kubernetes/plugin/pkg/auth
Antonio Ojea adbf3b5aa5
Add granular authorization for DRA ResourceClaim status updates
This commit introduces the DRAResourceClaimGranularStatusAuthorization
feature gate (Beta in 1.36) to enforce fine-grained authorization checks
on ResourceClaim status updates.

Previously, 'update' permission on 'resourceclaims/status' allowed modifying
the entire status. To enforce the principle of least privilege for DRA
drivers and the scheduler, this change introduces synthetic subresources and
verb prefixes:

- 'resourceclaims/binding': Required to update 'status.allocation' and
  'status.reservedFor'.
- 'resourceclaims/driver': Required to update 'status.devices'. Evaluated
  on a per-driver basis using 'associated-node:<verb>' (for node-local
  ServiceAccounts) or 'arbitrary-node:<verb>' (for cluster-wide controllers).
2026-03-26 13:22:09 +00:00
authenticator Clean up formatting 2023-03-30 16:38:15 -04:00
authorizer Add granular authorization for DRA ResourceClaim status updates 2026-03-26 13:22:09 +00:00
doc.go remove import doc comments 2024-12-02 16:59:34 +01:00
OWNERS Check in OWNERS modified by update-yamlfmt.sh 2021-12-09 21:31:26 -05:00