Skip to content

Commit a4d5483

Browse files
ritazhritazh
committed
address comments
Signed-off-by: Rita Zhang <[email protected]>
1 parent 03b2978 commit a4d5483

File tree

1 file changed

+8
-10
lines changed

1 file changed

+8
-10
lines changed

keps/sig-node/5018-dra-adminaccess/README.md

Lines changed: 8 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -187,11 +187,10 @@ objects as privileged. This feature includes:
187187

188188
1. Grants privileged access to the requested device:
189189

190-
For requests with `adminAccess: true`, the DRA controller bypasses standard
190+
For requests with `adminAccess: true`, the scheduler bypasses standard
191191
allocation checks and allows administrators to access devices already in use.
192192
This ensures privileged tasks like monitoring or diagnostics can be performed
193-
without disrupting existing allocations. The controller also logs and audits
194-
admin-access requests for security and traceability.
193+
without disrupting existing allocations.
195194

196195
1. No impact on availability of claims:
197196

@@ -245,7 +244,7 @@ type DeviceRequest struct {
245244
//
246245
// +optional
247246
// +featureGate=DRAAdminAccess
248-
AdminAccess *bool `json:"adminAccess,omitempty" protobuf:"bytes,6,opt,name=adminAccess"`
247+
AdminAccess *bool
249248
}
250249
```
251250

@@ -285,13 +284,12 @@ admin namespace label.
285284
### Kube-controller-manager Changes
286285

287286
In pkg/controller/resourceclaim/controller.go, process `ResourceClaim` in
288-
`syncClaim` function to check for the `adminAccess` field and bypass standard
289-
allocation checks if `adminAccess: true` and log it for security and
290-
traceability.
287+
`syncClaim` function to check for the `adminAccess` field and the feature gate
288+
enablement to ensure the field can be set.
291289

292290
// TODO: what part of claim.Status.Allocation should be updated? e.g.
293-
AdminAccess is part of DeviceRequestAllocationResult but need to set it for each
294-
device?
291+
AdminAccess is part of `DeviceRequestAllocationResult` but need to set it for
292+
each device?
295293

296294
In pkg/controller/resourceclaim/controller.go, process requests in `handleClaim`
297295
function to prevent creation of `ResourceClaim` when the `ResourceClaimTemplate`
@@ -301,7 +299,7 @@ has the `adminAccess` field while the feature gate is turned off.
301299

302300
In pkg/scheduler/framework/plugins/dynamicresources/allocateddevices.go, handle
303301
claims with `adminAccess` to ensure devices allocated with `adminAccess` are
304-
skipped without invoking the callback.
302+
skipped without invoking the callback bypassing standard allocation checks.
305303

306304
### ResourceQuota
307305

0 commit comments

Comments
 (0)