Use corev1 for specifying resources, edit kf install RBAC

Author: d-gol

manifests/v1beta1/installs/katib-with-kubeflow/kubeflow-katib-roles.yaml

@@ -34,6 +34,18 @@ rules:
       - deletecollection
       - patch
       - update
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - list
+  - apiGroups:
+      - ""
+    resources:
+      - pods/log
+    verbs:
+      - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

pkg/new-ui/v1beta1/backend.go

@@ -605,7 +605,7 @@ func (k *KatibUIHandler) FetchTrialLogs(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	user, err = IsAuthorized(consts.ActionTypeList, namespace, "pods", "", "", schema.GroupVersion{Group: "apps", Version: "v1"}, k.katibClient.GetClient(), r)
+	user, err = IsAuthorized(consts.ActionTypeList, namespace, corev1.ResourcePods.String(), "", "", schema.GroupVersion{Group: "apps", Version: "v1"}, k.katibClient.GetClient(), r)
 	if user == "" && err != nil {
 		log.Printf("No user provided in kubeflow-userid header.")
 		http.Error(w, err.Error(), http.StatusUnauthorized)
@@ -638,13 +638,13 @@ func (k *KatibUIHandler) FetchTrialLogs(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	user, err = IsAuthorized(consts.ActionTypeGet, namespace, "pods", "log", podName, schema.GroupVersion{Group: "apps", Version: "v1"}, k.katibClient.GetClient(), r)
+	user, err = IsAuthorized(consts.ActionTypeGet, namespace, corev1.ResourcePods.String(), "log", podName, corev1.SchemeGroupVersion, k.katibClient.GetClient(), r)
 	if user == "" && err != nil {
 		log.Printf("No user provided in kubeflow-userid header.")
 		http.Error(w, err.Error(), http.StatusUnauthorized)
 		return
 	} else if err != nil {
-		log.Printf("The user: %s is not authorized to list pod logs: %s in namespace: %s \n", user, podName, namespace)
+		log.Printf("The user: %s is not authorized to get pod logs: %s in namespace: %s \n", user, podName, namespace)
 		http.Error(w, err.Error(), http.StatusForbidden)
 		return
 	}