mirror of https://github.com/k3s-io/k3s
add api for service account token volume projection
parent
7cc1103011
commit
fd39d8277c
|
@ -1391,6 +1391,28 @@ type ConfigMapProjection struct {
|
||||||
Optional *bool
|
Optional *bool
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ServiceAccountTokenProjection represents a projected service account token
|
||||||
|
// volume. This projection can be used to insert a service account token into
|
||||||
|
// the pods runtime filesystem for use against APIs (Kubernetes API Server or
|
||||||
|
// otherwise).
|
||||||
|
type ServiceAccountTokenProjection struct {
|
||||||
|
// Audience is the intended audience of the token. A recipient of a token
|
||||||
|
// must identify itself with an identifier specified in the audience of the
|
||||||
|
// token, and otherwise should reject the token. The audience defaults to the
|
||||||
|
// identifier of the apiserver.
|
||||||
|
Audience string
|
||||||
|
// ExpirationSeconds is the requested duration of validity of the service
|
||||||
|
// account token. As the token approaches expiration, the kubelet volume
|
||||||
|
// plugin will proactively rotate the service account token. The kubelet will
|
||||||
|
// start trying to rotate the token if the token is older than 80 percent of
|
||||||
|
// its time to live or if the token is older than 24 hours.Defaults to 1 hour
|
||||||
|
// and must be at least 10 minutes.
|
||||||
|
ExpirationSeconds int64
|
||||||
|
// Path is the path relative to the mount point of the file to project the
|
||||||
|
// token into.
|
||||||
|
Path string
|
||||||
|
}
|
||||||
|
|
||||||
// Represents a projected volume source
|
// Represents a projected volume source
|
||||||
type ProjectedVolumeSource struct {
|
type ProjectedVolumeSource struct {
|
||||||
// list of volume projections
|
// list of volume projections
|
||||||
|
@ -1414,6 +1436,8 @@ type VolumeProjection struct {
|
||||||
DownwardAPI *DownwardAPIProjection
|
DownwardAPI *DownwardAPIProjection
|
||||||
// information about the configMap data to project
|
// information about the configMap data to project
|
||||||
ConfigMap *ConfigMapProjection
|
ConfigMap *ConfigMapProjection
|
||||||
|
// information about the serviceAccountToken data to project
|
||||||
|
ServiceAccountToken *ServiceAccountTokenProjection
|
||||||
}
|
}
|
||||||
|
|
||||||
// Maps a string key to a path within a volume.
|
// Maps a string key to a path within a volume.
|
||||||
|
|
|
@ -17,6 +17,8 @@ limitations under the License.
|
||||||
package v1
|
package v1
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"time"
|
||||||
|
|
||||||
"k8s.io/api/core/v1"
|
"k8s.io/api/core/v1"
|
||||||
"k8s.io/apimachinery/pkg/runtime"
|
"k8s.io/apimachinery/pkg/runtime"
|
||||||
"k8s.io/apimachinery/pkg/util/intstr"
|
"k8s.io/apimachinery/pkg/util/intstr"
|
||||||
|
@ -223,6 +225,12 @@ func SetDefaults_ProjectedVolumeSource(obj *v1.ProjectedVolumeSource) {
|
||||||
obj.DefaultMode = &perm
|
obj.DefaultMode = &perm
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
func SetDefaults_ServiceAccountTokenProjection(obj *v1.ServiceAccountTokenProjection) {
|
||||||
|
hour := int64(time.Hour.Seconds())
|
||||||
|
if obj.ExpirationSeconds == nil {
|
||||||
|
obj.ExpirationSeconds = &hour
|
||||||
|
}
|
||||||
|
}
|
||||||
func SetDefaults_PersistentVolume(obj *v1.PersistentVolume) {
|
func SetDefaults_PersistentVolume(obj *v1.PersistentVolume) {
|
||||||
if obj.Status.Phase == "" {
|
if obj.Status.Phase == "" {
|
||||||
obj.Status.Phase = v1.VolumePending
|
obj.Status.Phase = v1.VolumePending
|
||||||
|
|
|
@ -1039,6 +1039,21 @@ func validateProjectionSources(projection *core.ProjectedVolumeSource, projectio
