp.yaml | Required for NVIDIA components |
| psp | runai-container-toolkit-psp.yaml | Required for Run:AI GPU Fractions technology. Can be controlled via flag. |
| psp | runai-user-psp.yaml | Required for user workloads. Extends the Kubernetes baseline PodSecurityPolicy for Run:AI GPU Fractions technology. Can be controlled via flag. |
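To turn the review above into a repeatable check, here is an added example script that is not part of the Run:AI chart or its documentation: it runs the helm steps from this page and then scans the ClusterRole manifests under templates/clusterroles, listing every rule that grants a wildcard apiGroup, resource or verb, which are the grants a security officer will want to look at first. The --fetch flag, the audit_clusterroles function and its output format are constructed for this example; role names in the real templates may appear as Helm expressions rather than literal strings.

```shell
#!/bin/sh
# Added example (not Run:AI's own tooling): pull the runai-cluster chart as the
# page describes, then list each ClusterRole rule entry that is a wildcard ("*")
# apiGroup, resource or verb, so a reviewer can focus on the broadest grants.
set -eu

# Step 1 of the page: fetch the chart templates (needs helm and network access).
fetch_chart() {
  helm repo add runai https://run-ai-charts.storage.googleapis.com
  helm repo update
  helm pull runai/runai-cluster --untar
}

# Print "role<TAB>field<TAB>*" for every wildcard entry in the ClusterRole
# manifests given as arguments. Handles block lists (- "*") and flow lists
# (verbs: ["*"]). Assumes kind: precedes metadata:, as in the chart templates.
audit_clusterroles() {
  awk '
    /^---/        { kind = ""; name = ""; field = ""; inmeta = 0 }
    /^kind:/      { kind = $2 }
    /^metadata:/  { inmeta = 1 }
    inmeta && /^[ \t]+name:/ { name = $2; inmeta = 0 }
    kind != "ClusterRole" { next }          # bindings and other kinds are skipped
    /^[ \t]*-?[ \t]*[A-Za-z]+:/ { field = "" }   # any other key ends the current list
    /^[ \t]*-?[ \t]*(apiGroups|resources|verbs):/ {
      field = $0
      sub(/^[ \t]*-?[ \t]*/, "", field); sub(/:.*/, "", field)
      if ($0 ~ /\[.*\*.*\]/) printf "%s\t%s\t*\n", name, field   # flow list
      next
    }
    field != "" && /^[ \t]*-[ \t]*.?\*.?[ \t]*$/ {
      printf "%s\t%s\t*\n", name, field                          # block list item
    }
  ' "$@"
}

# Usage: sh audit.sh --fetch   (pull the chart, then audit its clusterroles folder)
if [ "${1:-}" = "--fetch" ]; then
  fetch_chart
  audit_clusterroles runai-cluster/templates/clusterroles/*.yaml
fi
```

Without --fetch the script only defines the functions, so you can source it and run audit_clusterroles against any ClusterRole manifests you already have on disk.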

Last update: April 28, 2021