update with tim suggestions

aojea · aojea · commit 8df4df1ffa2f · 2026-04-07T16:39:06.000Z
diff --git a/content/en/docs/concepts/scheduling-eviction/dynamic-resource-allocation.md b/content/en/docs/concepts/scheduling-eviction/dynamic-resource-allocation.md
@@ -383,7 +383,10 @@ DRA drivers can report driver-specific
 data for each allocated device in the `status.devices` field of a ResourceClaim.
 For example, the driver might list the IP addresses that are assigned to a
 network interface device. Updating this field requires specific synthetic RBAC permissions,
-see [Granular status authorization](#granular-status-authorization) for details.
+see
+[Hardening Guide - Dynamic Resource Allocation](/docs/concepts/security/hardening-guide/dynamic-resource-allocation/)
+and
+[Harden Dynamic Resource Allocation in Your Cluster](/docs/tasks/administer-cluster/hardening-dra/).
 
 The accuracy of the information that a driver adds to a ResourceClaim
 `status.devices` field depends on the driver. Evaluate drivers to decide whether
@@ -507,61 +510,14 @@ in the kube-apiserver, kube-scheduler, and kubelet.
 {{< feature-state feature_gate_name="DRAResourceClaimGranularStatusAuthorization" >}}
 
 Starting in Kubernetes v1.36, DRA enforces fine-grained authorization checks for updates
-to a `ResourceClaim`'s status. In addition to granting `update` permissions on the
-`resourceclaims/status` subresource, cluster administrators must grant permissions on
-specific "synthetic" subresources based on the exact fields a component needs to modify.
-This enforces the principle of least privilege between the scheduler, custom controllers,
-and DRA drivers.
-
-The authorization checks are divided into two synthetic subresources:
-
-- **`resourceclaims/binding`**: Required to modify `status.allocation` or `status.reservedFor`. 
-his permission is typically granted to the Kubernetes scheduler and custom allocation controllers.
-It requires standard `update` or `patch` verbs.
-
-- **`resourceclaims/driver`**: Required to modify `status.devices`. This check is performed per-driver
-and uses custom node-aware verb prefixes to prevent node-local drivers from tampering with devices on
-other nodes.
+to `ResourceClaim` status by using synthetic subresources and node-aware verbs.
 
-  - **`associated-node:<verb>`** (e.g., `associated-node:update`): Required for node-local drivers.
-  The API server automatically verifies that the ServiceAccount making the request is securely
-  associated with the node where the claim is allocated.
-  - **`arbitrary-node:<verb>`** (e.g., `arbitrary-node:update`): Required for control-plane drivers
-  or network controllers that manage device statuses across multiple nodes.
+For security hardening guidance, including RBAC examples for scheduler and DRA
+drivers, see
+[Hardening Guide - Dynamic Resource Allocation](/docs/concepts/security/hardening-guide/dynamic-resource-allocation/).
 
-**Example RBAC for a Node-Local Driver:**
-
-```yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: example-dra-node-driver
-rules:
-  - apiGroups: ["resource.k8s.io"]
-    resources: ["resourceclaims/status"]
-    verbs: ["get", "patch", "update"]
-  - apiGroups: ["resource.k8s.io"]
-    resources: ["resourceclaims/driver"]
-    verbs: ["associated-node:update", "associated-node:patch"]
-    resourceNames: ["dra.example.com"] # Limit to a specific driver
-```
-
-**Example RBAC for a multi-node status controller:**
-
-```yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: example-dra-status-controller
-rules:
-  - apiGroups: ["resource.k8s.io"]
-    resources: ["resourceclaims/status"]
-    verbs: ["get", "patch", "update"]
-  - apiGroups: ["resource.k8s.io"]
-    resources: ["resourceclaims/driver"]
-    verbs: ["arbitrary-node:update", "arbitrary-node:patch"]
-    resourceNames: ["dra.example.com"] # Limit to a specific driver
-```
+For a step-by-step cluster administrator procedure, see
+[Harden Dynamic Resource Allocation in Your Cluster](/docs/tasks/administer-cluster/hardening-dra/).
 
