From 4ec7d2305d8c022fe7870d0e8f53c27045e84b96 Mon Sep 17 00:00:00 2001 From: Vladimir Vivien Date: Tue, 14 Aug 2018 17:00:25 -0400 Subject: [PATCH] CSI Inline Volume - API changes --- cmd/kube-controller-manager/app/plugins.go | 4 ++ pkg/api/pod/util.go | 30 +++++++++++++++ pkg/api/pod/util_test.go | 7 +++- pkg/api/podsecuritypolicy/util.go | 3 ++ pkg/api/v1/pod/util.go | 4 ++ pkg/api/v1/pod/util_test.go | 7 +++- pkg/apis/core/types.go | 37 ++++++++++++++++++- pkg/apis/core/validation/validation.go | 30 ++++++++++----- pkg/apis/policy/types.go | 10 +++++ pkg/apis/policy/validation/validation.go | 12 ++++++ pkg/features/kube_features.go | 7 ++++ pkg/security/podsecuritypolicy/util/util.go | 2 + staging/src/k8s.io/api/core/v1/types.go | 36 +++++++++++++++++- .../k8s.io/api/extensions/v1beta1/types.go | 11 ++++++ .../src/k8s.io/api/policy/v1beta1/types.go | 10 +++++ 15 files changed, 197 insertions(+), 13 deletions(-) diff --git a/cmd/kube-controller-manager/app/plugins.go b/cmd/kube-controller-manager/app/plugins.go index bf82df07e5..a8d3ca0958 100644 --- a/cmd/kube-controller-manager/app/plugins.go +++ b/cmd/kube-controller-manager/app/plugins.go @@ -165,6 +165,10 @@ func ProbeControllerVolumePlugins(cloud cloudprovider.Interface, config kubectrl allPlugins = append(allPlugins, azure_dd.ProbeVolumePlugins()...) allPlugins = append(allPlugins, photon_pd.ProbeVolumePlugins()...) + if utilfeature.DefaultFeatureGate.Enabled(features.CSIInlineVolume) { + allPlugins = append(allPlugins, csi.ProbeVolumePlugins()...) + } + return allPlugins } diff --git a/pkg/api/pod/util.go b/pkg/api/pod/util.go index cb300db782..3bffd1bf29 100644 --- a/pkg/api/pod/util.go +++ b/pkg/api/pod/util.go @@ -97,6 +97,10 @@ func VisitPodSecretNames(pod *api.Pod, visitor Visitor) bool { if source.StorageOS.SecretRef != nil && !visitor(source.StorageOS.SecretRef.Name) { return false } + case source.CSI != nil: + if source.CSI.NodePublishSecretRef != nil && !visitor(source.CSI.NodePublishSecretRef.Name) { + return false + } } } return true @@ -370,6 +374,9 @@ func dropDisabledFields( } dropDisabledProcMountField(podSpec, oldPodSpec) + + dropDisabledCSIVolumeSourceAlphaFields(podSpec, oldPodSpec) + } // dropDisabledRunAsGroupField removes disabled fields from PodSpec related @@ -423,6 +430,16 @@ func dropDisabledVolumeDevicesFields(podSpec, oldPodSpec *api.PodSpec) { } } +// dropDisabledCSIVolumeSourceAlphaFields removes disabled alpha fields from []CSIVolumeSource. +// This should be called from PrepareForCreate/PrepareForUpdate for all pod specs resources containing a CSIVolumeSource +func dropDisabledCSIVolumeSourceAlphaFields(podSpec, oldPodSpec *api.PodSpec) { + if !utilfeature.DefaultFeatureGate.Enabled(features.CSIInlineVolume) && !csiInUse(oldPodSpec) { + for i := range podSpec.Volumes { + podSpec.Volumes[i].CSI = nil + } + } +} + // subpathInUse returns true if the pod spec is non-nil and has a volume mount that makes use of the subPath feature func subpathInUse(podSpec *api.PodSpec) bool { if podSpec == nil { @@ -616,3 +633,16 @@ func subpathExprInUse(podSpec *api.PodSpec) bool { } return false } + +// csiInUse returns true if any pod's spec include inline CSI volumes. +func csiInUse(podSpec *api.PodSpec) bool { + if podSpec == nil { + return false + } + for i := range podSpec.Volumes { + if podSpec.Volumes[i].CSI != nil { + return true + } + } + return false +} diff --git a/pkg/api/pod/util_test.go b/pkg/api/pod/util_test.go index 212d77482e..aff0726cd7 100644 --- a/pkg/api/pod/util_test.go +++ b/pkg/api/pod/util_test.go @@ -104,7 +104,11 @@ func TestPodSecrets(t *testing.T) { VolumeSource: api.VolumeSource{ StorageOS: &api.StorageOSVolumeSource{ SecretRef: &api.LocalObjectReference{ - Name: "Spec.Volumes[*].VolumeSource.StorageOS.SecretRef"}}}}}, + Name: "Spec.Volumes[*].VolumeSource.StorageOS.SecretRef"}}}}, { + VolumeSource: api.VolumeSource{ + CSI: &api.CSIVolumeSource{ + NodePublishSecretRef: &api.LocalObjectReference{ + Name: "Spec.Volumes[*].VolumeSource.CSI.NodePublishSecretRef"}}}}}, }, } extractedNames := sets.NewString() @@ -136,6 +140,7 @@ func TestPodSecrets(t *testing.T) { "Spec.Volumes[*].VolumeSource.ScaleIO.SecretRef", "Spec.Volumes[*].VolumeSource.ISCSI.SecretRef", "Spec.Volumes[*].VolumeSource.StorageOS.SecretRef", + "Spec.Volumes[*].VolumeSource.CSI.NodePublishSecretRef", ) secretPaths := collectResourcePaths(t, "secret", nil, "", reflect.TypeOf(&api.Pod{})) secretPaths = secretPaths.Difference(excludedSecretPaths) diff --git a/pkg/api/podsecuritypolicy/util.go b/pkg/api/podsecuritypolicy/util.go index 10ce15093c..7f28a729c6 100644 --- a/pkg/api/podsecuritypolicy/util.go +++ b/pkg/api/podsecuritypolicy/util.go @@ -35,6 +35,9 @@ func DropDisabledFields(pspSpec, oldPSPSpec *policy.PodSecurityPolicySpec) { pspSpec.AllowedUnsafeSysctls = nil pspSpec.ForbiddenSysctls = nil } + if !utilfeature.DefaultFeatureGate.Enabled(features.CSIInlineVolume) { + pspSpec.AllowedCSIDrivers = nil + } } func allowedProcMountTypesInUse(oldPSPSpec *policy.PodSecurityPolicySpec) bool { diff --git a/pkg/api/v1/pod/util.go b/pkg/api/v1/pod/util.go index 558e8a48c1..590bca8eb0 100644 --- a/pkg/api/v1/pod/util.go +++ b/pkg/api/v1/pod/util.go @@ -120,6 +120,10 @@ func VisitPodSecretNames(pod *v1.Pod, visitor Visitor) bool { if source.StorageOS.SecretRef != nil && !visitor(source.StorageOS.SecretRef.Name) { return false } + case source.CSI != nil: + if source.CSI.NodePublishSecretRef != nil && !visitor(source.CSI.NodePublishSecretRef.Name) { + return false + } } } return true diff --git a/pkg/api/v1/pod/util_test.go b/pkg/api/v1/pod/util_test.go index af05d73639..3d34d5d6c0 100644 --- a/pkg/api/v1/pod/util_test.go +++ b/pkg/api/v1/pod/util_test.go @@ -268,7 +268,11 @@ func TestPodSecrets(t *testing.T) { VolumeSource: v1.VolumeSource{ StorageOS: &v1.StorageOSVolumeSource{ SecretRef: &v1.LocalObjectReference{ - Name: "Spec.Volumes[*].VolumeSource.StorageOS.SecretRef"}}}}}, + Name: "Spec.Volumes[*].VolumeSource.StorageOS.SecretRef"}}}}, { + VolumeSource: v1.VolumeSource{ + CSI: &v1.CSIVolumeSource{ + NodePublishSecretRef: &v1.LocalObjectReference{ + Name: "Spec.Volumes[*].VolumeSource.CSI.NodePublishSecretRef"}}}}}, }, } extractedNames := sets.NewString() @@ -300,6 +304,7 @@ func TestPodSecrets(t *testing.T) { "Spec.Volumes[*].VolumeSource.ScaleIO.SecretRef", "Spec.Volumes[*].VolumeSource.ISCSI.SecretRef", "Spec.Volumes[*].VolumeSource.StorageOS.SecretRef", + "Spec.Volumes[*].VolumeSource.CSI.NodePublishSecretRef", ) secretPaths := collectResourcePaths(t, "secret", nil, "", reflect.TypeOf(&v1.Pod{})) secretPaths = secretPaths.Difference(excludedSecretPaths) diff --git a/pkg/apis/core/types.go b/pkg/apis/core/types.go index 685c10b5ce..157d38ced5 100644 --- a/pkg/apis/core/types.go +++ b/pkg/apis/core/types.go @@ -154,6 +154,9 @@ type VolumeSource struct { // StorageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod // +optional StorageOS *StorageOSVolumeSource + // CSI (Container Storage Interface) represents storage that is handled by an external CSI driver (Alpha feature). + // +optional + CSI *CSIVolumeSource } // Similar to VolumeSource but meant for the administrator who creates PVs. @@ -229,7 +232,7 @@ type PersistentVolumeSource struct { // More info: https://releases.k8s.io/HEAD/examples/volumes/storageos/README.md // +optional StorageOS *StorageOSPersistentVolumeSource - // CSI (Container Storage Interface) represents storage that handled by an external