1db11c07ff
As discussed during the KEP and code review of dynamic resource allocation for Kubernetes 1.26, to increase security kubelet should only get read access to those ResourceClaim objects that are needed by a pod on the node. This can be enforced easily by the node authorizer: - the names of the objects are defined by the pod status - there is no indirection as with volumes (pod -> pvc -> pv) Normally the graph only gets updated when a pod is not scheduled yet. Resource claim status changes can still happen after that, so they also must trigger an update. |
||
|---|---|---|
| .. | ||
| graph_populator.go | ||
| graph_test.go | ||
| graph.go | ||
| intset_test.go | ||
| intset.go | ||
| metrics.go | ||
| node_authorizer_test.go | ||
| node_authorizer.go | ||
| OWNERS | ||