add api for service account token volume projection
This commit is contained in:
Mike Danese
@@ -1391,6 +1391,28 @@ type ConfigMapProjection struct {
|
||||
Optional *bool
|
||||
}
|
||||
|
||||
// ServiceAccountTokenProjection represents a projected service account token
|
||||
// volume. This projection can be used to insert a service account token into
|
||||
// the pods runtime filesystem for use against APIs (Kubernetes API Server or
|
||||
// otherwise).
|
||||
type ServiceAccountTokenProjection struct {
|
||||
// Audience is the intended audience of the token. A recipient of a token
|
||||
// must identify itself with an identifier specified in the audience of the
|
||||
// token, and otherwise should reject the token. The audience defaults to the
|
||||
// identifier of the apiserver.
|
||||
Audience string
|
||||
// ExpirationSeconds is the requested duration of validity of the service
|
||||
// account token. As the token approaches expiration, the kubelet volume
|
||||
// plugin will proactively rotate the service account token. The kubelet will
|
||||
// start trying to rotate the token if the token is older than 80 percent of
|
||||
// its time to live or if the token is older than 24 hours.Defaults to 1 hour
|
||||
// and must be at least 10 minutes.
|
||||
ExpirationSeconds int64
|
||||
// Path is the path relative to the mount point of the file to project the
|
||||
// token into.
|
||||
Path string
|
||||
}
|
||||
|
||||
// Represents a projected volume source
|
||||
type ProjectedVolumeSource struct {
|
||||
// list of volume projections
|
||||
@@ -1414,6 +1436,8 @@ type VolumeProjection struct {
|
||||
DownwardAPI *DownwardAPIProjection
|
||||
// information about the configMap data to project
|
||||
ConfigMap *ConfigMapProjection
|
||||
// information about the serviceAccountToken data to project
|
||||
ServiceAccountToken *ServiceAccountTokenProjection
|
||||
}
|
||||
|
||||
// Maps a string key to a path within a volume.
|
||||
|
||||
@@ -17,6 +17,8 @@ limitations under the License.
|
||||
package v1
|
||||
|
||||
import (
|
||||
"time"
|
||||
|
||||
"k8s.io/api/core/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/util/intstr"
|
||||
@@ -223,6 +225,12 @@ func SetDefaults_ProjectedVolumeSource(obj *v1.ProjectedVolumeSource) {
|
||||
obj.DefaultMode = &perm
|
||||
}
|
||||
}
|
||||
func SetDefaults_ServiceAccountTokenProjection(obj *v1.ServiceAccountTokenProjection) {
|
||||
hour := int64(time.Hour.Seconds())
|
||||
if obj.ExpirationSeconds == nil {
|
||||
obj.ExpirationSeconds = &hour
|
||||
}
|
||||
}
|
||||
func SetDefaults_PersistentVolume(obj *v1.PersistentVolume) {
|
||||
if obj.Status.Phase == "" {
|
||||
obj.Status.Phase = v1.VolumePending
|
||||
|
||||
@@ -1039,6 +1039,21 @@ func validateProjectionSources(projection *core.ProjectedVolumeSource, projectio
|
||||
}
|
||||
}
|
||||
}
|
||||
if projPath := fldPath.Child("serviceAccountToken"); source.ServiceAccountToken != nil {
|
||||
numSources++
|
||||
if !utilfeature.DefaultFeatureGate.Enabled(features.TokenRequestProjection) {
|
||||
allErrs = append(allErrs, field.Forbidden(projPath, "TokenRequestProjection feature is not enabled"))
|
||||
}
|
||||
if source.ServiceAccountToken.ExpirationSeconds < 10*60 {
|
||||
allErrs = append(allErrs, field.Invalid(projPath.Child("expirationSeconds"), source.ServiceAccountToken.ExpirationSeconds, "may not specify a duration less than 10 minutes"))
|
||||
}
|
||||
if source.ServiceAccountToken.ExpirationSeconds > 1<<32 {
|
||||
allErrs = append(allErrs, field.Invalid(projPath.Child("expirationSeconds"), source.ServiceAccountToken.ExpirationSeconds, "may not specify a duration larger than 2^32 seconds"))
|
||||
}
|
||||
if source.ServiceAccountToken.Path == "" {
|
||||
allErrs = append(allErrs, field.Required(fldPath.Child("path"), ""))
|
||||
}
|
||||
}
|
||||
if numSources > 1 {
|
||||
allErrs = append(allErrs, field.Forbidden(srcPath, "may not specify more than 1 volume type"))
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user