CSI driver. + // CSI (Container Storage Interface) represents storage that is handled by an external CSI driver. // +optional CSI *CSIPersistentVolumeSource } @@ -1603,6 +1606,38 @@ type CSIPersistentVolumeSource struct { NodePublishSecretRef *SecretReference } +// Represents a source location of a volume to mount, managed by an external CSI driver +type CSIVolumeSource struct { + // Driver is the name of the CSI driver that handles this volume. + // Consult with your admin for the correct name as registered in the cluster. + // Required. + Driver string + + // Specifies a read-only configuration for the volume. + // Defaults to false (read/write). + // +optional + ReadOnly *bool + + // Filesystem type to mount. Ex. "ext4", "xfs", "ntfs". + // If not provided, the empty value is passed to the associated CSI driver + // which will determine the default filesystem to apply. + // +optional + FSType *string + + // VolumeAttributes stores driver-specific properties that are passed to the CSI + // driver. Consult your driver's documentation for supported values. + // +optional + VolumeAttributes map[string]string + + // NodePublishSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver to complete the CSI + // NodePublishVolume and NodeUnpublishVolume calls. + // This field is optional, and may be empty if no secret is required. If the + // secret object contains more than one secret, all secret references are passed. + // +optional + NodePublishSecretRef *LocalObjectReference +} + // ContainerPort represents a network port in a single container type ContainerPort struct { // Optional: If specified, this must be an IANA_SVC_NAME Each named port diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go index 76fc962097..84b8a2ed9e 100644 --- a/pkg/apis/core/validation/validation.go +++ b/pkg/apis/core/validation/validation.go @@ -626,6 +626,14 @@ func validateVolumeSource(source *core.VolumeSource, fldPath *field.Path, volNam allErrs = append(allErrs, validateScaleIOVolumeSource(source.ScaleIO, fldPath.Child("scaleIO"))...) } } + if source.CSI != nil { + if numVolumes > 0 { + allErrs = append(allErrs, field.Forbidden(fldPath.Child("csi"), "may not specify more than 1 volume type")) + } else { + numVolumes++ + allErrs = append(allErrs, validateCSIVolumeSource(source.CSI, fldPath.Child("csi"))...) + } + } if numVolumes == 0 { allErrs = append(allErrs, field.Required(fldPath, "must specify a volume type")) @@ -1484,16 +1492,20 @@ func validateCSIPersistentVolumeSource(csi *core.CSIPersistentVolumeSource, fldP } } - if csi.NodeStageSecretRef != nil { - if len(csi.NodeStageSecretRef.Name) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("nodeStageSecretRef", "name"), "")) + return allErrs +} + +func validateCSIVolumeSource(csi *core.CSIVolumeSource, fldPath *field.Path) field.ErrorList { + allErrs := field.ErrorList{} + allErrs = append(allErrs, ValidateCSIDriverName(csi.Driver, fldPath.Child("driver"))...) + + if csi.NodePublishSecretRef != nil { + if len(csi.NodePublishSecretRef.Name) == 0 { + allErrs = append(allErrs, field.Required(fldPath.Child("nodePublishSecretRef ", "name"), "")) } else { - allErrs = append(allErrs, ValidateDNS1123Label(csi.NodeStageSecretRef.Name, fldPath.Child("name"))...) - } - if len(csi.NodeStageSecretRef.Namespace) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("nodeStageSecretRef", "namespace"), "")) - } else { - allErrs = append(allErrs, ValidateDNS1123Label(csi.NodeStageSecretRef.Namespace, fldPath.Child("namespace"))...) + for _, msg := range ValidateSecretName(csi.NodePublishSecretRef.Name, false) { + allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), csi.NodePublishSecretRef.Name, msg)) + } } } diff --git