DRA: document beta

As part of promoting the core DRA to beta, the admin access feature gate was
added to keep that aspect as alpha.
pull/48330/head
Patrick Ohly 2024-10-14 08:27:40 +02:00
parent ee231f71d7
commit 977df6e638
3 changed files with 64 additions and 5 deletions

View File

@ -39,7 +39,7 @@ v{{< skew currentVersion>}}, check the documentation for that version of Kuberne
## API ## API
The `resource.k8s.io/v1alpha3` The `resource.k8s.io/v1beta1`
{{< glossary_tooltip text="API group" term_id="api-group" >}} provides these types: {{< glossary_tooltip text="API group" term_id="api-group" >}} provides these types:
ResourceClaim ResourceClaim
@ -85,7 +85,7 @@ Here is an example for a fictional resource driver. Two ResourceClaim objects
will get created for this Pod and each container gets access to one of them. will get created for this Pod and each container gets access to one of them.
```yaml ```yaml
apiVersion: resource.k8s.io/v1alpha3 apiVersion: resource.k8s.io/v1beta1
kind: DeviceClass kind: DeviceClass
name: resource.example.com name: resource.example.com
spec: spec:
@ -93,7 +93,7 @@ spec:
- cel: - cel:
expression: device.driver == "resource-driver.example.com" expression: device.driver == "resource-driver.example.com"
--- ---
apiVersion: resource.k8s.io/v1alpha2 apiVersion: resource.k8s.io/v1beta1
kind: ResourceClaimTemplate kind: ResourceClaimTemplate
metadata: metadata:
name: large-black-cat-claim-template name: large-black-cat-claim-template
@ -200,6 +200,37 @@ spec:
You may also be able to mutate the incoming Pod, at admission time, to unset You may also be able to mutate the incoming Pod, at admission time, to unset
the `.spec.nodeName` field and to use a node selector instead. the `.spec.nodeName` field and to use a node selector instead.
## Admin access
{{< feature-state feature_gate_name="DRAAdminAccess" >}}
A ResourceClaim with admin access grants access to devices which are in use and
may enable additional permissions when making the device available in a
container:
```yaml
apiVersion: resource.k8s.io/v1beta1
kind: ResourceClaimTemplate
metadata:
name: large-black-cat-claim-template
spec:
spec:
devices:
requests:
- name: req-0
deviceClassName: resource.example.com
adminAccess: true
```
If this feature is disabled, the `adminAccess` field will be removed
automatically when creating such a ResourceClaim.
Admin access is a privileged mode which should not be made available to normal
users in a multi-tenant cluster. Cluster administrators can restrict usage of
this features by installing a validating admission policy similar to
[the in-tree example](https://github.com/kubernetes/kubernetes/blob/33ea278/test/e2e/dra/test-driver/deploy/example/admin-access-policy.yaml)
when enabling this feature.
## ResourceClaim Device Status ## ResourceClaim Device Status
{{< feature-state feature_gate_name="DRAResourceClaimDeviceStatus" >}} {{< feature-state feature_gate_name="DRAResourceClaimDeviceStatus" >}}
@ -219,9 +250,9 @@ existing ResourceClaim where the `status.devices` field is set.
## Enabling dynamic resource allocation ## Enabling dynamic resource allocation
Dynamic resource allocation is an *alpha feature* and only enabled when the Dynamic resource allocation is a *beta feature* which is off by default and only enabled when the
`DynamicResourceAllocation` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) `DynamicResourceAllocation` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
and the `resource.k8s.io/v1alpha3` {{< glossary_tooltip text="API group" term_id="api-group" >}} and the `resource.k8s.io/v1beta1` {{< glossary_tooltip text="API group" term_id="api-group" >}}
are enabled. For details on that, see the `--feature-gates` and `--runtime-config` are enabled. For details on that, see the `--feature-gates` and `--runtime-config`
[kube-apiserver parameters](/docs/reference/command-line-tools-reference/kube-apiserver/). [kube-apiserver parameters](/docs/reference/command-line-tools-reference/kube-apiserver/).
kube-scheduler, kube-controller-manager and kubelet also need the feature gate. kube-scheduler, kube-controller-manager and kubelet also need the feature gate.
@ -258,6 +289,12 @@ include it.
In addition to enabling the feature in the cluster, a resource driver also has to In addition to enabling the feature in the cluster, a resource driver also has to
be installed. Please refer to the driver's documentation for details. be installed. Please refer to the driver's documentation for details.
### Enabling admin access
Admin access is an *alpha feature* and only enabled when the
`DRAAdminAccess` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
is enabled in the kube-apiserver and kube-scheduler.
### Enabling Device Status ### Enabling Device Status
[ResourceClaim Device Status](#resourceclaim-device-status) is an *alpha feature* [ResourceClaim Device Status](#resourceclaim-device-status) is an *alpha feature*

View File

@ -0,0 +1,18 @@
---
title: DRAAdminAccess
content_type: feature_gate
_build:
list: never
render: false
stages:
- stage: alpha
defaultValue: false
fromVersion: "1.32"
---
Enables support for requesting [admin access](/docs/concepts/scheduling-eviction/dynamic-resource-allocation/#admin-access)
in a ResourceClaim. A ResourceClaim
with admin access grants access to devices which are in use and may enable
additional access permissions when making the device available in a container.
Has no effect unless DynamicResourceAllocation is also enabled.

View File

@ -9,6 +9,10 @@ stages:
- stage: alpha - stage: alpha
defaultValue: false defaultValue: false
fromVersion: "1.30" fromVersion: "1.30"
toVersion: "1.31"
- stage: beta
defaultValue: false
fromVersion: "1.32"
--- ---
Enables support for resources with custom parameters and a lifecycle Enables support for resources with custom parameters and a lifecycle
that is independent of a Pod. Allocation of resources is handled that is independent of a Pod. Allocation of resources is handled