From fd39d8277c83c34b3c0a855dd532ddeafd3d4bf6 Mon Sep 17 00:00:00 2001 From: Mike Danese Date: Mon, 14 May 2018 18:56:23 -0700 Subject: [PATCH] add api for service account token volume projection --- pkg/apis/core/types.go | 24 ++++++++++++++++++++ pkg/apis/core/v1/defaults.go | 8 +++++++ pkg/apis/core/validation/validation.go | 15 +++++++++++++ pkg/features/kube_features.go | 7 ++++++ staging/src/k8s.io/api/core/v1/types.go | 30 +++++++++++++++++++++++++ 5 files changed, 84 insertions(+) diff --git a/pkg/apis/core/types.go b/pkg/apis/core/types.go index 54c23ab719..a8786cf7ba 100644 --- a/pkg/apis/core/types.go +++ b/pkg/apis/core/types.go @@ -1391,6 +1391,28 @@ type ConfigMapProjection struct { Optional *bool } +// ServiceAccountTokenProjection represents a projected service account token +// volume. This projection can be used to insert a service account token into +// the pods runtime filesystem for use against APIs (Kubernetes API Server or +// otherwise). +type ServiceAccountTokenProjection struct { + // Audience is the intended audience of the token. A recipient of a token + // must identify itself with an identifier specified in the audience of the + // token, and otherwise should reject the token. The audience defaults to the + // identifier of the apiserver. + Audience string + // ExpirationSeconds is the requested duration of validity of the service + // account token. As the token approaches expiration, the kubelet volume + // plugin will proactively rotate the service account token. The kubelet will + // start trying to rotate the token if the token is older than 80 percent of + // its time to live or if the token is older than 24 hours.Defaults to 1 hour + // and must be at least 10 minutes. + ExpirationSeconds int64 + // Path is the path relative to the mount point of the file to project the + // token into. + Path string +} + // Represents a projected volume source type ProjectedVolumeSource struct { // list of volume projections @@ -1414,6 +1436,8 @@ type VolumeProjection struct { DownwardAPI *DownwardAPIProjection // information about the configMap data to project ConfigMap *ConfigMapProjection + // information about the serviceAccountToken data to project + ServiceAccountToken *ServiceAccountTokenProjection } // Maps a string key to a path within a volume. diff --git a/pkg/apis/core/v1/defaults.go b/pkg/apis/core/v1/defaults.go index 09ee8f3feb..110ef54df1 100644 --- a/pkg/apis/core/v1/defaults.go +++ b/pkg/apis/core/v1/defaults.go @@ -17,6 +17,8 @@ limitations under the License. package v1 import ( + "time" + "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/util/intstr" @@ -223,6 +225,12 @@ func SetDefaults_ProjectedVolumeSource(obj *v1.ProjectedVolumeSource) { obj.DefaultMode = &perm } } +func SetDefaults_ServiceAccountTokenProjection(obj *v1.ServiceAccountTokenProjection) { + hour := int64(time.Hour.Seconds()) + if obj.ExpirationSeconds == nil { + obj.ExpirationSeconds = &hour + } +} func SetDefaults_PersistentVolume(obj *v1.PersistentVolume) { if obj.Status.Phase == "" { obj.Status.Phase = v1.VolumePending diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go index 6a01b7f625..915f2495ff 100644 --- a/pkg/apis/core/validation/validation.go +++ b/pkg/apis/core/validation/validation.go @@ -1039,6 +1039,21 @@ func validateProjectionSources(projection *core.ProjectedVolumeSource, projectio } } } + if projPath := fldPath.Child("serviceAccountToken"); source.ServiceAccountToken != nil { + numSources++ + if !utilfeature.DefaultFeatureGate.Enabled(features.TokenRequestProjection) { + allErrs = append(allErrs, field.Forbidden(projPath, "TokenRequestProjection feature is not enabled")) + } + if source.ServiceAccountToken.ExpirationSeconds < 10*60 { + allErrs = append(allErrs, field.Invalid(projPath.Child("expirationSeconds"), source.ServiceAccountToken.ExpirationSeconds, "may not specify a duration less than 10 minutes")) + } + if source.ServiceAccountToken.ExpirationSeconds > 1<<32 { + allErrs = append(allErrs, field.Invalid(projPath.Child("expirationSeconds"), source.ServiceAccountToken.ExpirationSeconds, "may not