a/pkg/apis/policy/types.go b/pkg/apis/policy/types.go index a94711bdb3..f51079a34a 100644 --- a/pkg/apis/policy/types.go +++ b/pkg/apis/policy/types.go @@ -213,6 +213,10 @@ type PodSecurityPolicySpec struct { // is allowed in the "Volumes" field. // +optional AllowedFlexVolumes []AllowedFlexVolume + // AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. + // An empty value means no CSI drivers can run inline within a pod spec. + // +optional + AllowedCSIDrivers []AllowedCSIDriver // AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. // Each entry is either a plain sysctl name or ends in "*" in which case it is considered // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. @@ -308,6 +312,12 @@ type AllowedFlexVolume struct { Driver string } +// AllowedCSIDriver represents a single inline CSI Driver that is allowed to be used. +type AllowedCSIDriver struct { + // Name is the registered name of the CSI driver + Name string +} + // SELinuxStrategyOptions defines the strategy type and any options used to create the strategy. type SELinuxStrategyOptions struct { // Rule is the strategy that will dictate the allowable labels that may be set. diff --git a/pkg/apis/policy/validation/validation.go b/pkg/apis/policy/validation/validation.go index cb9e92864f..9b88c21a57 100644 --- a/pkg/apis/policy/validation/validation.go +++ b/pkg/apis/policy/validation/validation.go @@ -121,6 +121,7 @@ func ValidatePodSecurityPolicySpec(spec *policy.PodSecurityPolicySpec, fldPath * allErrs = append(allErrs, validatePSPAllowedProcMountTypes(fldPath.Child("allowedProcMountTypes"), spec.AllowedProcMountTypes)...) allErrs = append(allErrs, validatePSPAllowedHostPaths(fldPath.Child("allowedHostPaths"), spec.AllowedHostPaths)...) allErrs = append(allErrs, validatePSPAllowedFlexVolumes(fldPath.Child("allowedFlexVolumes"), spec.AllowedFlexVolumes)...) + allErrs = append(allErrs, validatePSPAllowedCSIDrivers(fldPath.Child("allowedCSIDrivers"), spec.AllowedCSIDrivers)...) allErrs = append(allErrs, validatePodSecurityPolicySysctls(fldPath.Child("allowedUnsafeSysctls"), spec.AllowedUnsafeSysctls)...) allErrs = append(allErrs, validatePodSecurityPolicySysctls(fldPath.Child("forbiddenSysctls"), spec.ForbiddenSysctls)...) allErrs = append(allErrs, validatePodSecurityPolicySysctlListsDoNotOverlap(fldPath.Child("allowedUnsafeSysctls"), fldPath.Child("forbiddenSysctls"), spec.AllowedUnsafeSysctls, spec.ForbiddenSysctls)...) @@ -194,6 +195,17 @@ func validatePSPAllowedFlexVolumes(fldPath *field.Path, flexVolumes []policy.All return allErrs } +func validatePSPAllowedCSIDrivers(fldPath *field.Path, csiDrivers []policy.AllowedCSIDriver) field.ErrorList { + allErrs := field.ErrorList{} + if len(csiDrivers) > 0 { + for idx, csiDriver := range csiDrivers { + fieldPath := fldPath.Child("allowedCSIDriver").Index(idx).Child("name") + allErrs = append(allErrs, apivalidation.ValidateCSIDriverName(csiDriver.Name, fieldPath)...) + } + } + return allErrs +} + // validatePSPSELinux validates the SELinux fields of PodSecurityPolicy. func validatePSPSELinux(fldPath *field.Path, seLinux *policy.SELinuxStrategyOptions) field.ErrorList { allErrs := field.ErrorList{} diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go index 4188842916..2d2f486bed 100644 --- a/pkg/features/kube_features.go +++ b/pkg/features/kube_features.go @@ -348,6 +348,12 @@ const ( // Enables CSI to use raw block storage volumes CSIBlockVolume utilfeature.Feature = "CSIBlockVolume" + // owner: @vladimirvivien + // alpha: v1.14 + // + // Enables CSI Inline volumes support for pods + CSIInlineVolume utilfeature.Feature = "CSIInlineVolume" + // owner: @tallclair // alpha: v1.12 // @@ -491,6 +497,7 @@ var defaultKubernetesFeatureGates = map[utilfeature.Feature]utilfeature.FeatureS KubeletPluginsWatcher: {Default: true, PreRelease: utilfeature.GA, LockToDefault: true}, // remove in 1.16 ResourceQuotaScopeSelectors: {Default: true, PreRelease: utilfeature.Beta}, CSIBlockVolume: {Default: true, PreRelease: utilfeature.Beta}, + CSIInlineVolume: {Default: false, PreRelease: utilfeature.Alpha}, RuntimeClass: {Default: false, PreRelease: utilfeature.Alpha}, NodeLease: {Default: true, PreRelease: utilfeature.Beta}, SCTPSupport: {Default: false, PreRelease: utilfeature.Alpha}, diff --git a/pkg/security/podsecuritypolicy/util/util.go b/pkg/security/podsecuritypolicy/util/util.go index c0a25da175..3620adca7a 100644 --- a/pkg/security/podsecuritypolicy/util/util.go +++ b/pkg/security/podsecuritypolicy/util/util.go @@ -129,6 +129,8 @@ func GetVolumeFSType(v api.Volume) (policy.FSType, error) { return policy.PortworxVolume, nil case v.ScaleIO != nil: return policy.ScaleIO, nil + case v.CSI != nil: + return policy.CSI, nil } return "", fmt.Errorf("unknown volume type for volume: %#v", v) diff --git a/staging/src/k8s.io/api/core/v1/types.go b/staging/src/k8s.io/api/core/v1/types.go index 8d67bc93e9..3af134400c 100644 --- a/staging/src/k8s.io/api/core/v1/types.go +++ b/staging/src/k8s.io/api/core/v1/types.go @@ -151,6 +151,9 @@ type VolumeSource struct { // StorageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. // +optional StorageOS *StorageOSVolumeSource `json:"storageos,omitempty" protobuf:"bytes,27,opt,name=storageos"` + // CSI (Container Storage Interface) represents storage that is handled by an external CSI driver (Alpha feature). + // +optional + CSI *CSIVolumeSource `json:"csi,omitempty" protobuf:"bytes,28,opt,name=csi"` } // PersistentVolumeClaimVolumeSource references the user's PVC in the same namespace. @@ -248,7 +251,7 @@ type PersistentVolumeSource struct { // More info: https://releases.k8s.io/HEAD/examples/volumes/storageos/README.md // +optional StorageOS *StorageOSPersistentVolumeSource `json:"storageos,omitempty" protobuf:"bytes,21,opt,name=storageos"` - // CSI represents storage that handled by an external CSI driver (Beta feature). + // CSI represents storage that is handled by an external CSI driver (Beta feature). // +optional CSI *CSIPersistentVolumeSource `json:"csi,omitempty" protobuf:"bytes,22,opt,name=csi"` } @@ -1691,6 +1694,37 @@ type CSIPersistentVolumeSource struct { NodePublishSecretRef *SecretReference `json:"nodePublishSecretRef,omitempty" protobuf:"bytes,8,opt,name=nodePublishSecretRef"` } +// Represents a source location of a volume to mount, managed by an external CSI driver +type CSIVolumeSource struct { + // Driver is the name of the CSI driver that handles this volume. + // Consult with your admin for the correct name as registered in the cluster. + Driver string `json:"driver" protobuf:"bytes,1,opt,name=driver"` + + // Specifies a read-only configuration for the volume. + // Defaults to false (read/write). + // +optional + ReadOnly *bool `json:"readOnly,omitempty" protobuf:"varint,2,opt,name=readOnly"` + + // Filesystem type to mount. Ex. "ext4", "xfs", "ntfs". + // If not provided, the empty value is passed to the associated CSI driver + // which will determine the default filesystem to apply. + // +optional + FSType *string `json:"fsType,omitempty" protobuf:"bytes,3,opt,name=fsType"` + + // VolumeAttributes stores driver-specific properties that are passed to the CSI + // driver. Consult your driver's documentation for supported values. + // +optional + VolumeAttributes map[string]string `json:"volumeAttributes,omitempty" protobuf:"bytes,4,rep,name=volumeAttributes"` + + // NodePublishSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver to complete the CSI + // NodePublishVolume