@@ -39,7 +39,7 @@ v{{< skew currentVersion>}}, check the documentation for that version of Kuberne
3939
4040## API
4141
42- The ` resource.k8s.io/v1alpha3 `
42+ The ` resource.k8s.io/v1beta1 `
4343{{< glossary_tooltip text="API group" term_id="api-group" >}} provides these types:
4444
4545ResourceClaim
@@ -85,15 +85,15 @@ Here is an example for a fictional resource driver. Two ResourceClaim objects
8585will get created for this Pod and each container gets access to one of them.
8686
8787``` yaml
88- apiVersion : resource.k8s.io/v1alpha3
88+ apiVersion : resource.k8s.io/v1beta1
8989kind : DeviceClass
9090name : resource.example.com
9191spec :
9292 selectors :
9393 - cel :
9494 expression : device.driver == "resource-driver.example.com"
9595---
96- apiVersion : resource.k8s.io/v1alpha2
96+ apiVersion : resource.k8s.io/v1beta1
9797kind : ResourceClaimTemplate
9898metadata :
9999 name : large-black-cat-claim-template
@@ -200,6 +200,37 @@ spec:
200200You may also be able to mutate the incoming Pod, at admission time, to unset
201201the `.spec.nodeName` field and to use a node selector instead.
202202
203+ # # Admin access
204+
205+ {{< feature-state feature_gate_name="DRAAdminAccess" >}}
206+
207+ A ResourceClaim with admin access grants access to devices which are in use and
208+ may enable additional permissions when making the device available in a
209+ container :
210+
211+ ` ` ` yaml
212+ apiVersion: resource.k8s.io/v1beta1
213+ kind: ResourceClaimTemplate
214+ metadata:
215+ name: large-black-cat-claim-template
216+ spec:
217+ spec:
218+ devices:
219+ requests:
220+ - name: req-0
221+ deviceClassName: resource.example.com
222+ adminAccess: true
223+ ` ` `
224+
225+ If this feature is disabled, the `adminAccess` field will be removed
226+ automatically when creating such a ResourceClaim.
227+
228+ Admin access is a privileged mode which should not be made available to normal
229+ users in a multi-tenant cluster. Cluster administrators can restrict usage of
230+ this features by installing a validating admission policy similar to
231+ [the in-tree example](https://github.com/kubernetes/kubernetes/blob/33ea278/test/e2e/dra/test-driver/deploy/example/admin-access-policy.yaml)
232+ when enabling this feature.
233+
203234# # ResourceClaim Device Status
204235
205236{{< feature-state feature_gate_name="DRAResourceClaimDeviceStatus" >}}
@@ -219,9 +250,9 @@ existing ResourceClaim where the `status.devices` field is set.
219250
220251# # Enabling dynamic resource allocation
221252
222- Dynamic resource allocation is an *alpha feature* and only enabled when the
253+ Dynamic resource allocation is a *beta feature* which is off by default and only enabled when the
223254` DynamicResourceAllocation` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
224- and the `resource.k8s.io/v1alpha3 ` {{< glossary_tooltip text="API group" term_id="api-group" >}}
255+ and the `resource.k8s.io/v1beta1 ` {{< glossary_tooltip text="API group" term_id="api-group" >}}
225256are enabled. For details on that, see the `--feature-gates` and `--runtime-config`
226257[kube-apiserver parameters](/docs/reference/command-line-tools-reference/kube-apiserver/).
227258kube-scheduler, kube-controller-manager and kubelet also need the feature gate.
@@ -258,6 +289,12 @@ include it.
258289In addition to enabling the feature in the cluster, a resource driver also has to
259290be installed. Please refer to the driver's documentation for details.
260291
292+ # ## Enabling admin access
293+
294+ Admin access is an *alpha feature* and only enabled when the
295+ ` DRAAdminAccess` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
296+ is enabled in the kube-apiserver and kube-scheduler.
297+
261298# ## Enabling Device Status
262299
263300[ResourceClaim Device Status](#resourceclaim-device-status) is an *alpha feature*
0 commit comments