add api for service account token volume projection
		| @@ -1391,6 +1391,28 @@ type ConfigMapProjection struct { | |||||||
| 	Optional *bool | 	Optional *bool | ||||||
| } | } | ||||||
|  |  | ||||||
|  | // ServiceAccountTokenProjection represents a projected service account token | ||||||
|  | // volume. This projection can be used to insert a service account token into | ||||||
|  | // the pods runtime filesystem for use against APIs (Kubernetes API Server or | ||||||
|  | // otherwise). | ||||||
|  | type ServiceAccountTokenProjection struct { | ||||||
|  | 	// Audience is the intended audience of the token. A recipient of a token | ||||||
|  | 	// must identify itself with an identifier specified in the audience of the | ||||||
|  | 	// token, and otherwise should reject the token. The audience defaults to the | ||||||
|  | 	// identifier of the apiserver. | ||||||
|  | 	Audience string | ||||||
|  | 	// ExpirationSeconds is the requested duration of validity of the service | ||||||
|  | 	// account token. As the token approaches expiration, the kubelet volume | ||||||
|  | 	// plugin will proactively rotate the service account token. The kubelet will | ||||||
|  | 	// start trying to rotate the token if the token is older than 80 percent of | ||||||
|  | 	// its time to live or if the token is older than 24 hours.Defaults to 1 hour | ||||||
|  | 	// and must be at least 10 minutes. | ||||||
|  | 	ExpirationSeconds int64 | ||||||
|  | 	// Path is the path relative to the mount point of the file to project the | ||||||
|  | 	// token into. | ||||||
|  | 	Path string | ||||||
|  | } | ||||||
|  |  | ||||||
| // Represents a projected volume source | // Represents a projected volume source | ||||||
| type ProjectedVolumeSource struct { | type ProjectedVolumeSource struct { | ||||||
| 	// list of volume projections | 	// list of volume projections | ||||||
| @@ -1414,6 +1436,8 @@ type VolumeProjection struct { | |||||||
| 	DownwardAPI *DownwardAPIProjection | 	DownwardAPI *DownwardAPIProjection | ||||||
| 	// information about the configMap data to project | 	// information about the configMap data to project | ||||||
| 	ConfigMap *ConfigMapProjection | 	ConfigMap *ConfigMapProjection | ||||||
|  | 	// information about the serviceAccountToken data to project | ||||||
|  | 	ServiceAccountToken *ServiceAccountTokenProjection | ||||||
| } | } | ||||||
|  |  | ||||||
| // Maps a string key to a path within a volume. | // Maps a string key to a path within a volume. | ||||||
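Review bot: The doc comment on `ExpirationSeconds` runs two sentences together ("24 hours.Defaults to 1 hour") and should read `// its time to live or if the token is older than 24 hours. Defaults to 1 hour`; the same sentence is copied into the versioned type later in this commit and needs the same fix there. The `Audience` comment states that the audience "defaults to the identifier of the apiserver", but nothing in this hunk or the defaulting hunk sets it, so that default is presumably applied by whatever issues the token and the comment would be clearer if it said so (e.g. `// When empty, the token issuer uses the apiserver's identifier as the audience.`). The internal type carrying a plain `int64` while the versioned type carries `*int64` is consistent with the surrounding internal API conventions and needs no change.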
|   | |||||||
| @@ -17,6 +17,8 @@ limitations under the License. | |||||||
| package v1 | package v1 | ||||||
|  |  | ||||||
| import ( | import ( | ||||||
|  | 	"time" | ||||||
|  |  | ||||||
| 	"k8s.io/api/core/v1" | 	"k8s.io/api/core/v1" | ||||||
| 	"k8s.io/apimachinery/pkg/runtime" | 	"k8s.io/apimachinery/pkg/runtime" | ||||||
| 	"k8s.io/apimachinery/pkg/util/intstr" | 	"k8s.io/apimachinery/pkg/util/intstr" | ||||||
| @@ -223,6 +225,12 @@ func SetDefaults_ProjectedVolumeSource(obj *v1.ProjectedVolumeSource) { | |||||||
| 		obj.DefaultMode = &perm | 		obj.DefaultMode = &perm | ||||||
| 	} | 	} | ||||||
| } | } | ||||||
|  | func SetDefaults_ServiceAccountTokenProjection(obj *v1.ServiceAccountTokenProjection) { | ||||||
|  | 	hour := int64(time.Hour.Seconds()) | ||||||
|  | 	if obj.ExpirationSeconds == nil { | ||||||
|  | 		obj.ExpirationSeconds = &hour | ||||||
|  | 	} | ||||||
|  | } | ||||||
| func SetDefaults_PersistentVolume(obj *v1.PersistentVolume) { | func SetDefaults_PersistentVolume(obj *v1.PersistentVolume) { | ||||||
| 	if obj.Status.Phase == "" { | 	if obj.Status.Phase == "" { | ||||||
| 		obj.Status.Phase = v1.VolumePending | 		obj.Status.Phase = v1.VolumePending | ||||||
|   | |||||||
| @@ -1039,6 +1039,21 @@ func validateProjectionSources(projection *core.ProjectedVolumeSource, projectio | |||||||
| 				} | 				} | ||||||
| 			} | 			} | ||||||
| 		} | 		} | ||||||
|  | 		if projPath := fldPath.Child("serviceAccountToken"); source.ServiceAccountToken != nil { | ||||||
|  | 			numSources++ | ||||||
|  | 			if !utilfeature.DefaultFeatureGate.Enabled(features.TokenRequestProjection) { | ||||||
|  | 				allErrs = append(allErrs, field.Forbidden(projPath, "TokenRequestProjection feature is not enabled")) | ||||||
|  | 			} | ||||||
|  | 			if source.ServiceAccountToken.ExpirationSeconds < 10*60 { | ||||||
|  | 				allErrs = append(allErrs, field.Invalid(projPath.Child("expirationSeconds"), source.ServiceAccountToken.ExpirationSeconds, "may not specify a duration less than 10 minutes")) | ||||||
|  | 			} | ||||||
|  | 			if source.ServiceAccountToken.ExpirationSeconds > 1<<32 { | ||||||
|  | 				allErrs = append(allErrs, field.Invalid(projPath.Child("expirationSeconds"), source.ServiceAccountToken.ExpirationSeconds, "may not specify a duration larger than 2^32 seconds")) | ||||||
|  | 			} | ||||||
|  | 			if source.ServiceAccountToken.Path == "" { | ||||||
|  | 				allErrs = append(allErrs, field.Required(fldPath.Child("path"), "")) | ||||||
|  | 			} | ||||||
|  | 		} | ||||||
| 		if numSources > 1 { | 		if numSources > 1 { | ||||||
| 			allErrs = append(allErrs, field.Forbidden(srcPath, "may not specify more than 1 volume type")) | 			allErrs = append(allErrs, field.Forbidden(srcPath, "may not specify more than 1 volume type")) | ||||||
| 		} | 		} | ||||||
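Review bot: The required-field error for an empty `Path` is reported against `fldPath.Child("path")` while every other error in this branch uses `projPath`, so the message points at `<volume>.path` instead of `<volume>.serviceAccountToken.path`; it should be `allErrs = append(allErrs, field.Required(projPath.Child("path"), ""))`. Beyond emptiness, `Path` is not checked at all: the other projections in this function validate their item paths as local, non-reserved relative paths, and a token path containing `..` or a leading `/` would be accepted here, so the non-empty case should go through the same check the secret/configMap/downwardAPI items use (the helper is outside this hunk; in this file it is presumably `validateLocalNonReservedPath`). The upper bound `1<<32` is applied after the feature-gate check, so a disabled gate still yields range errors on top of the Forbidden error, which is fine but worth a short comment if intentional. The enclosing `validateProjectionSources` starts and ends outside the hunk.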
|   | |||||||
| @@ -248,6 +248,12 @@ const ( | |||||||
| 	// Implement TokenRequest endpoint on service account resources. | 	// Implement TokenRequest endpoint on service account resources. | ||||||
| 	TokenRequest utilfeature.Feature = "TokenRequest" | 	TokenRequest utilfeature.Feature = "TokenRequest" | ||||||
|  |  | ||||||
|  | 	// owner: @mikedanese | ||||||
|  | 	// alpha: v1.11 | ||||||
|  | 	// | ||||||
|  | 	// Enable ServiceAccountTokenVolumeProjection support in ProjectedVolumes. | ||||||
|  | 	TokenRequestProjection utilfeature.Feature = "TokenRequestProjection" | ||||||
|  |  | ||||||
| 	// owner: @Random-Liu | 	// owner: @Random-Liu | ||||||
| 	// beta: v1.11 | 	// beta: v1.11 | ||||||
| 	// | 	// | ||||||
| @@ -329,6 +335,7 @@ var defaultKubernetesFeatureGates = map[utilfeature.Feature]utilfeature.FeatureS | |||||||
| 	HyperVContainer:                             {Default: false, PreRelease: utilfeature.Alpha}, | 	HyperVContainer:                             {Default: false, PreRelease: utilfeature.Alpha}, | ||||||
| 	ScheduleDaemonSetPods:                       {Default: false, PreRelease: utilfeature.Alpha}, | 	ScheduleDaemonSetPods:                       {Default: false, PreRelease: utilfeature.Alpha}, | ||||||
| 	TokenRequest:                                {Default: false, PreRelease: utilfeature.Alpha}, | 	TokenRequest:                                {Default: false, PreRelease: utilfeature.Alpha}, | ||||||
|  | 	TokenRequestProjection:                      {Default: false, PreRelease: utilfeature.Alpha}, | ||||||
| 	CRIContainerLogRotation:                     {Default: true, PreRelease: utilfeature.Beta}, | 	CRIContainerLogRotation:                     {Default: true, PreRelease: utilfeature.Beta}, | ||||||
| 	GCERegionalPersistentDisk:                   {Default: true, PreRelease: utilfeature.Beta}, | 	GCERegionalPersistentDisk:                   {Default: true, PreRelease: utilfeature.Beta}, | ||||||
| 	RunAsGroup:                                  {Default: false, PreRelease: utilfeature.Alpha}, | 	RunAsGroup:                                  {Default: false, PreRelease: utilfeature.Alpha}, | ||||||
|   | |||||||
| @@ -1466,6 +1466,30 @@ type ConfigMapProjection struct { | |||||||
| 	Optional *bool `json:"optional,omitempty" protobuf:"varint,4,opt,name=optional"` | 	Optional *bool `json:"optional,omitempty" protobuf:"varint,4,opt,name=optional"` | ||||||
| } | } | ||||||
|  |  | ||||||
|  | // ServiceAccountTokenProjection represents a projected service account token | ||||||
|  | // volume. This projection can be used to insert a service account token into | ||||||
|  | // the pods runtime filesystem for use against APIs (Kubernetes API Server or | ||||||
|  | // otherwise). | ||||||
|  | type ServiceAccountTokenProjection struct { | ||||||
|  | 	// Audience is the intended audience of the token. A recipient of a token | ||||||
|  | 	// must identify itself with an identifier specified in the audience of the | ||||||
|  | 	// token, and otherwise should reject the token. The audience defaults to the | ||||||
|  | 	// identifier of the apiserver. | ||||||
|  | 	//+optional | ||||||
|  | 	Audience string `json:"audience,omitempty" protobuf:"bytes,1,rep,name=audience"` | ||||||
|  | 	// ExpirationSeconds is the requested duration of validity of the service | ||||||
|  | 	// account token. As the token approaches expiration, the kubelet volume | ||||||
|  | 	// plugin will proactively rotate the service account token. The kubelet will | ||||||
|  | 	// start trying to rotate the token if the token is older than 80 percent of | ||||||
|  | 	// its time to live or if the token is older than 24 hours.Defaults to 1 hour | ||||||
|  | 	// and must be at least 10 minutes. | ||||||
|  | 	//+optional | ||||||
|  | 	ExpirationSeconds *int64 `json:"expirationSeconds,omitempty" protobuf:"varint,2,opt,name=expirationSeconds"` | ||||||
|  | 	// Path is the path relative to the mount point of the file to project the | ||||||
|  | 	// token into. | ||||||
|  | 	Path string `json:"path" protobuf:"bytes,3,opt,name=path"` | ||||||
|  | } | ||||||
|  |  | ||||||
| // Represents a projected volume source | // Represents a projected volume source | ||||||
| type ProjectedVolumeSource struct { | type ProjectedVolumeSource struct { | ||||||
| 	// list of volume projections | 	// list of volume projections | ||||||
| @@ -1484,11 +1508,17 @@ type VolumeProjection struct { | |||||||
| 	// all types below are the supported types for projection into the same volume | 	// all types below are the supported types for projection into the same volume | ||||||
|  |  | ||||||
| 	// information about the secret data to project | 	// information about the secret data to project | ||||||
|  | 	// +optional | ||||||
| 	Secret *SecretProjection `json:"secret,omitempty" protobuf:"bytes,1,opt,name=secret"` | 	Secret *SecretProjection `json:"secret,omitempty" protobuf:"bytes,1,opt,name=secret"` | ||||||
| 	// information about the downwardAPI data to project | 	// information about the downwardAPI data to project | ||||||
|  | 	// +optional | ||||||
| 	DownwardAPI *DownwardAPIProjection `json:"downwardAPI,omitempty" protobuf:"bytes,2,opt,name=downwardAPI"` | 	DownwardAPI *DownwardAPIProjection `json:"downwardAPI,omitempty" protobuf:"bytes,2,opt,name=downwardAPI"` | ||||||
| 	// information about the configMap data to project | 	// information about the configMap data to project | ||||||
|  | 	// +optional | ||||||
| 	ConfigMap *ConfigMapProjection `json:"configMap,omitempty" protobuf:"bytes,3,opt,name=configMap"` | 	ConfigMap *ConfigMapProjection `json:"configMap,omitempty" protobuf:"bytes,3,opt,name=configMap"` | ||||||
|  | 	// information about the serviceAccountToken data to project | ||||||
|  | 	// +optional | ||||||
|  | 	ServiceAccountToken *ServiceAccountTokenProjection `json:"serviceAccountToken,omitempty" protobuf:"bytes,4,opt,name=serviceAccountToken"` | ||||||
| } | } | ||||||
|  |  | ||||||
| const ( | const ( | ||||||
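Review bot: The protobuf tag on `Audience` declares the field as repeated, `protobuf:"bytes,1,rep,name=audience"`, although it is a single `string`; the sibling `Path` field uses `protobuf:"bytes,3,opt,name=path"`, and `Audience` should match it with `protobuf:"bytes,1,opt,name=audience"` before the generated .proto and marshalling code are regenerated from these tags. The `//+optional` markers on `Audience` and `ExpirationSeconds` lack the space that the markers added to `VolumeProjection` in the same commit use (`// +optional`), so the two spellings should be unified to the latter for the doc generators that match on the marker. The `ExpirationSeconds` comment also repeats the "24 hours.Defaults" typo from the internal type and should read `// its time to live or if the token is older than 24 hours. Defaults to 1 hour`.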
|   | |||||||
	 Mike Danese
					Mike Danese