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if projPath := fldPath.Child("serviceAccountToken"); source.ServiceAccountToken != nil {
|
||||||
|
numSources++
|
||||||
|
if !utilfeature.DefaultFeatureGate.Enabled(features.TokenRequestProjection) {
|
||||||
|
allErrs = append(allErrs, field.Forbidden(projPath, "TokenRequestProjection feature is not enabled"))
|
||||||
|
}
|
||||||
|
if source.ServiceAccountToken.ExpirationSeconds < 10*60 {
|
||||||
|
allErrs = append(allErrs, field.Invalid(projPath.Child("expirationSeconds"), source.ServiceAccountToken.ExpirationSeconds, "may not specify a duration less than 10 minutes"))
|
||||||
|
}
|
||||||
|
if source.ServiceAccountToken.ExpirationSeconds > 1<<32 {
|
||||||
|
allErrs = append(allErrs, field.Invalid(projPath.Child("expirationSeconds"), source.ServiceAccountToken.ExpirationSeconds, "may not specify a duration larger than 2^32 seconds"))
|
||||||
|
}
|
||||||
|
if source.ServiceAccountToken.Path == "" {
|
||||||
|
allErrs = append(allErrs, field.Required(fldPath.Child("path"), ""))
|
||||||
|
}
|
||||||
|
}
|
||||||
if numSources > 1 {
|
if numSources > 1 {
|
||||||
allErrs = append(allErrs, field.Forbidden(srcPath, "may not specify more than 1 volume type"))
|
allErrs = append(allErrs, field.Forbidden(srcPath, "may not specify more than 1 volume type"))
|
||||||
}
|
}
|
||||||
|
|
|
@ -248,6 +248,12 @@ const (
|
||||||
// Implement TokenRequest endpoint on service account resources.
|
// Implement TokenRequest endpoint on service account resources.
|
||||||
TokenRequest utilfeature.Feature = "TokenRequest"
|
TokenRequest utilfeature.Feature = "TokenRequest"
|
||||||
|
|
||||||
|
// owner: @mikedanese
|
||||||
|
// alpha: v1.11
|
||||||
|
//
|
||||||
|
// Enable ServiceAccountTokenVolumeProjection support in ProjectedVolumes.
|
||||||
|
TokenRequestProjection utilfeature.Feature = "TokenRequestProjection"
|
||||||
|
|
||||||
// owner: @Random-Liu
|
// owner: @Random-Liu
|
||||||
// beta: v1.11
|
// beta: v1.11
|
||||||
//
|
//
|
||||||
|
@ -329,6 +335,7 @@ var defaultKubernetesFeatureGates = map[utilfeature.Feature]utilfeature.FeatureS
|
||||||
HyperVContainer: {Default: false, PreRelease: utilfeature.Alpha},
|
HyperVContainer: {Default: false, PreRelease: utilfeature.Alpha},
|
||||||
ScheduleDaemonSetPods: {Default: false, PreRelease: utilfeature.Alpha},
|
ScheduleDaemonSetPods: {Default: false, PreRelease: utilfeature.Alpha},
|
||||||
TokenRequest: {Default: false, PreRelease: utilfeature.Alpha},
|
TokenRequest: {Default: false, PreRelease: utilfeature.Alpha},
|
||||||
|
TokenRequestProjection: {Default: false, PreRelease: utilfeature.Alpha},
|
||||||
CRIContainerLogRotation: {Default: true, PreRelease: utilfeature.Beta},
|
CRIContainerLogRotation: {Default: true, PreRelease: utilfeature.Beta},
|
||||||
GCERegionalPersistentDisk: {Default: true, PreRelease: utilfeature.Beta},
|
GCERegionalPersistentDisk: {Default: true, PreRelease: utilfeature.Beta},
|
||||||
RunAsGroup: {Default: false, PreRelease: utilfeature.Alpha},
|
RunAsGroup: {Default: false, PreRelease: utilfeature.Alpha},
|
||||||
|
|
|
@ -1466,6 +1466,30 @@ type ConfigMapProjection struct {
|
||||||
Optional *bool `json:"optional,omitempty" protobuf:"varint,4,opt,name=optional"`
|
Optional *bool `json:"optional,omitempty" protobuf:"varint,4,opt,name=optional"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ServiceAccountTokenProjection represents a projected service account token
|
||||||
|
// volume. This projection can be used to insert a service account token into
|
||||||
|
// the pods runtime filesystem for use against APIs (Kubernetes API Server or
|
||||||
|
// otherwise).
