@@ -179,11 +179,19 @@ objects as privileged. This feature includes:
179179 kubernetes.io/dra-admin-access : " true"
180180 ` ` `
181181
182+ Assumptions:
183+
184+ - It is not important to subdivide admin access to different types of
185+ devices.
186+ - Ability to label (or relabel) namespaces is not granted to low-privileged
187+ namespace-constrained users (this is the same assumption that
188+ PodSecurityAdmission makes).
189+
1821901. Authorization Check:
183191
184- In the REST storage layer, validate requests to create ` ResourceClaim` or
185- `ResourceClaimTemplate` objects with `adminAccess : true`. Only authorize if
186- namespace has the `kubernetes.io/dra-admin-access` label.
192+ In the REST storage layer, validate requests to create and update
193+ ` ResourceClaim` or ` ResourceClaimTemplate` objects with `adminAccess: true`.
194+ Only authorize if namespace has the `kubernetes.io/dra-admin-access` label.
187195
1881961. Grants privileged access to the requested device :
189197
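Review bot: The second assumption (lines 186-188) is the actual security boundary of this design, so the authorization-check text at lines 192-194 should say explicitly that the check is only as strong as control over who can label namespaces; a reader who skips the assumptions list would otherwise take the label as a sufficient control on its own. Extending the check from create to "create and update" (line 192) closes the obvious gap where a claim is created without `adminAccess` and later updated to set it, but the text should also state which verbs are covered (patch as well as update) and whether the namespace label is read from a live lookup or an informer cache, since a stale cache could admit a request in a namespace that has just lost the label. Minor: "Only authorize if namespace has" should read "Only authorize if the namespace has".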
@@ -203,8 +211,9 @@ objects as privileged. This feature includes:
2032111. A cluster administrator labels an admin namespace with
204212 ` kubernetes.io/dra-admin-access` .
205213
206- 1. Only authorized users can create `ResourceClaim` or `ResourceClaimTemplate`
207- objects with `adminAccess : true` in this admin namespace.
214+ 1. Users who are authorized to create `ResourceClaim` or `ResourceClaimTemplate`
215+ objects in this admin namespace can set `adminAccess : true` field if they
216+ want to.
208217
2092181. Only users with access to the admin namespace can reference these
210219 ` ResourceClaims` or `ResourceClaimTemplates` in their pod or deployment
@@ -263,8 +272,7 @@ Starting in Kubernetes 1.33 (when this KEP was introduced), a validation has
263272been added to the REST storage layer to only authorize `ResourceClaim` or
264273`ResourceClaimTemplate` with `adminAccess : true` requests if their namespace has
265274the `kubernetes.io/dra-admin-access` label to only allow it for users with
266- additional privileges. More time is needed to figure out how that should work,
267- therefore the field is placed behind the `DRAAdminAccess` feature gate.
275+ additional privileges.
268276
269277The `DRAAdminAccess` feature gate controls whether users can set the
270278` adminAccess` field to true when requesting devices. That is checked in the
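Review bot: Deleting lines 266-267 removes the only sentence that explained why the field sits behind the `DRAAdminAccess` feature gate, so the next paragraph (lines 277-278) now introduces the gate without motivation; either keep a short sentence stating that the gate remains so the feature can be disabled, or fold that into the paragraph about the gate. The surviving sentence at lines 272-275 is also hard to parse ("to only authorize ... requests if their namespace has the ... label to only allow it for users with additional privileges"); splitting it into two sentences, one for the check and one for its intent, would read better.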
@@ -283,10 +291,6 @@ admin namespace label.
283291
284292# ## Kube-controller-manager Changes
285293
286- // TODO : what part of claim.Status.Allocation should be updated? e.g.
287- AdminAccess is part of `DeviceRequestAllocationResult` but need to set it for
288- each device?
289-
290294In pkg/controller/resourceclaim/controller.go, process requests in `handleClaim`
291295function to prevent creation of `ResourceClaim` when the `ResourceClaimTemplate`
292296has the `adminAccess` field while the feature gate is turned off.
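Review bot: The TODO at lines 286-288 is deleted without any replacement text, so the question it raised (how `AdminAccess` in `DeviceRequestAllocationResult` is populated for each allocated device in `claim.Status.Allocation`) is no longer visible anywhere in this section. If the question was resolved, replace the TODO with the answer; if it was moved elsewhere in the KEP, leave a pointer, since silently dropping an open design question makes the section read as complete when it may not be.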
@@ -387,6 +391,7 @@ ResourceClaimTemplate and ResourceClaim for admin access
387391
388392- Gather feedback
389393- Additional tests are in Testgrid and linked in KEP
394+ - Implementations in the kubernetes-sigs/dra-example-driver
390395
391396# ### GA
392397
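Review bot: The new Beta criterion at line 394, "Implementations in the kubernetes-sigs/dra-example-driver", is too vague to act as a graduation gate: it should say what the example driver must demonstrate (for example, honouring a claim with `adminAccess: true`) and whether this is a blocking requirement or informational. The line is also indented one space differently from the neighbouring bullets at lines 392-393 and will render inconsistently.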
@@ -682,6 +687,9 @@ The following options were also considered:
682687 approach cannot be used to control access for an in-tree type because
683688 Kubernetes has no mechanism to apply a system VAP to all new clusters
684689 automatically and therefore it is not sufficient for conformance.
685- - Builtin admission controller : This is doable, but more work than the approach
686- described in this KEP.
690+ - Builtin admission controller : This approach allows removal of a check, which
691+ is not what we want. The REST storage approach leaves the control in the hands
692+ of the cluster admin via permissions and allows the cluster admin to delegate
693+ the control so that anyone can apply labels to namespaces, but they can't
694+ prevent the check from running.
687695- RBAC++ : This is not available yet, especially for the DRA timeframe.
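Review bot: The new justification at lines 690-694 says a built-in admission controller "allows removal of a check" without saying how; state it plainly, namely that built-in admission plugins can be switched off by the cluster operator through the kube-apiserver admission plugin flags, whereas validation in the REST storage layer cannot be disabled, which is the property that matters for conformance. Separately, "so that anyone can apply labels to namespaces" contradicts the assumption added earlier in this change that labelling namespaces is not granted to low-privileged users; rephrase to "delegate label management to whichever principals the admin chooses" so the two sections agree.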