Add validation for unsupported DRA features

[harche]

What type of PR is this?

/kind bug

What this PR does / why we need it:

This PR adds validation to reject DRA (Dynamic Resource Allocation) v1 API features that are enabled
by default in Kubernetes 1.34 but explicitly excluded from Kueue's DRA support scope per KEP-2941.

Without validation, Kueue silently ignores unsupported DRA features, leading to:

1. Silent admission failures - FirstAvailable workloads are admitted with 0 DRA resources, causing
   runtime failures
2. Misleading errors - 5 out of 6 unsupported features produce confusing "DeviceClass not mapped"
   errors instead of clear feature-not-supported messages
3. Poor UX - Users waste time debugging DeviceClass mappings when the actual issue is using
   unsupported features

Solution is to add early validation in pkg/dra/claims.go to explicitly reject all 6 enabled-by-default DRA features
that Kueue doesn't support:

GA Features:

• AllocationMode 'All'
• CEL Selectors
• Device Constraints
• Device Config

Beta Features (enabled by default in K8s 1.34):

• FirstAvailable (DRAPrioritizedList)
• AdminAccess (DRAAdminAccess)

Each feature now returns a clear, actionable error message like "FirstAvailable device selection is
not supported" instead of misleading DeviceClass mapping errors.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Kueue now properly validates and rejects unsupported DRA (Dynamic Resource Allocation) features with clear error messages instead of silently failing or producing misleading "DeviceClass not mapped" errors. Unsupported features include: AllocationMode 'All', CEL Selectors, Device Constraints, Device Config, FirstAvailable device selection, and AdminAccess.

[netlify]

✅ Deploy Preview for kubernetes-sigs-kueue canceled.

Name	Link
🔨 Latest commit	8de8f8c
🔍 Latest deploy log	https://app.netlify.com/projects/kubernetes-sigs-kueue/deploys/68f659fe9cf72200082b1be9

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: harche
Once this PR has been reviewed and has the lgtm label, please assign gabesaba for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @harche. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[mimowo]

/ok-to-test
@alaypatel07 would you like to give it a pass?

[kannon92]

/ok-to-test

/cc @alaypatel07

[alaypatel07]

Yes I'll take a look.

[alaypatel07]

can you please convert the entire if condition into a switch case handling all the unsupported features first before considering the valid supported case?

[harche]

Addressed, thanks.

[alaypatel07]

@harche why does this have to be nested ifs and switch cases? Can we work out a logic with one single switch case?

For example:

		switch {
		case req.FirstAvailable != nil:
		case req.Exactly != nil && len(req.Exactly.Selectors) > 0:
		// error
		case req.Exactly != nil && req.Exactly.AdminAccess != nil && *req.Exactly.AdminAccess:
		// error
		case req.Exactly != nil && req.Exactly.AllocationMode == DeviceAllocationModeAll:
		// error
		}

[harche]

@alaypatel07 I didn't want to repeat req.Exactly != nil, would something like following do?

switch {
		case req.FirstAvailable != nil:
			return nil, fmt.Errorf("%w: FirstAvailable device selection is not supported", ErrUnsupportedDRAFeature)
		case req.Exactly == nil:
			continue
		case len(req.Exactly.Selectors) > 0:
			return nil, fmt.Errorf("%w: CEL selectors are not supported", ErrUnsupportedDRAFeature)
		case req.Exactly.AdminAccess != nil && *req.Exactly.AdminAccess:
			return nil, fmt.Errorf("%w: AdminAccess is not supported", ErrUnsupportedDRAFeature)
		case req.Exactly.AllocationMode == resourcev1.DeviceAllocationModeAll:
			return nil, fmt.Errorf("%w: AllocationMode 'All' is not supported", ErrUnsupportedDRAFeature)
		case req.Exactly.AllocationMode == resourcev1.DeviceAllocationModeExactCount:
			dcName = req.Exactly.DeviceClassName
			q = req.Exactly.Count
		case req.Exactly.AllocationMode == "":
			dcName = req.Exactly.DeviceClassName
		default:
			return nil, fmt.Errorf("%w: unsupported allocation mode: %s", ErrUnsupportedDRAFeature, req.Exactly.AllocationMode)
		}

[harche]

Updated, let me know if that works, but I am open to changing it to repeated req.Exactly != nil.

[alaypatel07]

Nit: can we use a common error "UnsupportedDRAfeature" and then wrap a human readable error message to be returned from the function later.

I think we only need to have the following concrete error types:

1. ErrResourceClaimInUse and other
2. ErrClaimSpecNotFound
3. ErrUnsupportedDRAfeature

[harche]

Addressed, thanks.

[alaypatel07]

we should also update the integration tests for these errors at https://github.com/kubernetes-sigs/kueue/tree/main/test/integration/singlecluster/controller/dra

[harche]

Added integration tests.

[harche]

/test pull-kueue-test-e2e-multikueue-main

[harche]

@alaypatel07 I have updated the PR. Can you take another look? Thanks.

[alaypatel07]

can we use this opportunity to start using, https://github.com/kubernetes-sigs/kueue/blob/main/pkg/util/testing/wrappers.go#L623 and https://github.com/kubernetes-sigs/kueue/blob/main/pkg/util/testing/wrappers.go#L637?

I think this change is needed across all the test cases.

[harche]

Updated, thanks.