|
||||||
|
type ServiceAccountTokenProjection struct {
|
||||||
|
// Audience is the intended audience of the token. A recipient of a token
|
||||||
|
// must identify itself with an identifier specified in the audience of the
|
||||||
|
// token, and otherwise should reject the token. The audience defaults to the
|
||||||
|
// identifier of the apiserver.
|
||||||
|
//+optional
|
||||||
|
Audience string `json:"audience,omitempty" protobuf:"bytes,1,rep,name=audience"`
|
||||||
|
// ExpirationSeconds is the requested duration of validity of the service
|
||||||
|
// account token. As the token approaches expiration, the kubelet volume
|
||||||
|
// plugin will proactively rotate the service account token. The kubelet will
|
||||||
|
// start trying to rotate the token if the token is older than 80 percent of
|
||||||
|
// its time to live or if the token is older than 24 hours.Defaults to 1 hour
|
||||||
|
// and must be at least 10 minutes.
|
||||||
|
//+optional
|
||||||
|
ExpirationSeconds *int64 `json:"expirationSeconds,omitempty" protobuf:"varint,2,opt,name=expirationSeconds"`
|
||||||
|
// Path is the path relative to the mount point of the file to project the
|
||||||
|
// token into.
|
||||||
|
Path string `json:"path" protobuf:"bytes,3,opt,name=path"`
|
||||||
|
}
|
||||||
|
|
||||||
// Represents a projected volume source
|
// Represents a projected volume source
|
||||||
type ProjectedVolumeSource struct {
|
type ProjectedVolumeSource struct {
|
||||||
// list of volume projections
|
// list of volume projections
|
||||||
|
@ -1484,11 +1508,17 @@ type VolumeProjection struct {
|
||||||
// all types below are the supported types for projection into the same volume
|
// all types below are the supported types for projection into the same volume
|
||||||
|
|
||||||
// information about the secret data to project
|
// information about the secret data to project
|
||||||
|
// +optional
|
||||||
Secret *SecretProjection `json:"secret,omitempty" protobuf:"bytes,1,opt,name=secret"`
|
Secret *SecretProjection `json:"secret,omitempty" protobuf:"bytes,1,opt,name=secret"`
|
||||||
// information about the downwardAPI data to project
|
// information about the downwardAPI data to project
|
||||||
|
// +optional
|
||||||
DownwardAPI *DownwardAPIProjection `json:"downwardAPI,omitempty" protobuf:"bytes,2,opt,name=downwardAPI"`
|
DownwardAPI *DownwardAPIProjection `json:"downwardAPI,omitempty" protobuf:"bytes,2,opt,name=downwardAPI"`
|
||||||
// information about the configMap data to project
|
// information about the configMap data to project
|
||||||
|
// +optional
|
||||||
ConfigMap *ConfigMapProjection `json:"configMap,omitempty" protobuf:"bytes,3,opt,name=configMap"`
|
ConfigMap *ConfigMapProjection `json:"configMap,omitempty" protobuf:"bytes,3,opt,name=configMap"`
|
||||||
|
// information about the serviceAccountToken data to project
|
||||||
|
// +optional
|
||||||
|
ServiceAccountToken *ServiceAccountTokenProjection `json:"serviceAccountToken,omitempty" protobuf:"bytes,4,opt,name=serviceAccountToken"`
|
||||||
}
|
}
|
||||||
|
|
||||||
const (
|
const (
|
||||||
|
|
Loading…
Reference in New Issue