diff --git a/deployments/helm/k8s-dra-driver/templates/clusterrole.yaml b/deployments/helm/k8s-dra-driver/templates/clusterrole.yaml
index a060eebce..cf1679fbc 100644
--- a/deployments/helm/k8s-dra-driver/templates/clusterrole.yaml
+++ b/deployments/helm/k8s-dra-driver/templates/clusterrole.yaml
@@ -5,10 +5,15 @@ metadata:
   name: {{ include "k8s-dra-driver.fullname" . }}-role
   namespace: {{ include "k8s-dra-driver.namespace" . }}
 rules:
-- apiGroups:
-  - ""
-  - apps
-  - resource.k8s.io
-  - gpu.nvidia.com
-  resources: ["*"]
-  verbs: ["*"]
+- apiGroups: ["resource.k8s.io"]
+  resources: ["resourceclaims"]
+  verbs: ["get"]
+- apiGroups: ["resource.k8s.io"]
+  resources: ["resourceclaims/status"]
+  verbs: ["update"]
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get"]
+- apiGroups: ["resource.k8s.io"]
+  resources: ["resourceslices"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
diff --git a/deployments/helm/k8s-dra-driver/templates/validatingadmissionpolicy.yaml b/deployments/helm/k8s-dra-driver/templates/validatingadmissionpolicy.yaml
new file mode 100644
index 000000000..82c3bab5f
--- /dev/null
+++ b/deployments/helm/k8s-dra-driver/templates/validatingadmissionpolicy.yaml
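Review bot: The new `resourceslices` rule still grants every node's plugin cluster-wide `create`/`update`/`patch`/`delete` on all ResourceSlices; nothing in this ClusterRole limits a plugin to its own node's slices, so the tightening only holds if a separate admission policy is installed and the API server puts the caller's node name into the service-account token. That dependency deserves a comment on the rule so the next maintainer does not treat RBAC alone as the boundary, e.g. `# Cluster-wide by necessity (ResourceSlice is cluster-scoped); per-node scoping is enforced by the accompanying ValidatingAdmissionPolicy, which requires ServiceAccountTokenPodNodeInfo.` The ClusterRole definition starts above this hunk; the `namespace:` under `metadata` in the context lines predates this change and is ignored on a cluster-scoped object.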
@@ -0,0 +1,33 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: resourceslices-policy-{{ include "k8s-dra-driver.fullname" . }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups: ["resource.k8s.io"]
+      apiVersions: ["v1beta1"]
+      operations: ["CREATE", "UPDATE", "DELETE"]
+      resources: ["resourceslices"]
+  matchConditions:
+  - name: isRestrictedUser
+    expression: >-
+      request.userInfo.username == "system:serviceaccount:{{ include "k8s-dra-driver.namespace" . }}:{{ include "k8s-dra-driver.serviceAccountName" . }}"
+  variables:
+  - name: userNodeName
+    expression: >-
+      request.userInfo.extra[?'authentication.kubernetes.io/node-name'][0].orValue('')
+  - name: objectNodeName
+    expression: >-
+      (request.operation == "DELETE" ? oldObject : object).spec.?nodeName.orValue("")
+  - name: nodeSelectorValue
+    expression: >-
+      (request.operation == "DELETE" ? oldObject : object).spec.nodeSelector.nodeSelectorTerms[0].matchExpressions[0].values[0].orValue("")
+  validations:
+  - expression: variables.userNodeName != ""
+    message: >-
+      no node association found for user, this user must run in a pod on a node and ServiceAccountTokenPodNodeInfo must be enabled
+  - expression: variables.userNodeName == variables.objectNodeName || variables.nodeSelectorValue != ""
+    messageExpression: >-
+      "this user running on node '"+variables.userNodeName+"' may not modify cluster or node resourceslices"
diff --git a/deployments/helm/k8s-dra-driver/templates/validatingadmissionpolicybinding.yaml b/deployments/helm/k8s-dra-driver/templates/validatingadmissionpolicybinding.yaml
new file mode 100644
index 000000000..2a668b697
--- /dev/null
+++ b/deployments/helm/k8s-dra-driver/templates/validatingadmissionpolicybinding.yaml
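Review bot: The `|| variables.nodeSelectorValue != ""` disjunct in the second validation lets a plugin on one node create, update or delete any ResourceSlice that carries a nodeSelector, including slices whose selector targets other nodes or the whole cluster, because the selector value is only tested for being non-empty and is never compared with `variables.userNodeName`. If selector-scoped slices are meant to stay node-local, bind the selector to the caller's node, e.g. `variables.userNodeName == variables.objectNodeName || variables.nodeSelectorValue == variables.userNodeName` (ideally also pinning `matchExpressions[0].key` to `kubernetes.io/hostname`); if they are meant to be writable cluster-wide, that exception should be stated in a comment above the validation rather than left implicit. `nodeSelectorValue` also dereferences `spec.nodeSelector...values[0]` without the `?.` optional access that `objectNodeName` uses, so a slice with no selector or a values-less `Exists` expression presumably makes the expression error instead of yielding `""` — with `failurePolicy: Fail` that still denies, but with an evaluation-error message rather than the intended `messageExpression`. Finally, `apiVersions: ["v1beta1"]` only matches requests made through that version; `apiVersions: ["*"]` keeps the policy effective if the server also serves another ResourceSlice version.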
@@ -0,0 +1,8 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: resourceslices-policy-{{ include "k8s-dra-driver.fullname" . }}
+spec:
+  policyName: resourceslices-policy-{{ include "k8s-dra-driver.fullname" . }}
+  validationActions: [Deny]
+  # All ResourceSlices are matched.
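Review bot: `validationActions: [Deny]` rejects out-of-node writes but leaves no record of them, and a plugin trying to touch another node's slices is exactly the event a responder would want to see; add auditing alongside the denial, `validationActions: [Deny, Audit]`, so each violation is annotated on the audit event. The trailing `# All ResourceSlices are matched.` comment would read better if it named what is deliberately absent, e.g. `# No matchResources: the binding applies the policy to every request selected by its matchConstraints and matchConditions.`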