specify a duration larger than 2^32 seconds")) + } + if source.ServiceAccountToken.Path == "" { + allErrs = append(allErrs, field.Required(fldPath.Child("path"), "")) + } + } if numSources > 1 { allErrs = append(allErrs, field.Forbidden(srcPath, "may not specify more than 1 volume type")) } diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go index e95a0fcc15..d3b775b561 100644 --- a/pkg/features/kube_features.go +++ b/pkg/features/kube_features.go @@ -248,6 +248,12 @@ const ( // Implement TokenRequest endpoint on service account resources. TokenRequest utilfeature.Feature = "TokenRequest" + // owner: @mikedanese + // alpha: v1.11 + // + // Enable ServiceAccountTokenVolumeProjection support in ProjectedVolumes. + TokenRequestProjection utilfeature.Feature = "TokenRequestProjection" + // owner: @Random-Liu // beta: v1.11 // @@ -329,6 +335,7 @@ var defaultKubernetesFeatureGates = map[utilfeature.Feature]utilfeature.FeatureS HyperVContainer: {Default: false, PreRelease: utilfeature.Alpha}, ScheduleDaemonSetPods: {Default: false, PreRelease: utilfeature.Alpha}, TokenRequest: {Default: false, PreRelease: utilfeature.Alpha}, + TokenRequestProjection: {Default: false, PreRelease: utilfeature.Alpha}, CRIContainerLogRotation: {Default: true, PreRelease: utilfeature.Beta}, GCERegionalPersistentDisk: {Default: true, PreRelease: utilfeature.Beta}, RunAsGroup: {Default: false, PreRelease: utilfeature.Alpha}, diff --git a/staging/src/k8s.io/api/core/v1/types.go b/staging/src/k8s.io/api/core/v1/types.go index e46e9db0a7..c08a38d88b 100644 --- a/staging/src/k8s.io/api/core/v1/types.go +++ b/staging/src/k8s.io/api/core/v1/types.go @@ -1466,6 +1466,30 @@ type ConfigMapProjection struct { Optional *bool `json:"optional,omitempty" protobuf:"varint,4,opt,name=optional"` } +// ServiceAccountTokenProjection represents a projected service account token +// volume. This projection can be used to insert a service account token into +// the pods runtime filesystem for use against APIs (Kubernetes API Server or +// otherwise). +type ServiceAccountTokenProjection struct { + // Audience is the intended audience of the token. A recipient of a token + // must identify itself with an identifier specified in the audience of the + // token, and otherwise should reject the token. The audience defaults to the + // identifier of the apiserver. + //+optional + Audience string `json:"audience,omitempty" protobuf:"bytes,1,rep,name=audience"` + // ExpirationSeconds is the requested duration of validity of the service + // account token. As the token approaches expiration, the kubelet volume + // plugin will proactively rotate the service account token. The kubelet will + // start trying to rotate the token if the token is older than 80 percent of + // its time to live or if the token is older than 24 hours.Defaults to 1 hour + // and must be at least 10 minutes. + //+optional + ExpirationSeconds *int64 `json:"expirationSeconds,omitempty" protobuf:"varint,2,opt,name=expirationSeconds"` + // Path is the path relative to the mount point of the file to project the + // token into. + Path string `json:"path" protobuf:"bytes,3,opt,name=path"` +} + // Represents a projected volume source type ProjectedVolumeSource struct { // list of volume projections @@ -1484,11 +1508,17 @@ type VolumeProjection struct { // all types below are the supported types for projection into the same volume // information about the secret data to project + // +optional Secret *SecretProjection `json:"secret,omitempty" protobuf:"bytes,1,opt,name=secret"` // information about the downwardAPI data to project + // +optional DownwardAPI *DownwardAPIProjection `json:"downwardAPI,omitempty" protobuf:"bytes,2,opt,name=downwardAPI"` // information about the configMap data to project + // +optional ConfigMap *ConfigMapProjection `json:"configMap,omitempty" protobuf:"bytes,3,opt,name=configMap"` + // information about the serviceAccountToken data to project + // +optional + ServiceAccountToken *ServiceAccountTokenProjection `json:"serviceAccountToken,omitempty" protobuf:"bytes,4,opt,name=serviceAccountToken"` } const (