Update deployment for Kubernetes 1.31

deployments/helm/dra-example-driver/templates/clusterrole.yaml

@@ -5,9 +5,12 @@ metadata:
   name: {{ include "dra-example-driver.fullname" . }}-role
   namespace: {{ include "dra-example-driver.namespace" . }}
 rules:
-- apiGroups:
-  - ""
-  - resource.k8s.io
-  - gpu.resource.example.com
-  resources: ["*"]
-  verbs: ["*"]
+- apiGroups: ["resource.k8s.io"]
+  resources: ["resourceclaims"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get"]
+- apiGroups: ["resource.k8s.io"]
+  resources: ["resourceslices"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

deployments/helm/dra-example-driver/templates/validatingadmissionpolicy.admin.yaml

@@ -0,0 +1,45 @@
+# This example shows how to use a validating admission policy (VAP)
+# to control who may use "admin access", a privileged mode which
+# grants access to devices which are currently in use, potentially
+# by some other user.
+#
+# The policy applies in any namespace which does not have the
+# "admin-access-dra-example-driver" label.
+# Other ways of making that decision are also possible.
+#
+# Cluster administrators need to adapt at least the names and replace
+# "dra-example-driver.fullname".
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: resourceclaim-policy-{{ include "dra-example-driver.fullname" . }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["resource.k8s.io"]
+      apiVersions: ["v1alpha3"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["resourceclaims"]
+  validations:
+    - expression: '! object.spec.devices.requests.exists(e, has(e.adminAccess) && e.adminAccess)'
+      reason: Forbidden
+      messageExpression: '"admin access to devices not enabled"'
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: resourceclaimtemplate-policy-{{ include "dra-example-driver.fullname" . }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["resource.k8s.io"]
+      apiVersions: ["v1alpha3"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["resourceclaimtemplates"]
+  validations:
+    - expression: '! object.spec.spec.devices.requests.exists(e, has(e.adminAccess) && e.adminAccess)'
+      reason: Forbidden
+      messageExpression: '"admin access to devices not enabled"'

deployments/helm/dra-example-driver/templates/validatingadmissionpolicy.yaml

@@ -0,0 +1,31 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: resourceslices-policy-{{ include "dra-example-driver.fullname" . }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["resource.k8s.io"]
+      apiVersions: ["v1alpha3"]
+      operations:  ["CREATE", "UPDATE", "DELETE"]
+      resources:   ["resourceslices"]
+  matchConditions:
+  - name: isRestrictedUser
+    expression: >-
+      request.userInfo.username == "system:serviceaccount:{{ include "dra-example-driver.namespace" . }}:{{ include "dra-example-driver.serviceAccountName" . }}"
+  variables:
+  - name: userNodeName
+    expression: >-
+      request.userInfo.extra[?'authentication.kubernetes.io/node-name'][0].orValue('')
+  - name: objectNodeName
+    expression: >-
+      (request.operation == "DELETE" ? oldObject : object).spec.?nodeName.orValue("")
+  validations:
+  - expression: variables.userNodeName != ""
+    message: >-
+      no node association found for user, this user must run in a pod on a node and ServiceAccountTokenPodNodeInfo must be enabled
+  - expression: variables.userNodeName == variables.objectNodeName
+    messageExpression: >-
+      "this user running on node '"+variables.userNodeName+"' may not modify " +
+      (variables.objectNodeName == "" ?"cluster resourceslices" : "resourceslices on node '"+variables.objectNodeName+"'")

deployments/helm/dra-example-driver/templates/validatingadmissionpolicybinding.admin.yaml

@@ -0,0 +1,37 @@
+# This example shows how to use a validating admission policy (VAP)
+# to control who may use "admin access", a privileged mode which
+# grants access to devices which are currently in use, potentially
+# by some other user.
+#
+# The policy applies in any namespace which does not have the
+# "admin-access-dra-example-driver" label.
+# Other ways of making that decision are also possible.
+#
+# Cluster administrators need to adapt at least the names and replace
+# "dra-example-driver".
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: resourceclaim-binding-{{ include "dra-example-driver.fullname" . }}
+spec:
+  policyName: resourceclaim-policy-{{ include "dra-example-driver.fullname" . }}
+  validationActions: [Deny]
+  matchResources:
+    namespaceSelector:
+      matchExpressions:
+      - key: admin-access-{{ include "dra-example-driver.fullname" . }}
+        operator: DoesNotExist
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: resourceclaimtemplate-binding-{{ include "dra-example-driver.fullname" . }}
+spec:
+  policyName:  resourceclaimtemplate-policy-{{ include "dra-example-driver.fullname" . }}
+  validationActions: [Deny]
+  matchResources:
+    namespaceSelector:
+      matchExpressions:
+      - key: admin-access-{{ include "dra-example-driver.fullname" . }}
+        operator: DoesNotExist

deployments/helm/dra-example-driver/templates/validatingadmissionpolicybinding.yaml

@@ -0,0 +1,8 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: resourceslices-policy-{{ include "dra-example-driver.fullname" . }}
+spec:
+  policyName: resourceslices-policy-{{ include "dra-example-driver.fullname" . }}
+  validationActions: [Deny]
+  # All ResourceSlices are matched.