 ## DRA alpha features {#alpha-features}
 
diff --git a/content/en/docs/concepts/security/hardening-guide/dynamic-resource-allocation.md b/content/en/docs/concepts/security/hardening-guide/dynamic-resource-allocation.md
@@ -0,0 +1,116 @@
+---
+title: "Hardening Guide - Dynamic Resource Allocation"
+description: >
+  Information about hardening Dynamic Resource Allocation (DRA) authorization and access patterns.
+content_type: concept
+weight: 90
+---
+
+<!-- overview -->
+
+Dynamic Resource Allocation (DRA) adds powerful scheduling and device management
+capabilities. Because DRA components update `ResourceClaim` status, cluster
+administrators should configure authorization for those updates with explicit,
+least-privilege RBAC.
+
+{{< feature-state feature_gate_name="DRAResourceClaimGranularStatusAuthorization" >}}
+
+Starting in Kubernetes v1.36, DRA status updates use synthetic subresources and,
+in some cases, specialized node-aware verbs.
+
+<!-- body -->
+
+## Harden DRA status update permissions
+
+For DRA status updates,In addition to granting `update` permissions on the
+`resourceclaims/status` subresource, cluster administrators must grant permissions on
+specific "synthetic" subresources based on the exact fields a component needs to modify.
+This enforces the principle of least privilege between the scheduler, custom controllers,
+and DRA drivers.
+
+The DRA authorization checks are divided into two synthetic subresources:
+
+- **`resourceclaims/binding`**
+  - Required to modify `status.allocation` and `status.reservedFor`.
+  - Typically granted to the kube-scheduler and custom allocation controllers.
+  - Uses standard `update` and `patch` verbs.
+- **`resourceclaims/driver`**
+  - Required to modify `status.devices`.
+  - This check is performed per-driver to drivers from tampering with devices on different
+  nodes and/or from other drivers.
+  - Uses node-aware verbs for stricter scope.
+
+## Node-aware DRA verbs
+
+When authorizing updates to `resourceclaims/driver`, use the appropriate
+specialized verb prefix:
+
+- **`associated-node:<verb>`** (for example, `associated-node:update`)
+  - For node-local drivers.
+  - The API server verifies node association for the requesting driver.
+- **`arbitrary-node:<verb>`** (for example, `arbitrary-node:patch`)
+  - For control-plane or multi-node controllers that may update claims from
+    any node.
+
+## Example RBAC patterns
+
+### Scheduler and allocation controller permissions
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dra-binding-updater
+rules:
+  - apiGroups: ["resource.k8s.io"]
+    resources: ["resourceclaims/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["resource.k8s.io"]
+    resources: ["resourceclaims/binding"]
+    verbs: ["patch", "update"]
+```
+
+### Node-local DRA driver permissions
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dra-node-driver-status-updater
+rules:
+  - apiGroups: ["resource.k8s.io"]
+    resources: ["resourceclaims/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["resource.k8s.io"]
+    resources: ["resourceclaims/driver"]
+    verbs: ["associated-node:patch", "associated-node:update"]
+    resourceNames: ["dra.example.com"]
+```
+
+### Multi-node status controller permissions
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dra-multinode-status-updater
+rules:
+  - apiGroups: ["resource.k8s.io"]
+    resources: ["resourceclaims/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["resource.k8s.io"]
+    resources: ["resourceclaims/driver"]
+    verbs: ["arbitrary-node:patch", "arbitrary-node:update"]
+    resourceNames: ["dra.example.com"]
+```
+
+## Related cluster administrator task
+
+To apply these patterns in a running cluster, see
+[Harden Dynamic Resource Allocation in Your Cluster](/docs/tasks/administer-cluster/hardening-dra/).
+
+## {{% heading "whatsnext" %}}
+
+- [Authorization](/docs/reference/access-authn-authz/authorization/)
+- [Set Up DRA in a Cluster](/docs/tasks/configure-pod-container/assign-resources/set-up-dra-cluster/)
+- [Dynamic Resource Allocation](/docs/concepts/scheduling-eviction/dynamic-resource-allocation/)
diff --git a/content/en/docs/reference/access-authn-authz/authorization.md b/content/en/docs/reference/access-authn-authz/authorization.md
@@ -64,7 +64,7 @@ Kubernetes reviews only the following API request attributes:
  * **API request verb** - API verbs like `get`, `list`, `create`, `update`, `patch`, `watch`, `delete`, and `deletecollection` are used for resource requests. To determine the request verb for a resource API endpoint, see [request verbs and authorization](/docs/reference/access-authn-authz/authorization/#determine-the-request-verb).
  * **HTTP request verb** - Lowercased HTTP methods like `get`, `post`, `put`, and `delete` are used for non-resource requests.
  * **Resource** - The ID or name of the resource that is being accessed (for resource requests only) -- For resource requests using `get`, `update`, `patch`, and `delete` verbs, you must provide the resource name.
- * **Subresource** - The subresource that is being accessed (for resource requests only).
+ * **Subresource** - The subresource that is being accessed (for resource requests only). This can be a standard subresource (for example, `status` or `scale`) or a synthetic subresource used for fine-grained authorization.
  * **Namespace** - The namespace of the object that is being accessed (for namespaced resource requests only).
  * **API group** - The {{< glossary_tooltip text="API Group" term_id="api-group" >}} being accessed (for resource requests only). An empty string designates the _core_ [API group](/docs/reference/using-api/#api-groups).
 
