Using existing cluster roles for PhariaOS
By default, PhariaOS creates its own cluster role and cluster role binding resources for hardware discovery and model management. However, you can use your own existing cluster roles instead.
PhariaOS default cluster roles
With the default values — clusterRole.enabled: true and serviceAccount.create: true — PhariaOS automatically creates the following:
- Cluster roles: Two cluster roles with specific permissions for phariaos-manager and kserve-controller
- Service accounts: Two service accounts, one for each component
- Cluster role bindings: Bindings that grant each service account its respective cluster role permissions
Using your own existing resources
When cluster role creation is disabled, the chart does not create any cluster roles; you must provide your own with the required permissions.
To use existing cluster roles, set the following in your values.yaml:
phariaos-manager:
  clusterRole:
    enabled: false
  serviceAccount:
    create: false
    name: "your-phariaos-service-account"
kserve:
  controller:
    serviceAccount:
      create: false
      name: "your-kserve-service-account"
Binding cluster roles to service accounts
Step 1: Determine required permissions
Your existing cluster role must include all the permissions defined in the chart’s template files:
- PhariaOS Manager permissions: See charts/phariaos-manager/templates/clusterrole.yaml
- KServe Controller permissions: See charts/kserve/templates/clusterrole.yaml
Step 2: Add required permissions
Add the permissions from the template files to your existing cluster roles.
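One way to check the result of Steps 1 and 2 is to compare the rules the chart template asks for against the rules of your existing cluster role and list anything not granted. The following is an added example, not part of the PhariaOS chart; the function names and both sample rule lists are constructed for illustration and are not the chart's actual permissions. It assumes each input is a "rules" list in the form found in a ClusterRole object (for example from kubectl get clusterrole <name> -o json).

```python
from itertools import product

def triples(rules, for_grant=False):
    """Flatten RBAC rules into (apiGroup, resource, verb) triples."""
    out = set()
    for rule in rules:
        # A grant limited by resourceNames does not cover the whole resource,
        # so it is conservatively ignored on the granted side.
        if for_grant and rule.get("resourceNames"):
            continue
        out.update(product(rule.get("apiGroups", []),
                           rule.get("resources", []),
                           rule.get("verbs", [])))
    return out

def missing_permissions(required_rules, existing_rules):
    """Return required triples that no existing rule grants ('*' matches any)."""
    granted = triples(existing_rules, for_grant=True)

    def covered(need):
        return any(all(g in ("*", n) for g, n in zip(grant, need))
                   for grant in granted)

    return sorted(t for t in triples(required_rules) if not covered(t))

# Constructed sample: rules copied from a chart template (hypothetical values).
REQUIRED_RULES = [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["serving.kserve.io"], "resources": ["inferenceservices"],
     "verbs": ["get", "list", "create", "delete"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "update"]},
]

# Constructed sample: rules of the pre-existing cluster role (hypothetical values).
EXISTING_RULES = [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]},
    {"apiGroups": ["serving.kserve.io"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["configmaps"],
     "resourceNames": ["only-this-one"], "verbs": ["get", "update"]},
]

if __name__ == "__main__":
    for group, resource, verb in missing_permissions(REQUIRED_RULES, EXISTING_RULES):
        print(f"missing: apiGroup={group or 'core'} resource={resource} verb={verb}")
```

An empty result means every required permission is granted; the check only understands exact matches and the "*" wildcard, so subresources must be listed explicitly in both rule sets.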