How to use an existing cluster role for PhariaOS

By default, PhariaOS creates its own ClusterRole and ClusterRoleBinding resources for hardware discovery and model management. However, you can use your own existing cluster roles instead.

What PhariaOS creates by default

By default (clusterRole.enabled: true and serviceAccount.create: true), PhariaOS automatically creates:

  • ClusterRoles: Two cluster roles with specific permissions for phariaos-manager and kserve-controller
  • ServiceAccounts: Two service accounts, one for each component
  • ClusterRoleBindings: Bindings that grant each service account its respective cluster role permissions

Using your own existing resources

When cluster role creation is disabled, the chart will not create any cluster roles and you must provide your own with the required permissions.

To use existing cluster roles, set the following in your values.yaml:

phariaos-manager:
  clusterRole:
    enabled: false
  serviceAccount:
    create: false
    name: "your-phariaos-service-account"

kserve:
  controller:
    serviceAccount:
      create: false
      name: "your-kserve-service-account"

Bind Cluster Role(s) to Service Accounts

Step 1: Determine Required Permissions

Your existing cluster role must include all the permissions defined in the chart's template files:

  • PhariaOS Manager permissions: See charts/phariaos-manager/templates/clusterrole.yaml
  • KServe Controller permissions: See charts/kserve/templates/clusterrole.yaml

Step 2: Add Required Permissions

Add the permissions from the template files to your existing cluster role(s).

Step 3: Create or Use Existing Service Account(s)

Ensure a service account exists for each component, matching the serviceAccount.name values you set in values.yaml.

Step 4: Create Cluster Role Binding(s)

Create cluster role binding(s) to grant the permissions to your service account(s).
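
One way to check Steps 1 and 2 before creating the bindings is to compare the rules the chart requires against the rules your existing cluster role grants. This is an added example, not code from PhariaOS or its chart. It assumes both rule lists are loaded as Python dicts (for instance from the `rules` field of `kubectl get clusterrole <name> -o json`), matches `*` wildcards only as whole fields, and uses constructed sample rules rather than the chart's real permissions.

```python
from itertools import product

# Constructed sample rules, NOT the chart's real permissions: substitute the
# rules from the rendered clusterrole.yaml templates and from your own role.
REQUIRED = [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["serving.kserve.io"], "resources": ["inferenceservices"],
     "verbs": ["get", "list", "watch", "update"]},
]
EXISTING = [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]},
    {"apiGroups": ["serving.kserve.io"], "resources": ["*"], "verbs": ["*"]},
    # Name-restricted grant: does not cover the resource type as a whole.
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["watch"],
     "resourceNames": ["node-a"]},
]

def expand(rules):
    """Flatten rules into (apiGroup, resource, verb) triples.
    Rules that only carry nonResourceURLs expand to nothing and are ignored."""
    triples = set()
    for rule in rules:
        triples.update(product(rule.get("apiGroups", []),
                               rule.get("resources", []),
                               rule.get("verbs", [])))
    return triples

def covers(grant, need):
    """A granted triple covers a needed one if each field matches or is '*'."""
    return all(g in ("*", n) for g, n in zip(grant, need))

def missing_permissions(required_rules, existing_rules):
    """Return the required triples that no unrestricted existing rule grants."""
    unrestricted = [r for r in existing_rules if not r.get("resourceNames")]
    granted = expand(unrestricted)
    return sorted(need for need in expand(required_rules)
                  if not any(covers(g, need) for g in granted))

def wildcard_grants(existing_rules):
    """Return granted triples containing '*', which are worth reviewing."""
    return sorted(t for t in expand(existing_rules) if "*" in t)

if __name__ == "__main__":
    for group, resource, verb in missing_permissions(REQUIRED, EXISTING):
        print(f"missing: apiGroup={group!r} resource={resource} verb={verb}")
    for triple in wildcard_grants(EXISTING):
        print("wildcard grant to review:", triple)
```

An empty result from `missing_permissions` means the existing role covers every required permission; anything listed must be added in Step 2 before the binding is created.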