kubernetes/pkg/registry
Antonio Ojea adbf3b5aa5
Add granular authorization for DRA ResourceClaim status updates
This commit introduces the DRAResourceClaimGranularStatusAuthorization
feature gate (Beta in 1.36) to enforce fine-grained authorization checks
on ResourceClaim status updates.

Previously, 'update' permission on 'resourceclaims/status' allowed modifying
the entire status. To enforce the principle of least privilege for DRA
drivers and the scheduler, this change introduces synthetic subresources and
verb prefixes:

- 'resourceclaims/binding': Required to update 'status.allocation' and
  'status.reservedFor'.
- 'resourceclaims/driver': Required to update 'status.devices'. Evaluated
  on a per-driver basis using 'associated-node:<verb>' (for node-local
  ServiceAccounts) or 'arbitrary-node:<verb>' (for cluster-wide controllers).
2026-03-26 13:22:09 +00:00
admissionregistration Block .static.k8s.io suffix in REST API 2026-03-11 23:47:55 -07:00
apiserverinternal Bump k8s.io/kube-openapi to latest SHA (f3f2b991d03b) 2025-07-14 07:24:48 -04:00
apps Merge pull request #133684 from soltysh/drop_StatefulSetAutoDeletePVC 2025-08-28 10:49:15 -07:00
authentication Clean up v1alpha1 serving for authorization API 2024-12-13 08:37:57 -05:00
authorization KEP-4601: Graduate selector authorization to stable 2025-07-14 16:19:52 -04:00
autoscaling validation-gen: Fix all stable api violations by prefixing +k8s:alpha(since:"1.36") and exclude output_tests from linting 2026-02-25 00:50:31 +00:00
batch Merge pull request #136585 from zhzhuang-zju/job-validation 2026-03-06 22:22:19 +05:30
certificates Remove redundant re-assignment in for-loops under pkg 2026-03-02 08:47:43 +01:00
coordination Add LeaseCandidate v1beta1 2025-03-12 17:52:10 +00:00
core staging: extract CRI streaming modules with client-go compatibility 2026-03-12 09:59:55 -04:00
discovery validation-gen: Fix all stable api violations by prefixing +k8s:alpha(since:"1.36") and exclude output_tests from linting 2026-02-25 00:50:31 +00:00
events Remove ability to re-enable serving deprecated eventv1beta1 APIs 2023-04-28 14:58:59 +08:00
flowcontrol feat: add LimitResponse declarative validation discriminator tags 2026-03-13 13:41:03 -07:00
networking Add status field wiping to ServiceCIDR with opt-out FG 2026-03-18 10:59:54 -04:00
node validation-gen: Fix all stable api violations by prefixing +k8s:alpha(since:"1.36") and exclude output_tests from linting 2026-02-25 00:50:31 +00:00
policy Update OWNERS to sig-apps owned registry packages (batch & policy) 2025-10-28 11:36:45 +01:00
rbac validation-gen: Fix all stable api violations by prefixing +k8s:alpha(since:"1.36") and exclude output_tests from linting 2026-02-25 00:50:31 +00:00
registrytest remove import doc comments 2024-12-02 16:59:34 +01:00
resource Add granular authorization for DRA ResourceClaim status updates 2026-03-26 13:22:09 +00:00
scheduling Add Workload-Aware Preemption fields to Workload and PodGroup APIs 2026-03-24 09:03:50 +01:00
storage Update validation tests and add defaulting 2026-03-09 12:55:17 -04:00
storagemigration Update SVM to Beta 2025-10-29 19:36:11 +00:00
testapigroup SSA: add integration tests 2025-07-17 09:56:28 +02:00
doc.go remove import doc comments 2024-12-02 16:59:34 +01:00
OWNERS Use emeritus_* 2024-08-22 17:48:27 -04:00