fix(scheduler): Uses ClusterRole for TokenReview and SAR resources

[israel-hdez]

What this PR does / why we need it:

The llm-d scheduler uses cluster-scoped TokenReviews and SubjectAccessReview resources to validate for access to the metrics endpoint. This fixes the RBAC privileges to correctly enable scraping metrics.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):

Related to https://issues.redhat.com/browse/RHOAIENG-28166

Type of changes
Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)

Feature/Issue validation/testing:

Manual testing

Checklist:

• Have you added unit/e2e tests that prove your fix is effective or that this feature works?
• Has code been commented, particularly in hard-to-understand areas?
• Have you made corresponding changes to the documentation?
• Have you linked the JIRA issue(s) to this PR?

Summary by CodeRabbit

• New Features

  • Improved management of scheduler service account permissions, including explicit handling of authorization delegation.
  • Enhanced cleanup and lifecycle handling for inference service resources.

• Bug Fixes

  • Adjusted ownership checks to handle objects without a namespace more gracefully.

• Chores

  • Expanded cluster permissions to include management of ClusterRoleBindings for better integration and security.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

The changes expand RBAC permissions to include clusterrolebindings in several ClusterRole definitions and update reconciliation logic for the LLMInferenceService controller. The controller now manages a ClusterRoleBinding for scheduler auth delegation, handles finalizers for cleanup, and adjusts ownership checks in lifecycle operations.

Changes

File(s)	Change Summary
charts/kserve-resources/templates/clusterrole.yaml config/rbac/role.yaml	Added clusterrolebindings to the resources list under the rbac.authorization.k8s.io API group in ClusterRole definitions.
pkg/controller/llmisvc/controller.go	Enhanced reconciliation logic to handle finalizers and cleanup for LLMInferenceService, and updated RBAC permissions for clusterrolebindings.
pkg/controller/llmisvc/lifecycle_crud.go	Added a namespace presence check before verifying ownership in Delete and Update functions.
pkg/controller/llmisvc/scheduler.go	Added management of a ClusterRoleBinding for scheduler auth delegation, updated scheduler reconciliation flow, and removed a Role permission.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant K8s API
    participant LLMInferenceServiceReconciler
    participant Scheduler Service Account

    User->>K8s API: Create/Update/Delete LLMInferenceService
    K8s API->>LLMInferenceServiceReconciler: Trigger Reconcile
    alt Resource is being deleted
        LLMInferenceServiceReconciler->>LLMInferenceService: Check finalizer
        alt Finalizer present
            LLMInferenceServiceReconciler->>Scheduler Service Account: Cleanup (reconcileSchedulerServiceAccount)
            LLMInferenceServiceReconciler->>LLMInferenceService: Remove finalizer and update
        end
        LLMInferenceServiceReconciler-->>K8s API: Exit reconciliation
    else Resource is not being deleted
        LLMInferenceServiceReconciler->>LLMInferenceService: Add finalizer if missing
        LLMInferenceServiceReconciler->>Scheduler Service Account: Reconcile Service Account, Role, RoleBinding, and Auth Delegator ClusterRoleBinding
    end

Loading

Estimated code review effort

4 (~75 minutes)

Suggested labels

llm-d

Poem

In the warren of code, permissions grow,
ClusterRoleBindings join the show!
Finalizers tidy up with care,
Scheduler bindings everywhere.
Ownership checks, a hop, a bound,
In LLM fields, new roles are found.
🐇✨

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[israel-hdez]

@bartoszmajsak Is there a better way for cluster-scoped resources?

[pierDipi]

nit

Suggested change

	if len(expected.GetNamespace()) != 0 {
	if expected.GetNamespace() == "" {

[bartoszmajsak]

You can try apiutil.IsObjectNamespaced(expected, c.Scheme(), c.RESTMapper())
https://github.com/kubernetes-sigs/controller-runtime/blob/main/pkg/client/apiutil/apimachinery.go#L63

[pierDipi]

it seems to make a full (non-cached) remote call, I'd not use it for now as the non-empty for namespace is quite reliable already?