and NodeUnpublishVolume calls. + // This field is optional, and may be empty if no secret is required. If the + // secret object contains more than one secret, all secret references are passed. + // +optional + NodePublishSecretRef *LocalObjectReference `json:"nodePublishSecretRef,omitempty" protobuf:"bytes,5,opt,name=nodePublishSecretRef"` +} + // ContainerPort represents a network port in a single container. type ContainerPort struct { // If specified, this must be an IANA_SVC_NAME and unique within the pod. Each diff --git a/staging/src/k8s.io/api/extensions/v1beta1/types.go b/staging/src/k8s.io/api/extensions/v1beta1/types.go index 7900274d3f..c34ea599d6 100644 --- a/staging/src/k8s.io/api/extensions/v1beta1/types.go +++ b/staging/src/k8s.io/api/extensions/v1beta1/types.go @@ -928,6 +928,10 @@ type PodSecurityPolicySpec struct { // is allowed in the "volumes" field. // +optional AllowedFlexVolumes []AllowedFlexVolume `json:"allowedFlexVolumes,omitempty" protobuf:"bytes,18,rep,name=allowedFlexVolumes"` + // AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. + // An empty value means no CSI drivers can run inline within a pod spec. + // +optional + AllowedCSIDrivers []AllowedCSIDriver `json:"allowedCSIDrivers,omitempty" protobuf:"bytes,23,rep,name=allowedCSIDrivers"` // allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. // Each entry is either a plain sysctl name or ends in "*" in which case it is considered // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. @@ -998,6 +1002,7 @@ var ( ConfigMap FSType = "configMap" Quobyte FSType = "quobyte" AzureDisk FSType = "azureDisk" + CSI FSType = "csi" All FSType = "*" ) @@ -1008,6 +1013,12 @@ type AllowedFlexVolume struct { Driver string `json:"driver" protobuf:"bytes,1,opt,name=driver"` } +// AllowedCSIDriver represents a single inline CSI Driver that is allowed to be used. +type AllowedCSIDriver struct { + // Name is the registered name of the CSI driver + Name string `json:"name" protobuf:"bytes,1,opt,name=name"` +} + // HostPortRange defines a range of host ports that will be enabled by a policy // for pods to use. It requires both the start and end to be defined. // Deprecated: use HostPortRange from policy API Group instead. diff --git a/staging/src/k8s.io/api/policy/v1beta1/types.go b/staging/src/k8s.io/api/policy/v1beta1/types.go index 91ea118587..74ddd06932 100644 --- a/staging/src/k8s.io/api/policy/v1beta1/types.go +++ b/staging/src/k8s.io/api/policy/v1beta1/types.go @@ -216,6 +216,10 @@ type PodSecurityPolicySpec struct { // is allowed in the "volumes" field. // +optional AllowedFlexVolumes []AllowedFlexVolume `json:"allowedFlexVolumes,omitempty" protobuf:"bytes,18,rep,name=allowedFlexVolumes"` + // AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. + // An empty value means no CSI drivers can run inline within a pod spec. + // +optional + AllowedCSIDrivers []AllowedCSIDriver `json:"allowedCSIDrivers,omitempty" protobuf:"bytes,23,rep,name=allowedCSIDrivers"` // allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. // Each entry is either a plain sysctl name or ends in "*" in which case it is considered // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. @@ -304,6 +308,12 @@ type AllowedFlexVolume struct { Driver string `json:"driver" protobuf:"bytes,1,opt,name=driver"` } +// AllowedCSIDriver represents a single inline CSI Driver that is allowed to be used. +type AllowedCSIDriver struct { + // Name is the registered name of the CSI driver + Name string `json:"name" protobuf:"bytes,1,opt,name=name"` +} + // HostPortRange defines a range of host ports that will be enabled by a policy // for pods to use. It requires both the start and end to be defined. type HostPortRange struct {