upstream/kubernetes
1
0
Fork 0
mirror of https://github.com/kubernetes/kubernetes.git synced 2026-05-23 18:35:51 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
kubernetes/test/integration/auth
History
Antonio Ojea adbf3b5aa5
Add granular authorization for DRA ResourceClaim status updates 
This commit introduces the DRAResourceClaimGranularStatusAuthorization
feature gate (Beta in 1.36) to enforce fine-grained authorization checks
on ResourceClaim status updates.

Previously, 'update' permission on 'resourceclaims/status' allowed modifying
the entire status. To enforce the principle of least privilege for DRA
drivers and the scheduler, this change introduces synthetic subresources and
verb prefixes:

- 'resourceclaims/binding': Required to update 'status.allocation' and
  'status.reservedFor'.
- 'resourceclaims/driver': Required to update 'status.devices'. Evaluated
  on a per-driver basis using 'associated-node:<verb>' (for node-local
  ServiceAccounts) or 'arbitrary-node:<verb>' (for cluster-wide controllers).
2026-03-26 13:22:09 +00:00
..
testdata Add integration test for invalid SAN certificate handling 2025-10-13 20:22:05 -04:00
accessreview_test.go pkg/controlplane: split up config into generic controlplane and kube-related part 2024-04-26 14:14:06 +02:00
auth_test.go KEP-5284: promote constrained impersonation to beta 2026-03-10 12:28:44 -04:00
authz_config_test.go Add automatic_reload_last_config_info metric for auth configs 2025-07-17 17:47:51 -05:00
bootstraptoken_test.go pkg/controlplane: split up config into generic controlplane and kube-related part 2024-04-26 14:14:06 +02:00
dynamic_client_test.go test: use cancelation from ktesting 2024-03-01 07:51:22 +01:00
main_test.go Enforce sa token node audience restriction when ServiceAccountNodeAudienceRestriction=true 2024-11-06 09:51:40 -08:00
node_test.go adopt consistent way to set feature gate based on emulation version for kcm and scheduler test server. 2025-10-22 13:20:30 -05:00
podsecurity_test.go feature: promote ProcMountType to GA 2026-03-13 12:27:16 -04:00
rbac_test.go List available endpoints for kube-apiserver (#132581) 2025-07-23 21:44:27 -07:00
requestheader_test.go Update tests to handle RemoteRequestHeaderUID 2024-12-04 16:04:36 -05:00
resourceclaim_test.go Add granular authorization for DRA ResourceClaim status updates 2026-03-26 13:22:09 +00:00
selfsubjectreview_test.go Fix SelfSubjectReview test to decouple beta and GA types from the same apiserver 2025-02-20 19:32:16 +00:00
svcaccttoken_test.go Add TokenRequestServiceAccountUIDValidation feature gate with UID validation 2025-07-10 23:20:23 -05:00