This commit introduces the DRAResourceClaimGranularStatusAuthorization
feature gate (Beta in 1.36) to enforce fine-grained authorization checks
on ResourceClaim status updates.
Previously, 'update' permission on 'resourceclaims/status' allowed modifying
the entire status. To enforce the principle of least privilege for DRA
drivers and the scheduler, this change introduces synthetic subresources and
verb prefixes:
- 'resourceclaims/binding': Required to update 'status.allocation' and
'status.reservedFor'.
- 'resourceclaims/driver': Required to update 'status.devices'. Evaluated
on a per-driver basis using 'associated-node:<verb>' (for node-local
ServiceAccounts) or 'arbitrary-node:<verb>' (for cluster-wide controllers).

Introduce the ResourcePoolStatusRequest resource type in the
resource.k8s.io/v1alpha3 API group, gated behind the
DRAResourcePoolStatus feature gate. This includes external and internal
type definitions, protobuf/OpenAPI generated code, client-go typed
clients, informers, listers, apply configurations, deepcopy, defaults,
conversion, fuzzer, declarative validation tags, and API discovery
metadata.
- Fixed version in kube_features.go after rebase (1.35->1.36)

- Removed internal pod cache in PodsServer to reduce memory footprint and avoid duplication.
- Injected pod.Manager into PodsServer to serve as the single source of truth for pod data.
- Refactored WatchPods to broadcast UIDs and fetch fresh pod data from podManager, ensuring consistency.
- Updated convertWatchEventType to safely handle unknown event types.
- Refactored unit tests to use MockManager and added a test case for static pods.
- Updated e2e suite with static pod test

Add server-side streaming RPCs to bypass the gRPC 16MB message size
limit on nodes with many containers/pods. This implements KEP-5825.
New RuntimeService streaming RPCs:
- StreamPodSandboxes
- StreamContainers
- StreamContainerStats
- StreamPodSandboxStats
- StreamPodSandboxMetrics
New ImageService streaming RPC:
- StreamImages
Each streaming RPC accepts the same filter as its unary counterpart
and streams results one item at a time.
Feature gate: CRIListStreaming
KEP: https://kep.k8s.io/5825
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Signed-off-by: Ayato Tokubi <atokubi@redhat.com>

Promote DRADeviceBindingConditions feature gate from Alpha to Beta
in v1.36 with default enabled.
- Update feature gate definition to set default=true for v1.36 Beta
- Update API documentation comments from "alpha field" to "beta field"
across all resource API versions (v1, v1beta1, v1beta2)
Signed-off-by: Tsubasa Watanabe <w.tsubasa@fujitsu.com>

The fields become beta, enabled by default. DeviceTaintRule gets
added to the v1beta2 API, but support for it must remain off by default
because that API group is also off by default.
The v1beta1 API is left unchanged. No one should be using it
anymore (deprecated in 1.33, could be removed now if it wasn't for
reading old objects and version emulation).
To achieve consistent validation, declarative validation must be enabled also
for v1alpha3 (was already enabled for other versions). Otherwise,
TestVersionedValidationByFuzzing fails:
--- FAIL: TestVersionedValidationByFuzzing (0.09s)
--- FAIL: TestVersionedValidationByFuzzing/resource.k8s.io/v1beta2,_Kind=DeviceTaintRule (0.00s)
validation_test.go:109: different error count (0 vs. 1)
resource.k8s.io/v1alpha3: <no errors>
resource.k8s.io/v1beta2: "spec.taint.effect: Unsupported value: \"幤HxÒQP¹¬永唂ȳ垞ş]嘨鶊\": supported values: \"NoExecute\", \"NoSchedule\", \"None\""
...