5018 dra admin access (#49929)

* update DRA adminAccess docs for 1.33

Signed-off-by: Rita Zhang <[email protected]>

* address comments

Signed-off-by: Rita Zhang <[email protected]>

* address comments

Signed-off-by: Rita Zhang <[email protected]>

---------

Signed-off-by: Rita Zhang <[email protected]>

Author: ritazh

content/en/docs/concepts/scheduling-eviction/dynamic-resource-allocation.md

@@ -213,10 +213,10 @@ the `.spec.nodeName` field and to use a node selector instead.
 
 {{< feature-state feature_gate_name="DRAAdminAccess" >}}
 
-You can mark a request in a ResourceClaim or ResourceClaimTemplate as having privileged features.
-A request with admin access grants access to devices which are in use and
-may enable additional permissions when making the device available in a
-container:
+You can mark a request in a ResourceClaim or ResourceClaimTemplate as having
+privileged features for maintenance and troubleshooting tasks. A request with
+admin access grants access to in-use devices and may enable additional
+permissions when making the device available in a container:
 
 ```yaml
 apiVersion: resource.k8s.io/v1beta1
@@ -229,83 +229,19 @@ spec:
       requests:
       - name: req-0
         deviceClassName: resource.example.com
+        allocationMode: All
         adminAccess: true
 ```
 
 If this feature is disabled, the `adminAccess` field will be removed
 automatically when creating such a ResourceClaim.
 
-Admin access is a privileged mode which should not be made available to normal
-users in a multi-tenant cluster. Cluster administrators can restrict usage of
-this feature by installing a validating admission policy similar to the following
-example. Cluster administrators need to adapt at least the names and replace
-"dra.example.com".
-
-```yaml
-# Permission to use admin access is granted only in namespaces which have the
-# "admin-access.dra.example.com" label. Other ways of making that decision are
-# also possible.
-
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicy
-metadata:
-  name: resourceclaim-policy.dra.example.com
-spec:
-  failurePolicy: Fail
-  matchConstraints:
-    resourceRules:
-    - apiGroups:   ["resource.k8s.io"]
-      apiVersions: ["v1alpha3", "v1beta1"]
-      operations:  ["CREATE", "UPDATE"]
-      resources:   ["resourceclaims"]
-  validations:
-    - expression: '! object.spec.devices.requests.exists(e, has(e.adminAccess) && e.adminAccess)'
-      reason: Forbidden
-      messageExpression: '"admin access to devices not enabled"'
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
-  name: resourceclaim-binding.dra.example.com
-spec:
-  policyName:  resourceclaim-policy.dra.example.com
-  validationActions: [Deny]
-  matchResources:
-    namespaceSelector:
-      matchExpressions:
-      - key: admin-access.dra.example.com
-        operator: DoesNotExist
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicy
-metadata:
-  name: resourceclaimtemplate-policy.dra.example.com
-spec:
-  failurePolicy: Fail
-  matchConstraints:
-    resourceRules:
-    - apiGroups:   ["resource.k8s.io"]
-      apiVersions: ["v1alpha3", "v1beta1"]
-      operations:  ["CREATE", "UPDATE"]
-      resources:   ["resourceclaimtemplates"]
-  validations:
-    - expression: '! object.spec.spec.devices.requests.exists(e, has(e.adminAccess) && e.adminAccess)'
-      reason: Forbidden
-      messageExpression: '"admin access to devices not enabled"'
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
-  name: resourceclaimtemplate-binding.dra.example.com
-spec:
-  policyName:  resourceclaimtemplate-policy.dra.example.com
-  validationActions: [Deny]
-  matchResources:
-    namespaceSelector:
-      matchExpressions:
-      - key: admin-access.dra.example.com
-        operator: DoesNotExist
-```
+Admin access is a privileged mode and should not be granted to regular users in
+multi-tenant clusters. Starting with Kubernetes v1.33, only users authorized to
+create ResourceClaim or ResourceClaimTemplate objects in namespaces labeled with
+`resource.k8s.io/admin-access: "true"` (case-sensitive) can use the
+`adminAccess` field. This ensures that non-admin users cannot misuse the
+feature. 
 
 ## ResourceClaim Device Status
 

content/en/docs/reference/command-line-tools-reference/feature-gates/DRAAdminAccess.md

@@ -11,8 +11,12 @@ stages:
     fromVersion: "1.32"
 ---
 Enables support for requesting [admin access](/docs/concepts/scheduling-eviction/dynamic-resource-allocation/#admin-access)
-in a ResourceClaim. A ResourceClaim
-with admin access grants access to devices which are in use and may enable
-additional access permissions when making the device available in a container.
+in a ResourceClaim or a ResourceClaimTemplate. Admin access grants access to
+in-use devices and may enable additional permissions when making the device
+available in a container. Starting with Kubernetes v1.33, only users authorized
+to create ResourceClaim or ResourceClaimTemplate objects in namespaces labeled
+with `resource.k8s.io/admin-access: "true"` (case-sensitive) can use the
+`adminAccess` field. This ensures that non-admin users cannot misuse the
+feature. 
 
 This feature gate has no effect unless you also enable the `DynamicResourceAllocation` feature gate.

content/en/docs/reference/labels-annotations-taints/_index.md

@@ -2782,3 +2782,20 @@ Taint that kubeadm previously applied on control plane nodes to allow only criti
 workloads to schedule on them. Replaced by the
 [`node-role.kubernetes.io/control-plane`](#node-role-kubernetes-io-control-plane-taint)
 taint. kubeadm no longer sets or uses this deprecated taint.
+
+### resource.k8s.io/admin-access {resource-k8s-io-admin-access}
+
+Type: Label
+
+Example: `resource.k8s.io/admin-access: "true"`
+
+Used on: Namespace
+
+Used to grant administrative access to certain resource.k8s.io API types within
+a namespace. When this label is set on a namespace with the value `"true"`
+(case-sensitive), it allows the use of `adminAccess: true` in any namespaced
+`resource.k8s.io` API types. Currently, this permission applies to
+`ResourceClaim` and `ResourceClaimTemplate` objects.
+
+See [Dynamic Resource Allocation Admin access](/docs/concepts/scheduling-eviction/dynamic-resource-allocation/#enabling-admin-access)
+for more information.