diff --git a/content/en/docs/proxy/reference.md b/content/en/docs/proxy/reference.md index 4414c97..7b813d0 100644 --- a/content/en/docs/proxy/reference.md +++ b/content/en/docs/proxy/reference.md @@ -28,12 +28,14 @@ Resource Types: GlobalProxySettings is the Schema for the globalproxysettings API. + | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | | **apiVersion** | string | capsule.clastix.io/v1beta1 | true | | **kind** | string | GlobalProxySettings | true | | **[metadata](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta)** | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true | -| **[spec](#globalproxysettingsspec)** | object | GlobalProxySettingsSpec defines the desired state of GlobalProxySettings. | false | +| **[spec](#globalproxysettingsspec)** | object |GlobalProxySettingsSpec defines the desired state of GlobalProxySettings. +| false | ### GlobalProxySettings.spec @@ -42,9 +44,11 @@ GlobalProxySettings is the Schema for the globalproxysettings API. GlobalProxySettingsSpec defines the desired state of GlobalProxySettings. + | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[rules](#globalproxysettingsspecrulesindex)** | []object | Subjects that should receive additional permissions.
The subjects are selected based on the oncoming requests. They don't have to relate to an existing tenant.
However they must be part of the capsule-user groups. | true | +| **[rules](#globalproxysettingsspecrulesindex)** | []object |Subjects that should receive additional permissions.
The subjects are selected based on the oncoming requests. They don't have to relate to an existing tenant.
However they must be part of the capsule-user groups. +| true | ### GlobalProxySettings.spec.rules[index] @@ -53,10 +57,13 @@ GlobalProxySettingsSpec defines the desired state of GlobalProxySettings. + | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[subjects](#globalproxysettingsspecrulesindexsubjectsindex)** | []object | Subjects that should receive additional permissions.
The subjects are selected based on the oncoming requests. They don't have to relate to an existing tenant.
However they must be part of the capsule-user groups. | true | -| **[clusterResources](#globalproxysettingsspecrulesindexclusterresourcesindex)** | []object | Cluster Resources for tenant Owner. | false | +| **[subjects](#globalproxysettingsspecrulesindexsubjectsindex)** | []object |Subjects that should receive additional permissions.
The subjects are selected based on the oncoming requests. They don't have to relate to an existing tenant.
However they must be part of the capsule-user groups. +| true | +| **[clusterResources](#globalproxysettingsspecrulesindexclusterresourcesindex)** | []object |Cluster Resources for tenant Owner. +| false | ### GlobalProxySettings.spec.rules[index].subjects[index] @@ -65,10 +72,13 @@ GlobalProxySettingsSpec defines the desired state of GlobalProxySettings. + | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **kind** | enum | Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount".
*Enum*: User, Group, ServiceAccount
| true | -| **name** | string | Name of tenant owner. | true | +| **kind** | enum |Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount".
*Enum*: User, Group, ServiceAccount
+| true | +| **name** | string |Name of tenant owner. +| true | ### GlobalProxySettings.spec.rules[index].clusterResources[index] @@ -77,12 +87,17 @@ GlobalProxySettingsSpec defines the desired state of GlobalProxySettings. + | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **apiGroups** | []string | APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against any resource listed will be allowed. '*' represents all resources. Empty string represents v1 api resources. | true | -| **resources** | []string | Resources is a list of resources this rule applies to. '*' represents all resources. | true | -| **[selector](#globalproxysettingsspecrulesindexclusterresourcesindexselector)** | object | Select all cluster scoped resources with the given label selector.
Defining a selector which does not match any resources is considered not selectable (eg. using operation NotExists). | true | -| **operations** | []enum | Operations which can be executed on the selected resources.
Deprecated: For all registered Routes only LIST ang GET requests will intercepted
Other permissions must be implemented via kubernetes native RBAC
*Enum*: List, Update, Delete
| false | +| **apiGroups** | []string |APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against any resource listed will be allowed. '*' represents all resources. Empty string represents v1 api resources. +| true | +| **resources** | []string |Resources is a list of resources this rule applies to. '*' represents all resources. +| true | +| **[selector](#globalproxysettingsspecrulesindexclusterresourcesindexselector)** | object |Select all cluster scoped resources with the given label selector.
Defining a selector which does not match any resources is considered not selectable (eg. using operation NotExists). +| true | +| **operations** | []enum |Operations which can be executed on the selected resources.
Deprecated: For all registered Routes only LIST ang GET requests will intercepted
Other permissions must be implemented via kubernetes native RBAC

*Enum*: List, Update, Delete
+| false | ### GlobalProxySettings.spec.rules[index].clusterResources[index].selector @@ -92,10 +107,13 @@ GlobalProxySettingsSpec defines the desired state of GlobalProxySettings. Select all cluster scoped resources with the given label selector. Defining a selector which does not match any resources is considered not selectable (eg. using operation NotExists). + | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#globalproxysettingsspecrulesindexclusterresourcesindexselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | -| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | +| **[matchExpressions](#globalproxysettingsspecrulesindexclusterresourcesindexselectormatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. +| false | +| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. +| false | ### GlobalProxySettings.spec.rules[index].clusterResources[index].selector.matchExpressions[index] @@ -105,11 +123,15 @@ Defining a selector which does not match any resources is considered not selecta A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string | key is the label key that the selector applies to. | true | -| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | -| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | +| **key** | string |key is the label key that the selector applies to. +| true | +| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. +| true | +| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. +| false | ## ProxySetting @@ -120,12 +142,14 @@ relates the key and values. ProxySetting is the Schema for the proxysettings API. + | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | | **apiVersion** | string | capsule.clastix.io/v1beta1 | true | | **kind** | string | ProxySetting | true | | **[metadata](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta)** | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true | -| **[spec](#proxysettingspec)** | object | ProxySettingSpec defines the additional Capsule Proxy settings for additional users of the Tenant.
Resource is Namespace-scoped and applies the settings to the belonged Tenant. | false | +| **[spec](#proxysettingspec)** | object |ProxySettingSpec defines the additional Capsule Proxy settings for additional users of the Tenant.
Resource is Namespace-scoped and applies the settings to the belonged Tenant. +| false | ### ProxySetting.spec @@ -135,9 +159,11 @@ ProxySetting is the Schema for the proxysettings API. ProxySettingSpec defines the additional Capsule Proxy settings for additional users of the Tenant. Resource is Namespace-scoped and applies the settings to the belonged Tenant. + | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[subjects](#proxysettingspecsubjectsindex)** | []object | Subjects that should receive additional permissions. | true | +| **[subjects](#proxysettingspecsubjectsindex)** | []object |Subjects that should receive additional permissions. +| true | ### ProxySetting.spec.subjects[index] @@ -146,12 +172,17 @@ Resource is Namespace-scoped and applies the settings to the belonged Tenant. + | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **kind** | enum | Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount"
*Enum*: User, Group, ServiceAccount
| true | -| **name** | string | Name of tenant owner. | true | -| **[clusterResources](#proxysettingspecsubjectsindexclusterresourcesindex)** | []object | Cluster Resources for tenant Owner. | false | -| **[proxySettings](#proxysettingspecsubjectsindexproxysettingsindex)** | []object | Proxy settings for tenant owner. | false | +| **kind** | enum |Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount"
*Enum*: User, Group, ServiceAccount
+| true | +| **name** | string |Name of tenant owner. +| true | +| **[clusterResources](#proxysettingspecsubjectsindexclusterresourcesindex)** | []object |Cluster Resources for tenant Owner. +| false | +| **[proxySettings](#proxysettingspecsubjectsindexproxysettingsindex)** | []object |Proxy settings for tenant owner. +| false | ### ProxySetting.spec.subjects[index].clusterResources[index] @@ -160,12 +191,17 @@ Resource is Namespace-scoped and applies the settings to the belonged Tenant. + | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **apiGroups** | []string | APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against any resource listed will be allowed. '*' represents all resources. Empty string represents v1 api resources. | true | -| **resources** | []string | Resources is a list of resources this rule applies to. '*' represents all resources. | true | -| **[selector](#proxysettingspecsubjectsindexclusterresourcesindexselector)** | object | Select all cluster scoped resources with the given label selector.
Defining a selector which does not match any resources is considered not selectable (eg. using operation NotExists). | true | -| **operations** | []enum | Operations which can be executed on the selected resources.
Deprecated: For all registered Routes only LIST ang GET requests will intercepted
Other permissions must be implemented via kubernetes native RBAC
*Enum*: List, Update, Delete
| false | +| **apiGroups** | []string |APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against any resource listed will be allowed. '*' represents all resources. Empty string represents v1 api resources. +| true | +| **resources** | []string |Resources is a list of resources this rule applies to. '*' represents all resources. +| true | +| **[selector](#proxysettingspecsubjectsindexclusterresourcesindexselector)** | object |Select all cluster scoped resources with the given label selector.
Defining a selector which does not match any resources is considered not selectable (eg. using operation NotExists). +| true | +| **operations** | []enum |Operations which can be executed on the selected resources.
Deprecated: For all registered Routes only LIST ang GET requests will intercepted
Other permissions must be implemented via kubernetes native RBAC

*Enum*: List, Update, Delete
+| false | ### ProxySetting.spec.subjects[index].clusterResources[index].selector @@ -175,10 +211,13 @@ Resource is Namespace-scoped and applies the settings to the belonged Tenant. Select all cluster scoped resources with the given label selector. Defining a selector which does not match any resources is considered not selectable (eg. using operation NotExists). + | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **[matchExpressions](#proxysettingspecsubjectsindexclusterresourcesindexselectormatchexpressionsindex)** | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false | -| **matchLabels** | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. | false | +| **[matchExpressions](#proxysettingspecsubjectsindexclusterresourcesindexselectormatchexpressionsindex)** | []object |matchExpressions is a list of label selector requirements. The requirements are ANDed. +| false | +| **matchLabels** | map[string]string |matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. +| false | ### ProxySetting.spec.subjects[index].clusterResources[index].selector.matchExpressions[index] @@ -188,11 +227,15 @@ Defining a selector which does not match any resources is considered not selecta A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **key** | string | key is the label key that the selector applies to. | true | -| **operator** | string | operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. | true | -| **values** | []string | values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. | false | +| **key** | string |key is the label key that the selector applies to. +| true | +| **operator** | string |operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. +| true | +| **values** | []string |values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. +| false | ### ProxySetting.spec.subjects[index].proxySettings[index] @@ -201,8 +244,11 @@ relates the key and values. + | **Name** | **Type** | **Description** | **Required** | | :---- | :---- | :----------- | :-------- | -| **kind** | enum |
*Enum*: Nodes, StorageClasses, IngressClasses, PriorityClasses, RuntimeClasses, PersistentVolumes
| true | -| **operations** | []enum |
*Enum*: List, Update, Delete
| true | +| **kind** | enum |
*Enum*: Nodes, StorageClasses, IngressClasses, PriorityClasses, RuntimeClasses, PersistentVolumes
+| true | +| **operations** | []enum |
*Enum*: List, Update, Delete
+| true | diff --git a/content/en/docs/tenants/enforcement.md b/content/en/docs/tenants/enforcement.md index 6c3909e..a3e211f 100644 --- a/content/en/docs/tenants/enforcement.md +++ b/content/en/docs/tenants/enforcement.md 
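Review bot: Every rewritten row in these reference.md hunks (from `@@ -28,12 +28,14 @@` onward) moves the Required cell onto its own line, e.g. `| **[spec](#globalproxysettingsspec)** | object |GlobalProxySettingsSpec defines the desired state of GlobalProxySettings.` followed by `| false |`. In a GFM table each line is a row, so the rendered page gets a row whose Required column is empty and then a one-cell row reading "false" under Name, for every field of both CRDs. Keep each row on a single line as it was (`... | object | GlobalProxySettingsSpec defines the desired state of GlobalProxySettings. | false |`); if this file is generated, the fix belongs in the generator template, which in the same change also dropped the space after `|` before each description.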
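Review bot: In the `clusterResources[index]` hunks (`@@ -77,12 +87,17 @@` and `@@ -160,12 +191,17 @@`) the `operations` description keeps two typos: "only LIST ang GET requests will intercepted" should read "only LIST and GET requests will be intercepted". The same rows also contradict themselves: the deprecation note says only List and Get are intercepted and anything else must be granted through native RBAC, yet the enum still advertises `Update` and `Delete` (and `Get` is not an enum value). Say what the proxy does with `Update`/`Delete` entries (ignored or rejected) so a reader does not assume they grant write access through the proxy. If this page is generated from the CRD types, fix the field comments at the source.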
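Review bot: The `selector` rows and the selector section intros (`@@ -77,12 +87,17 @@`, `@@ -92,10 +107,13 @@`, `@@ -160,12 +191,17 @@`, `@@ -175,10 +211,13 @@`) say "eg. using operation NotExists", but `NotExists` is not a valid operator: the `matchExpressions[index]` rows on the same page list `In, NotIn, Exists and DoesNotExist`. Change it to `DoesNotExist` (and "eg." to "e.g.").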
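Review bot: In `@@ -201,8 +244,11 @@` the `kind` and `operations` fields of `ProxySetting.spec.subjects[index].proxySettings[index]` still have an empty description cell holding only the enum values. These are the fields that let a subject List/Update/Delete cluster-scoped kinds such as `Nodes` and `PersistentVolumes` through the proxy, so each deserves a one-line description (what `kind` selects, what each operation permits) in the CRD field comments.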
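Review bot: Wording carried over unchanged in `@@ -42,9 +44,11 @@` and `@@ -53,10 +57,13 @@`: "selected based on the oncoming requests" should be "incoming requests", and "However they must be part of the capsule-user groups" needs a comma after "However". In `@@ -146,12 +172,17 @@` the `kind` description lacks the trailing period its GlobalProxySettings counterpart has.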
@@ -350,7 +350,59 @@ Any attempt of Alice to change the selector on the `Pods` will result in an erro kubectl auth can-i edit ns -n solar-production no ``` +### Dynamic resource allocation (DRA) +Dynamic Resource Allocation (DRA) is a Kubernetes capability that allows Pods to request and use shared resources, typically external devices such as hardware accelerators. +See [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/dynamic-resource-allocation/) for more information. +Bill can assign a set of dedicated `DeviceClasses` to tell the `solar` `Tenant` what devices they can request. +```yaml +apiVersion: resource.k8s.io/v1 +kind: DeviceClass +metadata: + name: gpu.example.com + labels: + env: "production" +spec: + selectors: + - cel: + expression: device.driver == 'gpu.example.com' && device.attributes['gpu.example.com'].type + == 'gpu' + extendedResourceName: example.com/gpu +``` + +```yaml +apiVersion: capsule.clastix.io/v1beta2 +kind: Tenant +metadata: + name: solar +spec: + owners: + - name: alice + kind: User + deviceClasses: + matchLabels: + env: "production" +``` +With the said Tenant specification, Alice can create a ResourceClaim or ResourceClaimTemplate resource if spec.devices.requests[].deviceClassName ( ResourceClaim) or spec.spec.devices.requests[].deviceClassName ( ResourceClaimTemplate) equals to: + +* Any DeviceClass, which has the label env with the value production + +If any of the devices in the ResourceClaim or ResourceClaimTemplate spec is going to use a non-allowed DeviceClass, the entire request will be rejected by the Validation Webhook enforcing it. + +Alice now can create a ResourceClaim using only an allowed DeviceClass: +```yaml +apiVersion: resource.k8s.io/v1 +kind: ResourceClaim +metadata: + name: example-resource-claim + namespace: solar-production +spec: + devices: + requests: + - name: gpu-request + exactly: + deviceClassName: 'gpu.example.com' +``` ## Connectivity ### Services 
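Review bot: The field path in the prose does not match the example in this hunk: the text says the webhook checks `spec.devices.requests[].deviceClassName` (ResourceClaim) and `spec.spec.devices.requests[].deviceClassName` (ResourceClaimTemplate), but the `resource.k8s.io/v1` ResourceClaim example places the class under `exactly`, i.e. `spec.devices.requests[].exactly.deviceClassName`. In the v1 API a request may instead carry `firstAvailable[]` subrequests, each with its own `deviceClassName`; the text should state exactly which paths the webhook validates, including `firstAvailable` if it does, since an allow-list documented against one path is easy to misread. Smaller fixes in the same paragraphs: "equals to:" should be "is", "Alice now can create" should be "Alice can now create", and the stray spaces in "( ResourceClaim)" / "( ResourceClaimTemplate)" should go.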
diff --git a/content/en/docs/whats-new.md b/content/en/docs/whats-new.md index 000bd8a..aa434ab 100644 --- a/content/en/docs/whats-new.md +++ b/content/en/docs/whats-new.md @@ -19,6 +19,8 @@ weight: 1 * Delegate Administrators for capsule tenants. Administrators have full control (ownership) over all tenants and their namespaces. [Read More](/docs/operating/architecture/#capsule-administrators) +* Added Dynamic Resource Allocation (DRA) support. Administrators can now assign allowed DeviceClasses to tenant owners. [Read More](/docs/tenants/enforcement/#dynamic-resource-allocation-dra) + * All available Classes for a tenant (StorageClasses, GatewayClasses, RuntimeClasses, PriorityClasses, DeviceClasses) are now reported in the Tenant Status. These values can be used by Admission to integrate other resources validation or by external systems for reporting purposes ([Example](/docs/operating/admission-policies/#class-validation)). ```yaml
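Review bot: The new bullet says DeviceClasses are assigned "to tenant owners", but the enforcement page it links to sets `spec.deviceClasses` on the `Tenant` itself and the webhook rejects any ResourceClaim or ResourceClaimTemplate in the tenant's namespace that references a non-allowed class. Suggest "assign allowed DeviceClasses to tenants" so the scope of the restriction is not understated.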