Merge pull request #60118 from sbezverk/csi_core_credentials

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Adding credentials support for k8s core CSI PR implements changes proposed in: https://github.com/kubernetes/community/pull/1816 ```release-note CSI now allows credentials to be specified on CreateVolume/DeleteVolume, ControllerPublishVolume/ControllerUnpublishVolume, and NodePublishVolume/NodeUnpublishVolume operations ```
2025-09-26 04:36:00 +00:00 · 2018-02-24 12:36:11 -08:00
parent 829ada8e30 3aa462eab4
commit 8e8601a1cb
23 changed files with 2638 additions and 1763 deletions
--- a/plugin/pkg/auth/authorizer/node/graph.go
+++ b/plugin/pkg/auth/authorizer/node/graph.go
@@ -253,9 +253,11 @@ func (g *Graph) AddPV(pv *api.PersistentVolume) {

 		// since we don't know the other end of the pvc -> pod -> node chain (or it may not even exist yet), we can't decorate these edges with kubernetes node info
 		g.graph.SetEdge(simple.Edge{F: pvVertex, T: g.getOrCreateVertex_locked(pvcVertexType, pv.Spec.ClaimRef.Namespace, pv.Spec.ClaimRef.Name)})
-		pvutil.VisitPVSecretNames(pv, func(namespace, secret string) bool {
+		pvutil.VisitPVSecretNames(pv, func(namespace, secret string, kubeletVisible bool) bool {
 			// This grants access to the named secret in the same namespace as the bound PVC
-			g.graph.SetEdge(simple.Edge{F: g.getOrCreateVertex_locked(secretVertexType, namespace, secret), T: pvVertex})
+			if kubeletVisible {
+				g.graph.SetEdge(simple.Edge{F: g.getOrCreateVertex_locked(secretVertexType, namespace, secret), T: pvVertex})
+			}
 			return true
 		})
 	}