mirror of
https://github.com/kubernetes/kubernetes.git
synced 2026-04-05 09:15:22 -04:00
This commit introduces the DRAResourceClaimGranularStatusAuthorization feature gate (Beta in 1.36) to enforce fine-grained authorization checks on ResourceClaim status updates.

Previously, 'update' permission on 'resourceclaims/status' allowed modifying the entire status. To enforce the principle of least privilege for DRA drivers and the scheduler, this change introduces synthetic subresources and verb prefixes:

- 'resourceclaims/binding': Required to update 'status.allocation' and 'status.reservedFor'.
- 'resourceclaims/driver': Required to update 'status.devices'. Evaluated on a per-driver basis using 'associated-node:<verb>' (for node-local ServiceAccounts) or 'arbitrary-node:<verb>' (for cluster-wide controllers).

| Name |
|---|
| pkg |
| OWNERS |