diff --git a/keps/sig-node/4817-resource-claim-device-status/README.md b/keps/sig-node/4817-resource-claim-device-status/README.md index f1079330c8e..e2714f100a6 100644 --- a/keps/sig-node/4817-resource-claim-device-status/README.md +++ b/keps/sig-node/4817-resource-claim-device-status/README.md @@ -298,29 +298,31 @@ to be reported only once in the slice, a device is being identified by ### Write Permission -To prevent unauthorized or accidental modifications by entities that do not -have access to a particular resource, a `ValidatingAdmissionPolicy` will be -created to validate the entities attempting to update the devices in the -`ResourceClaim.Status`. - -The `ValidatingAdmissionPolicy` will restrict `ResourceClaim.Status.Devices` -to be set only during updates, as the object will have first to be created and -allocated, then configured inside the pods. It will also restrict the -`ResourceClaim.Status.Devices` to be set only for when the `ResourceClaim` is -allocated to a node. Additionally, the allocated node where the `ResourceClaim` -is assigned will be used to check if the user/entity updating the -`ResourceClaim.Status.Devices` is running on the same node. - -The allocated node for the `ResourceClaim` must be unique in the form of +To prevent unauthorized or accidental modifications by entities that do not +have access to a particular resource, a synthetic check in a `drivers` resource +will validate the entities attempting to update the devices in the `ResourceClaim.Status`. + +The new synthetic check will restrict `ResourceClaim.Status.Devices` +to be set only during updates, as the object will have first to be created and +allocated, then configured inside the pods. It will also restrict the +`ResourceClaim.Status.Devices` to be set only for when the `ResourceClaim` is +allocated to a node. Additionally, the allocated node where the `ResourceClaim` +is assigned will be used to check if the user/entity updating the +`ResourceClaim.Status.Devices` is running on the same node. If the user/entity is +not a node component it is assumed to be a cluster wide controller and will be able +to update any allocated ResourceClaim. Cluster wide controllers are also able to use +a wildcard `*` as a resource name to be able to update any driver. + +The allocated node for the `ResourceClaim` must be unique in the form of `nodeSelector.nodeSelectorTerms[0].matchFields[0].values[0] = ` and `nodeSelector.nodeSelectorTerms[0].matchFields[0].key = metadata.name` and `nodeSelector.nodeSelectorTerms[0].matchFields[0].operator = In`. Without this -unique format, the update of the devices in the status will be rejected. +unique format, the update of the devices in the status will fallback. to cluster wide authorization. + +Here is a `ResourceClaim` allocated on a node: -Here is a `ResourceClaim` allocated on a node. This would only work for now if -exactly one node is set: ```yaml -apiVersion: resource.k8s.io/v1alpha3 +apiVersion: resource.k8s.io/v1 kind: ResourceClaim metadata: ... @@ -339,46 +341,33 @@ status: ... ``` -Here is an example of how the `ValidatingAdmissionPolicy` could look like: +Here is an example of how the `ClusterRole` could look like for a driver running in a node: + ```yaml ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: - name: "resourceclaim-device-status-update" -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: ["resource.k8s.io"] - apiVersions: ["*"] - operations: ["UPDATE"] - resources: ["resourceclaims"] - matchConditions: - - name: 'device-status-update' - expression: >- # Validation only for objects with their .status.devices updated. - object.status.devices != oldObject.status.devices - validations: - - expression: >- # User node must be the same node as the one where the ResourceClaim is allocated. - variables.userNodeName != variables.objectNodeName - messageExpression: >- - "User '" + request.userInfo.username + "' on node '" + variables.userNodeName + "' is not allowed to update the .status.devices of a ResourceClaim allocated on node '" + variables.objectNodeName + "'." - reason: Forbidden - variables: - - name: userNodeName - expression: >- - request.userInfo.extra[?'authentication.kubernetes.io/node-name'][0].orValue('') - - name: objectNodeName - expression: >- - object.status.allocation.nodeSelector.nodeSelectorTerms[0].matchFields[0].values[0].orValue('') ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding + name: my-driver-status-updater +rules: +- apiGroups: ["resource.k8s.io"] + resources: ["drivers"] + verbs: ["update-device-status"] + resourceNames: ["my-driver.example.com"] +``` + +Here is an example of how the `ClusterRole` could look like for a controller that +updates multiple drivers: + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: - name: "resourceclaim-device-status-update-binding" -spec: - policyName: "resourceclaim-device-status-update" - validationActions: [Deny] + name: my-driver-status-updater +rules: +- apiGroups: ["resource.k8s.io"] + resources: ["drivers"] + verbs: ["update-device-status"] + resourceNames: ["*"] ``` ### Test Plan @@ -409,18 +398,17 @@ Coverage: * With the feature gate enabled, the field exists in the `ResourceClaim`. * With the feature gate disabled, the field does not exist in the `ResourceClaim`. - * With the feature gate enabled, the `ValidatingAdmissionPolicy` exists and - restricts the write access of the `ResourceClaim.Status.Devices`. + * With the feature gate enabled, the rbac restricts the write access of the `ResourceClaim.Status.Devices`. ##### e2e tests The [DRA test driver](https://github.com/kubernetes/kubernetes/tree/master/test/e2e/dra/test-driver) -will be extended to support the new `ResourceClaim.Status.Devices` field and to +will be extended to support the new `ResourceClaim.Status.Devices` field and to populate it with data related to the device configured in the pod. A new network DRA Driver will be implemented (or extended from the existing DRA test driver) to support networking type of devices and report their -network status. +network status and validate the rbac permissions are respected. ### Graduation Criteria diff --git a/keps/sig-node/4817-resource-claim-device-status/kep.yaml b/keps/sig-node/4817-resource-claim-device-status/kep.yaml index f89f0e96aad..f25a88601fe 100644 --- a/keps/sig-node/4817-resource-claim-device-status/kep.yaml +++ b/keps/sig-node/4817-resource-claim-device-status/kep.yaml @@ -29,13 +29,13 @@ see-also: # The target maturity stage in the current dev cycle for this KEP. stage: stable -latest-milestone: "v1.35" +latest-milestone: "v1.36" # The milestone at which this feature was, or is targeted to be, at each stage. milestone: alpha: "v1.32" beta: "v1.33" - stable: "v1.35" + stable: "v1.36" # The following PRR answers are required at alpha release # List the feature gate name and the components for which it must be enabled