DRA: add CEL cost limit

keps/sig-node/4381-dra-structured-parameters/README.md

@@ -1538,19 +1538,35 @@ type CELDeviceSelector struct {
     // same domain. For example:
     //
     //     cel.bind(dra, device.attributes["dra.example.com"], dra.someBool && dra.anotherBool)
+    //
+	// The length of the expression must be smaller or equal to 10 Ki. The
+	// cost of evaluating it is also limited based on the estimated number
+	// of logical steps. Validation against those limits happens only when
+	// setting an expression for the first time or when changing
+	// it. Therefore it is possible to change these limits without
+	// affecting stored expressions. Those remain valid.
     //
     // +required
     Expression string
 }
-```
 
-<<[UNRESOLVED pohly]>>
-
-Describe how CEL cost limits work.
+// CELSelectorExpressionMaxCost specifies the cost limit for a single CEL selector
+// evaluation.
+//
+// There is no overall budget for selecting a device, so the actual time
+// required for that is proportional to the number of CEL selectors and how
+// often they need to be evaluated, which can vary depending on several factors
+// (number of devices, cluster utilization, additional constraints).
+//
+// According to
+// https://github.com/kubernetes/kubernetes/blob/4aeaf1e99e82da8334c0d6dddd848a194cd44b4f/staging/src/k8s.io/apiserver/pkg/apis/cel/config.go#L20-L22,
+// this gives roughly 0.1 second for each expression evaluation.
+// However, this depends on how fast the machine is.
+const CELSelectorExpressionMaxCost = 1000000
 
-<<[/UNRESOLVED]>>
+// CELSelectorExpressionMaxLength is the maximum length of a CEL selector expression string.
+const CELSelectorExpressionMaxLength = 10 * 1024
 
-```yaml
 // DeviceConstraint must have exactly one field set besides Requests.
 type DeviceConstraint struct {
     // Requests is a list of the one or more requests in this claim which