Implementation:Kserve Kserve Kubeflow RBAC ClusterRoles
| Knowledge Sources | |
|---|---|
| Domains | Kubernetes, RBAC |
| Last Updated | 2026-02-13 00:00 GMT |
Overview
Concrete Kubernetes RBAC ClusterRoles for Kubeflow integration provided by the KServe project.
Description
This file defines three Kubeflow-specific RBAC ClusterRoles that integrate KServe permissions into the Kubeflow multi-tenant authorization model. The kubeflow-kserve-admin role uses an aggregation rule to collect permissions from roles labeled with aggregate-to-kubeflow-kserve-admin. The kubeflow-kserve-edit role grants full CRUD access to KServe resources (inferenceservices, inferencegraphs, servingruntimes, trainedmodels, llminferenceservices) and Knative serving resources, and aggregates into both Kubeflow edit and KServe admin roles. The kubeflow-kserve-view role provides read-only access to the same resources and aggregates into the Kubeflow view role.
Usage
Apply these ClusterRoles when deploying KServe within a Kubeflow environment to enable proper multi-tenant access control. These roles automatically integrate with Kubeflow's RBAC aggregation pattern so that users assigned Kubeflow admin, edit, or view roles also receive the corresponding KServe permissions.
Code Reference
Source Location
- Repository: Kserve_Kserve
- File: config/overlays/kubeflow/cluster-role.yaml
- Lines: 1-93
Signature
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeflow-kserve-admin
  labels:
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        rbac.authorization.kubeflow.org/aggregate-to-kubeflow-kserve-admin: "true"
rules: []
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeflow-kserve-edit
  labels:
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-kserve-admin: "true"
rules:
  - apiGroups:
      - serving.kserve.io
    resources:
      - inferencegraphs
      - inferenceservices
      - servingruntimes
      - trainedmodels
      - llminferenceservices
      - lllminferenceserviceconfigs
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - deletecollection
      - patch
      - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeflow-kserve-view
  labels:
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
rules:
  - apiGroups:
      - serving.kserve.io
    verbs:
      - get
      - list
      - watch
```
Import
```bash
kubectl apply -f config/overlays/kubeflow/cluster-role.yaml
```
I/O Contract
Inputs
| Name | Type | Required | Description |
|---|---|---|---|
| Kubeflow RBAC labels | Label selectors | Yes | Kubeflow aggregation labels that connect these roles to the Kubeflow role hierarchy |
Outputs
| Name | Type | Description |
|---|---|---|
| kubeflow-kserve-admin | ClusterRole | Aggregated admin role for KServe resources within Kubeflow |
| kubeflow-kserve-edit | ClusterRole | Full CRUD access to KServe and Knative serving resources |
| kubeflow-kserve-view | ClusterRole | Read-only access to KServe and Knative serving resources |
Usage Examples
Apply the ClusterRoles
```bash
kubectl apply -f config/overlays/kubeflow/cluster-role.yaml
```
Verify the roles are created
```bash
kubectl get clusterrole kubeflow-kserve-admin kubeflow-kserve-edit kubeflow-kserve-view
```
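Added example, not from the KServe repository: an offline Python model of how the aggregation labels in the Signature manifest propagate verbs into the aggregate roles, with a check that flags any role feeding write verbs into an aggregate role without being on a reviewed allow-list. The parent roles `kubeflow-admin`, `kubeflow-edit` and `kubeflow-view` with their selectors, the abridged resource list, and all function names are assumptions.

```python
# Added example: offline model of ClusterRole aggregation (not KServe code).
P = "rbac.authorization.kubeflow.org/aggregate-to-"
READ = ["get", "list", "watch"]
WRITE = ["create", "delete", "deletecollection", "patch", "update"]

def role(labels=(), selects=None, verbs=None):
    """Build one constructed ClusterRole; label/selector names get the P prefix."""
    rules = [{"apiGroups": ["serving.kserve.io"],
              "resources": ["inferenceservices"],  # abridged resource list
              "verbs": list(verbs)}] if verbs else []
    return {"labels": {P + l: "true" for l in labels},
            "selectors": [{P + selects: "true"}] if selects else [],
            "rules": rules}

# kubeflow-kserve-* entries follow the page's manifest. The three parent roles
# and their selectors are assumptions about the Kubeflow side.
ROLES = {
    "kubeflow-admin": role(selects="kubeflow-admin"),
    "kubeflow-edit": role(selects="kubeflow-edit"),
    "kubeflow-view": role(selects="kubeflow-view"),
    "kubeflow-kserve-admin": role(["kubeflow-admin"], selects="kubeflow-kserve-admin"),
    "kubeflow-kserve-edit": role(["kubeflow-edit", "kubeflow-kserve-admin"],
                                 verbs=READ + WRITE),
    "kubeflow-kserve-view": role(["kubeflow-view"], verbs=READ),
}

def sources(roles, name):
    """Roles whose labels satisfy any selector of `name` (matchLabels is AND)."""
    return sorted(n for n, r in roles.items() if n != name and any(
        all(r["labels"].get(k) == v for k, v in sel.items())
        for sel in roles[name]["selectors"]))

def effective_verbs(roles, name, seen=frozenset()):
    """Verbs a role holds after aggregation, followed transitively."""
    if name in seen:  # guard against selector cycles
        return set()
    verbs = {v for rule in roles[name]["rules"] for v in rule["verbs"]}
    for src in sources(roles, name):
        verbs |= effective_verbs(roles, src, seen | {name})
    return verbs

def unexpected_writers(roles, name, allowed):
    """Sources feeding write verbs into `name` that are not on the allow-list."""
    return [s for s in sources(roles, name)
            if s not in allowed and effective_verbs(roles, s) & set(WRITE)]

if __name__ == "__main__":
    for n in ROLES:
        print(n, sorted(effective_verbs(ROLES, n)), "<-", sources(ROLES, n))
```

On a live cluster the same review starts from the ClusterRoles that carry an `aggregate-to-*` label, since adding that label to any ClusterRole is enough to merge its rules into the aggregate role.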