[bartoszmajsak]

I looked at the code and I saw caching mentioned here https://github.com/kubernetes-sigs/controller-runtime/blob/e08f24a1e29fb84e4b059dd471b1c8b4928751e7/pkg/client/apiutil/apimachinery.go#L75-L77 and subsequently here: https://github.com/kubernetes-sigs/controller-runtime/blob/e08f24a1e29fb84e4b059dd471b1c8b4928751e7/pkg/client/apiutil/restmapper.go#L170-L172

Which would mean it's going to be cached as we are using shared client? Or am I missing something?

[pierDipi]

Ah okok, good then

[israel-hdez]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[pierDipi]

nit

Suggested change

	if len(expected.GetNamespace()) != 0 {
	if expected.GetNamespace() == "" {

[bartoszmajsak]

You can try apiutil.IsObjectNamespaced(expected, c.Scheme(), c.RESTMapper())
https://github.com/kubernetes-sigs/controller-runtime/blob/main/pkg/client/apiutil/apimachinery.go#L63

[bartoszmajsak]

!llmSvc.DeletionTimestamp.IsZero() - I noticed we don't do it in other places. How about moving this check to Delete func as a guard to all types of resources? That would simplify the code below too.

[israel-hdez]

But notice that this condition is over llmSvc instead of authDelegatorBinding. I did this way just to not tamper with the garbage collector for the owned resources which should automatically do the deletion so that, to some extent, it preserves behavior.

In practice, I'm not sure how useful the guard in Delete will be. I see the pattern in the code is to delete the built expected resource; i.e. it doesn't query for the actual one, so I don't think we will have the timestamp. In any case, I agree that having the guard is good. I'll dd it. Yet, IMO this check over llmSvc should stay, unless we are OK with the controller trying the delete despite the ownership?

[bartoszmajsak]

I did this way just to not tamper with the garbage collector for the owned resources which should automatically do the deletion

I was thinking to move this down to Delete and guard in the same fashion - if expected is owned by existing resource (owner) we would have a timestamp on owner.

But I see now this is about cluster-scoped resource that I missed going quickly through the code. Apologies for the initial noise.

I am not sure about using Delete for such a case. This method expects an owner and here it is misleading. Perhaps we should just delete it using available client? The same applies to Reconcile. Thinking about it more - maybe we need separate methods for cluster-scoped resources instead of patching the behaviour of the code path not intended for this use-case?

Thoughts @pierDipi?

[pierDipi]

Maybe what we want is to allow nil owner for Reconcile and Delete without having separate paths for cluster-scoped resources?

[bartoszmajsak]

I am a bit alergic to nils as I've seen many methods with couple of those passed out in the wild. That is making the intent blurry, but we can refactor later.

[israel-hdez]

I'm not seeing any actionable change. Let me know if I'm misunderstanding.

[bartoszmajsak]

but we can refactor later.

follow-up :)

[israel-hdez]

@bartoszmajsak @pierDipi feedback applied.

[pierDipi]

Suggested change

	return r.reconcileSchedulerServiceAccount(ctx, llmSvc)
	if err := r.reconcileSchedulerServiceAccount(ctx, llmSvc); err != nil {
	return fmt.Errorf("failed to finalize scheduler service account: %w", err)
	}
	return nil

[israel-hdez]

Changed.

[pierDipi]

Maybe what we want is to allow nil owner for Reconcile and Delete without having separate paths for cluster-scoped resources?

[pierDipi]

we might want to factor in the namespace given the cluster-scoped nature of the object

[pierDipi]

Suggested change

	Name: kmeta.ChildName(llmSvc.GetName(), "-epp-auth-rb"),
	Name: kmeta.ChildName(llmSvc.GetNamespace(), "-" + llmSvc.GetName() + "-epp-auth-rb"),

Namepsace as "prefix" to have some hierarchy

[israel-hdez]

Great catch. It is fixed.

[pierDipi]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: israel-hdez, pierDipi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [israel-hdez,pierDipi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment