From 27df75c577ab0e8a609e1bcbe48778aebcd6b3cf Mon Sep 17 00:00:00 2001
From: Patrick Ohly
Date: Tue, 5 Mar 2024 21:36:43 +0100
Subject: [PATCH] dra api: fix status updates

Changing object meta is not supposed to be possible via status updates. For example, it circumvents RBAC permission checks.
---
 pkg/registry/resource/podschedulingcontext/strategy.go | 2 ++
 pkg/registry/resource/resourceclaim/strategy.go | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/pkg/registry/resource/podschedulingcontext/strategy.go b/pkg/registry/resource/podschedulingcontext/strategy.go
index 0013b1ed3e87c..16d23baf628c2 100644
--- a/pkg/registry/resource/podschedulingcontext/strategy.go
+++ b/pkg/registry/resource/podschedulingcontext/strategy.go
@@ -20,6 +20,7 @@ import (
 "context"
 "errors"
 
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/fields"
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/runtime"
@@ -125,6 +126,7 @@ func (podSchedulingStatusStrategy) PrepareForUpdate(ctx context.Context, obj, ol
 newScheduling := obj.(*resource.PodSchedulingContext)
 oldScheduling := old.(*resource.PodSchedulingContext)
 newScheduling.Spec = oldScheduling.Spec
+ metav1.ResetObjectMetaForStatus(&newScheduling.ObjectMeta, &oldScheduling.ObjectMeta)
 }
 
 func (podSchedulingStatusStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
diff --git a/pkg/registry/resource/resourceclaim/strategy.go b/pkg/registry/resource/resourceclaim/strategy.go
index 1b65e87ade6a8..75f4c7be73ca8 100644
--- a/pkg/registry/resource/resourceclaim/strategy.go
+++ b/pkg/registry/resource/resourceclaim/strategy.go
@@ -20,6 +20,7 @@ import (
 "context"
 "errors"
 
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/fields"
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/runtime"
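Review bot: The diffstat lists only the two strategy.go files, so nothing pins the new `metav1.ResetObjectMetaForStatus` call in `podSchedulingStatusStrategy.PrepareForUpdate` against regression; the same gap applies to `resourceclaimStatusStrategy.PrepareForUpdate` in the second file. A strategy test that submits a status update with changed labels, annotations, finalizers and owner references, then asserts the prepared object still carries the old values, would cover both types. Because the call is what keeps a status-only RBAC grant from reaching metadata, a one-line comment above it would also help, e.g. `// Status writers must not be able to change metadata; restore it from the old object.` The function signature is truncated in the hunk header and the body starts outside the hunk.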
@@ -125,6 +126,7 @@ func (resourceclaimStatusStrategy) PrepareForUpdate(ctx context.Context, obj, ol
 newClaim := obj.(*resource.ResourceClaim)
 oldClaim := old.(*resource.ResourceClaim)
 newClaim.Spec = oldClaim.Spec
+ metav1.ResetObjectMetaForStatus(&newClaim.ObjectMeta, &oldClaim.ObjectMeta)
 }
 
 func (resourceclaimStatusStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
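Review bot: Metadata sent with a status update is now discarded without an error in `resourceclaimStatusStrategy.PrepareForUpdate`, so a client that previously changed, say, a finalizer in the same status write would get a success response while the change is not stored. It would be worth checking the existing writers of ResourceClaim status (and of PodSchedulingContext status, first file) for that pattern, and stating the behaviour change in the release note so driver authors move such edits to a regular update. The body of PrepareForUpdate starts outside the hunk, so whether anything earlier in it depends on the incoming metadata cannot be judged from here.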