Setup RBAC

When you install Alauda Build of Kueue, the following ClusterRoles are created for the two main personas that we assume will interact with Kueue:

  • kueue-batch-admin-role includes the permissions to manage ClusterQueues, Queues, Workloads, and ResourceFlavors.
  • kueue-batch-user-role includes the permissions to manage Jobs and to view Queues and Workloads.

1. Giving permissions to a batch administrator

A batch administrator typically requires the kueue-batch-admin-role ClusterRole in all namespaces, so the role is granted with a ClusterRoleBinding, which applies cluster-wide.

To bind the kueue-batch-admin-role role to a batch administrator, represented by the user admin@cpaas.com, create a ClusterRoleBinding with a manifest similar to the following:

# batch-admin-role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kueue-admins
subjects:
- kind: User
  name: admin@cpaas.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: kueue-batch-admin-role
  apiGroup: rbac.authorization.k8s.io

To create the ClusterRoleBinding, save the preceding manifest and run the following command:

kubectl apply -f batch-admin-role-binding.yaml

2. Giving permissions to a batch user

A batch user typically requires permissions to:

  • Create and view Jobs in their namespace.
  • View the queues available in their namespace.
  • View the status of their Workloads in their namespace.

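To give these permissions to the user team-a-owner@cpaas.com for the namespace team-a, create a RoleBinding with a manifest similar to the following. Because a RoleBinding is namespaced, referencing the kueue-batch-user-role ClusterRole from it grants those permissions only in team-a: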

# team-a-batch-user-role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kueue-users
  namespace: team-a
subjects:
- kind: User
  name: team-a-owner@cpaas.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: kueue-batch-user-role
  apiGroup: rbac.authorization.k8s.io

To create the RoleBinding, save the preceding manifest and run the following command:

kubectl apply -f team-a-batch-user-role-binding.yaml
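
To confirm that both bindings took effect and grant nothing wider, the following added example (not part of the Alauda documentation) impersonates each user with kubectl auth can-i and compares the answers with what this page describes. It assumes the caller has impersonation rights, that Kueue's resources are served as clusterqueues, localqueues, workloads and resourceflavors in the API group kueue.x-k8s.io, and that team-b is a hypothetical second namespace in which team-a-owner should have no access.

```bash
#!/usr/bin/env bash
# Added example: checks that the two bindings grant what the page describes
# and nothing wider. Assumptions: the caller may impersonate users (--as),
# Kueue resources live in API group kueue.x-k8s.io, and "team-b" is a
# hypothetical namespace where team-a-owner should have no access.

K=kueue.x-k8s.io

# expect WANT USER NAMESPACE VERB RESOURCE   (NAMESPACE "-" means cluster-wide)
# Returns 0 when `kubectl auth can-i` answers WANT ("yes" or "no").
expect() {
  local want="$1" user="$2" ns="$3" verb="$4" res="$5" got scope
  if [ "$ns" = "-" ]; then scope="--all-namespaces"; else scope="--namespace=$ns"; fi
  # can-i exits non-zero for "no", so read stdout instead of the exit code.
  got=$(kubectl auth can-i "$verb" "$res" --as="$user" "$scope" \
          </dev/null 2>/dev/null || true)
  got=${got%% *}   # "no - <reason>" becomes "no"
  if [ "$got" = "$want" ]; then return 0; fi
  echo "MISMATCH: $user $verb $res ($scope): want=$want got=${got:-error}" >&2
  return 1
}

# Runs every expectation; returns the number of mismatches (0 = as designed).
verify_kueue_rbac() {
  local admin="admin@cpaas.com" user="team-a-owner@cpaas.com" bad=0
  local want who ns verb res
  while read -r want who ns verb res; do
    expect "$want" "$who" "$ns" "$verb" "$res" || bad=$((bad + 1))
  done <<EOF
yes $admin -      create clusterqueues.$K
yes $admin -      create resourceflavors.$K
yes $admin -      create localqueues.$K
yes $user  team-a create jobs.batch
yes $user  team-a list   localqueues.$K
yes $user  team-a list   workloads.$K
no  $user  team-a create localqueues.$K
no  $user  -      create clusterqueues.$K
no  $user  team-b create jobs.batch
EOF
  return "$bad"
}
```

Source the file and run verify_kueue_rbac; each mismatch is reported on stderr and the exit status is the number of mismatches.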