@@ -104,6 +104,9 @@ Kubernetes sometimes checks authorization for additional permissions using speci
   * **approve** verb for CertificateSigningRequests, and **update** for revisions to existing approvals
 * [RBAC](/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping)
   * **bind** and **escalate** verbs on `roles` and `clusterroles` resources in the `rbac.authorization.k8s.io` API group.
+* [Dynamic Resource Allocation (DRA)](/docs/concepts/scheduling-eviction/dynamic-resource-allocation/)
+  * Synthetic subresources such as `resourceclaims/binding` and `resourceclaims/driver` in the `resource.k8s.io` API group.
+  * Node-aware verbs such as `associated-node:update`, `associated-node:patch`, `arbitrary-node:update`, and `arbitrary-node:patch` for DRA driver `resourceclaims/status` updates.
 
 ## Authorization context
 
diff --git a/content/en/docs/tasks/administer-cluster/hardening-dra.md b/content/en/docs/tasks/administer-cluster/hardening-dra.md
@@ -0,0 +1,112 @@
+---
+title: Harden Dynamic Resource Allocation in Your Cluster
+content_type: task
+weight: 330
+---
+
+<!-- overview -->
+
+This page shows cluster administrators how to harden authorization for
+Dynamic Resource Allocation (DRA), with a focus on least-privilege access for
+`ResourceClaim` status updates.
+
+<!-- prerequisites -->
+
+## {{% heading "prerequisites" %}}
+
+- {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
+- Dynamic Resource Allocation is configured in your cluster.
+- You can edit RBAC resources and restart or roll out DRA components.
+
+<!-- steps -->
+
+## Identify DRA components that write status
+
+Document which identities (usually ServiceAccounts) update ResourceClaim
+status in your cluster. Typical writers are:
+
+- kube-scheduler or a custom allocation controller
+- node-local DRA drivers
+- multi-node DRA status controllers
+
+## Grant least-privilege permissions for synthetic subresources
+
+Starting in Kubernetes v1.36, DRA status updates require synthetic subresource
+permissions in addition to `resourceclaims/status`.
+
+### Grant scheduler and allocation-controller permissions
+
+Apply a role that allows binding-related updates:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dra-binding-updater
+rules:
+  - apiGroups: ["resource.k8s.io"]
+    resources: ["resourceclaims/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["resource.k8s.io"]
+    resources: ["resourceclaims/binding"]
+    verbs: ["patch", "update"]
+```
+
+### Grant node-local driver permissions
+
+Use node-aware verbs for node-local drivers:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dra-node-driver-status-updater
+rules:
+  - apiGroups: ["resource.k8s.io"]
+    resources: ["resourceclaims/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["resource.k8s.io"]
+    resources: ["resourceclaims/driver"]
+    verbs: ["associated-node:patch", "associated-node:update"]
+    resourceNames: ["dra.example.com"]
+```
+
+### Grant multi-node controller permissions only when needed
+
+Use `arbitrary-node:*` only for components that must update from any node:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dra-multinode-status-updater
+rules:
+  - apiGroups: ["resource.k8s.io"]
+    resources: ["resourceclaims/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["resource.k8s.io"]
+    resources: ["resourceclaims/driver"]
+    verbs: ["arbitrary-node:patch", "arbitrary-node:update"]
+    resourceNames: ["dra.example.com"]
+```
+
+## Bind roles to explicit identities
+
+Create `ClusterRoleBinding` objects for each component identity, and avoid
+sharing a broad role across unrelated DRA components.
+
+Restrict `resourceclaims/driver` rules with `resourceNames` where possible so
+an identity can only write status for the specific DRA driver it operates.
+
+## Validate and monitor
+
+1. Verify each identity has only the required verbs and subresources.
+1. Confirm DRA status updates work after rollout.
+1. Watch API server audit events for denied `resourceclaims/binding` and
+   `resourceclaims/driver` requests.
+
+## {{% heading "whatsnext" %}}
+
+- [Hardening Guide - Dynamic Resource Allocation](/docs/concepts/security/hardening-guide/dynamic-resource-allocation/)
+- [Securing a Cluster](/docs/tasks/administer-cluster/securing-a-cluster/)
+- [Authorization](/docs/reference/access-authn-authz/authorization/)
diff --git a/content/en/docs/tasks/administer-cluster/securing-a-cluster.md b/content/en/docs/tasks/administer-cluster/securing-a-cluster.md
@@ -70,6 +70,14 @@ to prevent accidental escalation. You can make roles specific to your use case i
 
 Consult the [authorization reference section](/docs/reference/access-authn-authz/authorization/) for more information.
 
+If your cluster uses [Dynamic Resource Allocation (DRA)](/docs/concepts/scheduling-eviction/dynamic-resource-allocation/),
+review DRA synthetic subresource authorization (`resourceclaims/binding` and
+`resourceclaims/driver`) and grant only the minimum required verbs to each
+component. For details, see
+[Hardening Guide - Dynamic Resource Allocation](/docs/concepts/security/hardening-guide/dynamic-resource-allocation/)
+and
+[Harden Dynamic Resource Allocation in Your Cluster](/docs/tasks/administer-cluster/hardening-dra/).
+
 ## Controlling access to the Kubelet
 
 Kubelets expose HTTPS endpoints which grant powerful control over the node and containers.
