@nerdalert
Last active April 1, 2026 18:56

MaaS API RBAC Fix

Root Cause

Breakage when deploying MaaS with ./scripts/deploy.sh --operator-type odh

maas-api pods crash with CrashLoopBackOff because the opendatahub:maas-api service account lacks:

  1. Permission to get the maas-db-config secret in the opendatahub namespace (the database configuration maas-api loads at startup)
  2. Permission to get, list and watch the maasmodelrefs and maassubscriptions custom resources (API group maas.opendatahub.io)

The operator-managed maas-api ClusterRole does not include these permissions, and because the operator reconciles that ClusterRole, patching it directly is reverted on the next reconcile. The fix adds supplemental RBAC objects under separate names that the operator does not own and therefore does not overwrite: a namespaced Role restricted to the single secret via resourceNames (so the SA does not gain read access to every secret in the namespace), plus a read-only ClusterRole for the two CRDs.

Fix

# 1. Apply supplemental RBAC. The Role is pinned to one secret by resourceNames
#    and the ClusterRole is read-only (get/list/watch) on the two CRDs. Both sit
#    alongside the operator-managed ClusterRole instead of modifying it.
kubectl apply -f - <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: maas-api-db-secret-reader
  namespace: opendatahub
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["maas-db-config"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: maas-api-db-secret-reader
  namespace: opendatahub
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: maas-api-db-secret-reader
subjects:
- kind: ServiceAccount
  name: maas-api
  namespace: opendatahub
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: maas-api-supplemental
rules:
- apiGroups: ["maas.opendatahub.io"]
  resources: ["maasmodelrefs", "maassubscriptions"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: maas-api-supplemental
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: maas-api-supplemental
subjects:
- kind: ServiceAccount
  name: maas-api
  namespace: opendatahub
EOF

# 2. Restart maas-api. The new bindings are effective as soon as they are
#    applied; the restart just avoids waiting out the CrashLoopBackOff back-off.
kubectl -n opendatahub rollout restart deploy/maas-api
kubectl -n opendatahub rollout status deploy/maas-api --timeout=90s

# 3. Verify end to end by minting an API key through maas-api, which exercises
#    both the DB configuration and the CRD reads.
#    facebook-opt-125m-simulated in namespace llm is the MaaSModelRef used here;
#    substitute one that exists in your cluster. sed keeps only scheme+host.
HOST=$(kubectl get maasmodelref facebook-opt-125m-simulated -n llm \
  -o jsonpath='{.status.endpoint}' | sed -E 's#(https://[^/]+).*#\1#')
echo "HOST=$HOST"

# Authenticate as the current OpenShift user.
TOKEN=$(oc whoami -t)
# -k disables TLS certificate verification. Fine against a self-signed dev
# route; drop it (or pass --cacert) on any cluster other people can reach.
API_KEY=$(curl -sSk -X POST "$HOST/maas-api/v1/api-keys" \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"name":"validate-key","expiresIn":"2h"}' | jq -r '.key')
echo "API_KEY=$API_KEY"   # an empty or "null" value means the request failed
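The rollout succeeding tells you the pod came up, not which permission was the problem. The script below is an added example, not part of this gist or the MaaS project: it asks the API server directly, via kubectl auth can-i --as (a SubjectAccessReview impersonating the service account), whether opendatahub:maas-api holds each permission the fix grants. Run it before applying the RBAC to confirm the diagnosis and again afterwards to confirm the grant landed; if the operator ever reverts something, the same check pinpoints it. The required-permission list, the KUBECTL override (so the check can be exercised with a stub) and the --check flag are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the gist): report which of the permissions maas-api
# needs are missing for its service account, using SubjectAccessReview via
# "kubectl auth can-i --as". Assumes the SA, secret and CRD group from the gist.

SA_NS="${SA_NS:-opendatahub}"
SA_NAME="${SA_NAME:-maas-api}"
KUBECTL="${KUBECTL:-kubectl}"   # assumption: overridable so the check can run against a stub

# One requirement per line: <verb> <resource[/name]> <namespace, or - for all namespaces>.
# Mirrors the supplemental Role (single secret) and ClusterRole (read-only on the CRDs).
REQUIRED_PERMS='
get   secrets/maas-db-config                  opendatahub
get   maasmodelrefs.maas.opendatahub.io       -
list  maasmodelrefs.maas.opendatahub.io       -
watch maasmodelrefs.maas.opendatahub.io       -
get   maassubscriptions.maas.opendatahub.io   -
list  maassubscriptions.maas.opendatahub.io   -
watch maassubscriptions.maas.opendatahub.io   -
'

# Prints one "MISSING: ..." line per denied permission.
# Returns 0 only when the service account holds every listed permission.
check_sa_perms() {
  subject="system:serviceaccount:${SA_NS}:${SA_NAME}"
  missing=0
  while read -r verb res ns; do
    [ -n "$verb" ] || continue                   # skip blank lines
    # kubectl auth can-i prints yes/no and exits non-zero on "no"; keep only the answer.
    if [ "$ns" = "-" ]; then
      answer=$("$KUBECTL" auth can-i "$verb" "$res" --as="$subject" --all-namespaces 2>/dev/null || true)
    else
      answer=$("$KUBECTL" auth can-i "$verb" "$res" -n "$ns" --as="$subject" 2>/dev/null || true)
    fi
    if [ "$answer" != "yes" ]; then
      echo "MISSING: $subject cannot $verb $res (namespace: $ns)"
      missing=$((missing + 1))
    fi
  done <<EOF
$REQUIRED_PERMS
EOF
  [ "$missing" -eq 0 ]
}

# Usage: ./check-maas-api-rbac.sh --check   (needs cluster-admin or RBAC impersonation rights)
if [ "${1:-}" = "--check" ]; then
  check_sa_perms && echo "OK: $subject has every permission maas-api needs"
fi
```

Before the fix the output should list the secret and the six CRD verbs as MISSING; after kubectl apply it should print only the OK line. Because the check impersonates the SA rather than inspecting Role objects, it also catches bindings that exist but point at the wrong namespace or subject.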