本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 设置 Kubernetes 基于角色的访问控制
集群管理员用户还需要设置 [Kubernetes 基于角色的访问控制 (RBAC)](https://kubernetes.io/docs/reference/access-authn-authz/rbac/),以便数据科学家用户使用 CL [SageMaker HyperPod I](https://github.com/aws/sagemaker-hyperpod-cli) 在使用 Amazon EKS 编排的集群 HyperPod 上运行工作负载。
## 方案 1:使用 Helm 图表设置 RBAC
SageMaker HyperPod 服务团队提供了一个 Helm 子图表,用于设置 RBAC。要了解更多信息,请参阅[使用 Helm 在 Amazon EKS 集群上安装软件包](sagemaker-hyperpod-eks-install-packages-using-helm-chart.md)。
## 方案 2:手动设置 RBAC
创建具有最低权限的 `ClusterRole` 和 `ClusterRoleBinding`,并创建具有突变权限的 `Role` 和 `RoleBinding`。
**要为数据科学家创建 `ClusterRole` 和 `ClusterRoleBinding` IAM 角色**
创建集群级配置文件 `cluster_level_config.yaml`,如下所示。
```
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hyperpod-scientist-user-cluster-role
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["list"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: hyperpod-scientist-user-cluster-role-binding
subjects:
- kind: Group
name: hyperpod-scientist-user-cluster-level
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: hyperpod-scientist-user-cluster-role # this must match the name of the Role or ClusterRole you wish to bind to
apiGroup: rbac.authorization.k8s.io
```
将配置应用于 EKS 集群。
```
kubectl apply -f cluster_level_config.yaml
```
**在命名空间 RoleBinding 中创建角色和角色**
这是运行训练作业的命名空间训练操作程序,Resiliency 默认将对其进行监控。作业自动恢复只能在 `kubeflow` 名称空间或名称空间前缀 `aws-hyperpod` 中进行。
创建角色配置文件 `namespace_level_role.yaml`,如下所示。该示例在 `kubeflow` 命名空间中创建了角色
```
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: kubeflow
name: hyperpod-scientist-user-namespace-level-role
###
# 1) add/list/describe/delete pods
# 2) get/list/watch/create/patch/update/delete/describe kubeflow pytroch job
# 3) get pod log
###
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["create", "get"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["get", "create"]
- apiGroups: ["kubeflow.org"]
resources: ["pytorchjobs", "pytorchjobs/status"]
verbs: ["get", "list", "create", "delete", "update", "describe"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "update", "get", "list", "delete"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "get", "list", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
namespace: kubeflow
name: hyperpod-scientist-user-namespace-level-role-binding
subjects:
- kind: Group
name: hyperpod-scientist-user-namespace-level
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: hyperpod-scientist-user-namespace-level-role # this must match the name of the Role or ClusterRole you wish to bind to
apiGroup: rbac.authorization.k8s.io
```
将配置应用于 EKS 集群。
```
kubectl apply -f namespace_level_role.yaml
```
## 为 Kubernetes 组创建访问条目
使用上述两个选项之一设置 RBAC 后,使用以下示例命令替换必要信息。
```
aws eks create-access-entry \
--cluster-name \
--principal-arn arn:aws:iam:::role/ScientistUserRole \
--kubernetes-groups '["hyperpod-scientist-user-namespace-level","hyperpod-scientist-user-cluster-level"]'
```
对于 `principal-arn` 参数,您需要使用 [科学家的 IAM 用户](sagemaker-hyperpod-prerequisites-iam.md#sagemaker-hyperpod-prerequisites-iam-cluster-user)。