[alaypatel07]

I wonder if we can create a ResourceClaimWrapper to produce these templates/claims in utiltesting:

kueue/pkg/util/testing/wrappers.go

Line 422 in 5a6b10a

type PodSetWrapper struct{ kueue.PodSet }

it will be helpful in unit testing as well as integration tests

[harche]

Sounds like a great idea, but should we tackle this outside this PR? I can create a separate issue to look into it. I am afraid it might escalate the scope of this PR (which is just to harden the validation around unsupported DRA fields/features)

[harche]

Added the wrapper, https://github.com/kubernetes-sigs/kueue/pull/7226/files#diff-8c600775ee9d35183196effef13d4df7be756e077046325d17b6214b080cba2bR1823

[alaypatel07]

+1. IMHO, since this PR is adding all the permutations of creating resource slices with different features, this is the right moment to add the wrapper. I dont really think it expands the scope. Thanks for tackling that.

[alaypatel07]

This case is not needed, Kueue should assume that the defaults are set appropriately during resource admission: https://github.com/kubernetes/kubernetes/blob/f306bb14b4a288cd04c6ddad65a5a91bc1f665f8/pkg/apis/resource/v1/defaults.go#L32-L37.

[harche]

Addressed, thanks.

[alaypatel07]

nit: Instead of having separate structs for RCT and RC, there should be a common struct for ResourceClaimSpec and the With* functions use that struct to generate the spec. I think will remove a lot of duplication.

[harche]

Between ResourceClaimTemplateWrapper and ResourceClaimWrapper, there's now a shared ResourceClaimSpecBuilder that both wrappers use, let me know if that aligns with what you had in mind.

[harche]

cc @alaypatel07

[kannon92]

Please add a release note.

[harche]

Please add a release note.

Thanks, done.

[alaypatel07]

@harche I'm falling behind on reviews due to the upcoming KEP freeze. I'll take a look first thing tomorrow morning.

[harche]

@harche I'm falling behind on reviews due to the upcoming KEP freeze. I'll take a look first thing tomorrow morning.

No worries @alaypatel07 , take your time. This can wait until the KEP freeze deadline passes. Thanks for your valuable feedback.

[mimowo]

Actually could you please send a preaparatory non-functional PR just for the cleanup?

So that we don't mix cleanups with features or bugfixes.

It will make the diff here smaller for the ease of reviewing / focusing on the user-changing experience.

[harche]

Thanks @mimowo, I have brought this up earlier, #7226 (comment)

@alaypatel07 are you okay with splitting the refactoring of tests utils from this PR?

[alaypatel07]

@harche yes, I think what @mimowo is suggesting is little different from earlier conversation, instead of following up on the refactor, I think he wants the refactor to go in first as a separate PR, I am okay with that. Correct me if I am wrong.

[harche]

Thanks @alaypatel07 and @mimowo, I have raised #7300 to add wrapper for existing tests cases only.

We will deal with this PR once that one is merged.

/hold

[mimowo]

I merged the other PR already, please rebase, let me unhold in the meanwhile, it will not merge anyway while not rebased.
/unhold

[mimowo]

This looks very verbose and repeatable, can we replace it somehow with some default lookups maybe?

[harche]

Added a common defaultLookup function

[mimowo]

Instead of asserting true/false it is better to assert on specific validation error, please check https://github.com/kubernetes-sigs/kueue/blob/main/pkg/controller/jobs/jobset/jobset_webhook_test.go#L49

I know it was like this before, but I would like to use it as an occasion to cleanup

[harche]

Thanks, updated to assert exact error.

[harche]

/hold just like unit tests, the integration tests should also check for exact error.

[harche]

/hold just like unit tests, the integration tests should also check for exact error.

updated.

/unhold

[mimowo]

Do these need to be exposed? If not then unexport (lowercase)

[harche]

They are used in integration tests, besides that, I am not sure having errors exported causes any harm, future callers might be able to verify if the errors belongs to any of the DRA related errors.

[mimowo]

We can always export them later if needed. If they are unexported it is immediately obvious which are used or not outside the package for example during review in GH. Also, sometimes exported constants become unused but linters don't complain, so making them unused is easy to miss during review/ code changing.

[mimowo]

I would prefer to assert errors as we do here, using cmp.Diff:

kueue/pkg/controller/jobs/jobset/jobset_webhook_test.go

Lines 273 to 291 in 1fa1463

	wantErr: field.ErrorList{
	field.Invalid(field.NewPath("spec.replicatedJobs[0].template.spec.template.metadata.annotations"), field.OmitValueType{}, "must specify 'kueue.x-k8s.io/podset-required-topology' or 'kueue.x-k8s.io/podset-preferred-topology' topology consistent with 'spec.replicatedJobs[1].template.spec.template.metadata.annotations' in group 'groupname'"),
	field.Invalid(field.NewPath("spec.replicatedJobs[1].template.spec.template.metadata.annotations"), field.OmitValueType{}, "must specify 'kueue.x-k8s.io/podset-required-topology' or 'kueue.x-k8s.io/podset-preferred-topology' topology consistent with 'spec.replicatedJobs[0].template.spec.template.metadata.annotations' in group 'groupname'"),
	}.ToAggregate(),
	topologyAwareScheduling: true,
	},
	}
	for _, tc := range testcases {
	t.Run(tc.name, func(t *testing.T) {
	features.SetFeatureGateDuringTest(t, features.TopologyAwareScheduling, tc.topologyAwareScheduling)
	jsw := &JobSetWebhook{}
	ctx, _ := utiltesting.ContextWithLog(t)
	_, gotErr := jsw.ValidateCreate(ctx, tc.job)
	if diff := cmp.Diff(tc.wantErr, gotErr); diff != "" {
	t.Errorf("validateCreate() mismatch (-want +got):\n%s", diff)
	}

Would it work here? I'm not sure maybe it works better if the validation errors are using field.ErrorList type.

[harche]

The current tests use errors.Is, this is exactly what we want. IMO, achieving this in any other way would not be more optimal than simply using errors.Is.