mirror of
https://github.com/kubernetes/client-go.git
synced 2025-12-26 06:32:27 +00:00
Add CSI driver opt-in for service account tokens via secrets field
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com> Kubernetes-commit: 30a6d4b389a6c6b10c5bd136216b47e55da3f18a
This commit is contained in:
Anish Ramasekar
committed by
Kubernetes Publisher
Kubernetes Publisher
parent
4953849642
commit
75128a8d3d
@@ -15024,6 +15024,9 @@ var schemaYAML = typed.YAMLObject(`types:
|
||||
- name: seLinuxMount
|
||||
type:
|
||||
scalar: boolean
|
||||
- name: serviceAccountTokenInSecrets
|
||||
type:
|
||||
scalar: boolean
|
||||
- name: storageCapacity
|
||||
type:
|
||||
scalar: boolean
|
||||
@@ -15430,6 +15433,9 @@ var schemaYAML = typed.YAMLObject(`types:
|
||||
- name: seLinuxMount
|
||||
type:
|
||||
scalar: boolean
|
||||
- name: serviceAccountTokenInSecrets
|
||||
type:
|
||||
scalar: boolean
|
||||
- name: storageCapacity
|
||||
type:
|
||||
scalar: boolean
|
||||
|
||||
@@ -158,6 +158,26 @@ type CSIDriverSpecApplyConfiguration struct {
|
||||
//
|
||||
// This field is mutable.
|
||||
NodeAllocatableUpdatePeriodSeconds *int64 `json:"nodeAllocatableUpdatePeriodSeconds,omitempty"`
|
||||
// serviceAccountTokenInSecrets is an opt-in for CSI drivers to indicate that
|
||||
// service account tokens should be passed via the Secrets field in NodePublishVolumeRequest
|
||||
// instead of the VolumeContext field. The CSI specification provides a dedicated Secrets
|
||||
// field for sensitive information like tokens, which is the appropriate mechanism for
|
||||
// handling credentials. This addresses security concerns where sensitive tokens were being
|
||||
// logged as part of volume context.
|
||||
//
|
||||
// When "true", kubelet will pass the tokens only in the Secrets field with the key
|
||||
// "csi.storage.k8s.io/serviceAccount.tokens". The CSI driver must be updated to read
|
||||
// tokens from the Secrets field instead of VolumeContext.
|
||||
//
|
||||
// When "false" or not set, kubelet will pass the tokens in VolumeContext with the key
|
||||
// "csi.storage.k8s.io/serviceAccount.tokens" (existing behavior). This maintains backward
|
||||
// compatibility with existing CSI drivers.
|
||||
//
|
||||
// This field can only be set when TokenRequests is configured. The API server will reject
|
||||
// CSIDriver specs that set this field without TokenRequests.
|
||||
//
|
||||
// Default behavior if unset is to pass tokens in the VolumeContext field.
|
||||
ServiceAccountTokenInSecrets *bool `json:"serviceAccountTokenInSecrets,omitempty"`
|
||||
}
|
||||
|
||||
// CSIDriverSpecApplyConfiguration constructs a declarative configuration of the CSIDriverSpec type for use with
|
||||
@@ -244,3 +264,11 @@ func (b *CSIDriverSpecApplyConfiguration) WithNodeAllocatableUpdatePeriodSeconds
|
||||
b.NodeAllocatableUpdatePeriodSeconds = &value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithServiceAccountTokenInSecrets sets the ServiceAccountTokenInSecrets field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the ServiceAccountTokenInSecrets field is set to the value of the last call.
|
||||
func (b *CSIDriverSpecApplyConfiguration) WithServiceAccountTokenInSecrets(value bool) *CSIDriverSpecApplyConfiguration {
|
||||
b.ServiceAccountTokenInSecrets = &value
|
||||
return b
|
||||
}
|
||||
|
||||
@@ -158,6 +158,26 @@ type CSIDriverSpecApplyConfiguration struct {
|
||||
//
|
||||
// This field is mutable.
|
||||
NodeAllocatableUpdatePeriodSeconds *int64 `json:"nodeAllocatableUpdatePeriodSeconds,omitempty"`
|
||||
// serviceAccountTokenInSecrets is an opt-in for CSI drivers to indicate that
|
||||
// service account tokens should be passed via the Secrets field in NodePublishVolumeRequest
|
||||
// instead of the VolumeContext field. The CSI specification provides a dedicated Secrets
|
||||
// field for sensitive information like tokens, which is the appropriate mechanism for
|
||||
// handling credentials. This addresses security concerns where sensitive tokens were being
|
||||
// logged as part of volume context.
|
||||
//
|
||||
// When "true", kubelet will pass the tokens only in the Secrets field with the key
|
||||
// "csi.storage.k8s.io/serviceAccount.tokens". The CSI driver must be updated to read
|
||||
// tokens from the Secrets field instead of VolumeContext.
|
||||
//
|
||||
// When "false" or not set, kubelet will pass the tokens in VolumeContext with the key
|
||||
// "csi.storage.k8s.io/serviceAccount.tokens" (existing behavior). This maintains backward
|
||||
// compatibility with existing CSI drivers.
|
||||
//
|
||||
// This field can only be set when TokenRequests is configured. The API server will reject
|
||||
// CSIDriver specs that set this field without TokenRequests.
|
||||
//
|
||||
// Default behavior if unset is to pass tokens in the VolumeContext field.
|
||||
ServiceAccountTokenInSecrets *bool `json:"serviceAccountTokenInSecrets,omitempty"`
|
||||
}
|
||||
|
||||
// CSIDriverSpecApplyConfiguration constructs a declarative configuration of the CSIDriverSpec type for use with
|
||||
@@ -244,3 +264,11 @@ func (b *CSIDriverSpecApplyConfiguration) WithNodeAllocatableUpdatePeriodSeconds
|
||||
b.NodeAllocatableUpdatePeriodSeconds = &value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithServiceAccountTokenInSecrets sets the ServiceAccountTokenInSecrets field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the ServiceAccountTokenInSecrets field is set to the value of the last call.
|
||||
func (b *CSIDriverSpecApplyConfiguration) WithServiceAccountTokenInSecrets(value bool) *CSIDriverSpecApplyConfiguration {
|
||||
b.ServiceAccountTokenInSecrets = &value
|
||||
return b
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user