rbac: add resourceclaims/binding for DRA granular status authorization #259

Merged
volcano-sh-bot merged 1 commit into volcano-sh:main from cairon-ab:add-dra-granular-status-auth-rbac
Apr 8, 2026

@cairon-ab
Contributor

Starting in Kubernetes v1.36, the DRAResourceClaimGranularStatusAuthorization feature gate (beta, on-by-default) enforces fine-grained authorization checks for ResourceClaim status updates.

Schedulers that modify status.allocation or status.reservedFor now require additional permissions on the resourceclaims/binding synthetic subresource with update and patch verbs.

This adds the required RBAC rule for the Volcano agent scheduler. The existing resourceclaims/status permission is still required and remains unchanged.

These new permissions are inert on Kubernetes versions prior to v1.36, so this is safe to merge now in preparation.

Ref: kubernetes/kubernetes#138149
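
An added example, not part of this PR or the project's code: a pre-upgrade check that reports which DRA status permissions a scheduler ClusterRole still lacks, taking a dict in the shape of `kubectl get clusterrole <name> -o json`. The function names, the sample roles and the verbs required on `resourceclaims/status` are assumptions of this example.

```python
GROUP = "resource.k8s.io"
# The binding verbs come from the PR description. The verbs required on
# resourceclaims/status are an assumption of this example.
REQUIRED = {
    "resourceclaims/status": {"update", "patch"},
    "resourceclaims/binding": {"update", "patch"},
}

def rule_covers(rule, resource):
    """RBAC resource matching for one rule and one 'resource/subresource'."""
    if rule.get("resourceNames"):
        return False  # name-scoped rules do not cover arbitrary claims
    groups = rule.get("apiGroups") or []
    if "*" not in groups and GROUP not in groups:
        return False
    sub = resource.split("/", 1)[1]
    # A bare "resourceclaims" entry does NOT match its subresources.
    return any(r in ("*", resource, "*/" + sub)
               for r in rule.get("resources") or [])

def missing_dra_verbs(cluster_role):
    """Return {resource: [missing verbs]} for a ClusterRole given as a dict."""
    missing = {}
    for resource, needed in REQUIRED.items():
        granted = set()
        for rule in cluster_role.get("rules") or []:
            if rule_covers(rule, resource):
                granted.update(rule.get("verbs") or [])
        lacking = set() if "*" in granted else needed - granted
        if lacking:
            missing[resource] = sorted(lacking)
    return missing

# Constructed sample roles, not the project's manifests.
BEFORE = {"kind": "ClusterRole", "rules": [
    {"apiGroups": [GROUP], "resources": ["resourceclaims"],
     "verbs": ["get", "list", "watch", "update", "patch"]},
    {"apiGroups": [GROUP], "resources": ["resourceclaims/status"],
     "verbs": ["update", "patch"]},
]}
AFTER = {"kind": "ClusterRole", "rules": BEFORE["rules"] + [
    {"apiGroups": [GROUP], "resources": ["resourceclaims/binding"],
     "verbs": ["update", "patch"]},
]}

if __name__ == "__main__":
    print("before:", missing_dra_verbs(BEFORE))
    print("after: ", missing_dra_verbs(AFTER))
```

The `BEFORE` role shows the case this PR addresses: update and patch on `resourceclaims` and on `resourceclaims/status` do not extend to `resourceclaims/binding`, because RBAC matches subresources only by exact name, `*/binding` or `*`.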

Copilot AI review requested due to automatic review settings April 7, 2026 16:24
@volcano-sh-bot
Contributor

Welcome @cairon-ab! It looks like this is your first PR to volcano-sh/agentcube 🎉

Contributor

Copilot AI left a comment

Pull request overview

This PR adds RBAC permissions required for Kubernetes v1.36's DRAResourceClaimGranularStatusAuthorization feature, which enforces fine-grained authorization checks for ResourceClaim status updates by the Volcano agent scheduler.

Changes:

  • Adds RBAC rule granting the Volcano agent scheduler update and patch permissions on the resourceclaims/binding synthetic subresource in the resource.k8s.io API group
  • This permission is required in addition to the existing resourceclaims/status permission when the feature gate is enabled
  • The change is backward compatible and inert on Kubernetes versions prior to v1.36

Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request updates the RBAC configuration for the volcano-agent-scheduler by adding 'update' and 'patch' permissions for 'resourceclaims/binding' resources within the 'resource.k8s.io' API group. I have no feedback to provide.

@codecov-commenter
codecov-commenter commented Apr 7, 2026

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 43.35%. Comparing base (845b798) to head (c31a984).
⚠️ Report is 151 commits behind head on main.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #259      +/-   ##
==========================================
+ Coverage   35.60%   43.35%   +7.74%     
==========================================
  Files          29       30       +1     
  Lines        2533     2611      +78     
==========================================
+ Hits          902     1132     +230     
+ Misses       1505     1358     -147     
+ Partials      126      121       -5     
Flag Coverage Δ
unittests 43.35% <ø> (+7.74%) ⬆️

Starting in Kubernetes v1.36, the DRAResourceClaimGranularStatusAuthorization
feature gate (beta, on-by-default) enforces fine-grained authorization checks
for ResourceClaim status updates. Schedulers that modify status.allocation or
status.reservedFor now require additional permissions on the
resourceclaims/binding synthetic subresource.

This adds the required RBAC rule for the agent scheduler. These permissions
are inert on Kubernetes versions prior to v1.36.

Ref: kubernetes/kubernetes#138149
Signed-off-by: Cairon <[email protected]>
@cairon-ab cairon-ab force-pushed the add-dra-granular-status-auth-rbac branch from 68d0a3e to c31a984 Compare April 8, 2026 00:12
Member

@hzxuzhonghu hzxuzhonghu left a comment

@JesseStutler Does agent scheduler support DRA currently?

@JesseStutler
Member

@JesseStutler Does agent scheduler support DRA currently?

I think yes @hzxuzhonghu, we have already imported DRA into the predicates plugin, and the agent scheduler contains the predicates plugin.

Member

@hzxuzhonghu hzxuzhonghu left a comment

/lgtm

@volcano-sh-bot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hzxuzhonghu

@volcano-sh-bot volcano-sh-bot merged commit 7502b78 into volcano-sh:main Apr 8, 2026
14 checks passed