From 3215005f3ae746d21c9ab2ad92c1cb77eebffecf Mon Sep 17 00:00:00 2001 From: Jan Safranek Date: Wed, 25 Oct 2017 14:33:53 +0200 Subject: [PATCH] Secret updates - allow CSI to be used only via PersistentVolumes, no inline volumes in Pods - use CSIPersistentVolumeSource instead of CSIVolumeSource - update json and protobuf tags - use SecretReference instead of ObjectReference --- .../storage/container-storage-interface.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/contributors/design-proposals/storage/container-storage-interface.md b/contributors/design-proposals/storage/container-storage-interface.md index 2ed2a5081ea..f9cd310145d 100644 --- a/contributors/design-proposals/storage/container-storage-interface.md +++ b/contributors/design-proposals/storage/container-storage-interface.md @@ -234,10 +234,10 @@ The existing Kubernetes volume components (attach/detach controller, PVC/PV cont #### Proposed API -A new `CSIVolumeSource` object will be added to the Kubernetes API. It will be part of the existing `VolumeSource` and `PersistentVolumeSource` objects. This will enable Kubernetes users to use the new volume just like existing volume via a `PersistentVolume` or as a direct reference in a pod. +A new `CSIPersistentVolumeSource` object will be added to the Kubernetes API. It will be part of the existing `PersistentVolumeSource` objects and thus can be used only via PersistentVolumes. For now we do not consider allowing CSI volumes directly from Pods without PersistentVolumeClaim. ```GO -type CSIVolumeSource struct { +type CSIPersistentVolumeSource struct { // Driver is the name of the driver to use for this volume. // Required. Driver string `json:"driver" protobuf:"bytes,1,opt,name=driver"` @@ -250,25 +250,25 @@ type CSIVolumeSource struct { // sensitive information to pass to the CSI driver during NodePublish. // This may be empty if no secret is required. If the secret object contains // more than one secret, all secrets are passed. - // This is a local object reference so only secrets within the same - // namespace as the pod or PVC referencing this volume can be referenced. // +optional - MountSecretRef *LocalObjectReference `json:"secretRef,omitempty" protobuf:"bytes,3,opt,name=secretRef"` + MountSecretRef *SecretReference `json:"mountSecretRef,omitempty" protobuf:"bytes,3,opt,name=mountSecretRef"` // Optional: AttachSecretRef is a reference to the secret object containing // sensitive information to pass to the CSI driver during ControllerPublish. // This may be empty if no secret is required. If the secret object contains // more than one secret, all secrets are passed. // +optional - AttachSecretRef *ObjectReference `json:"secretRef,omitempty" protobuf:"bytes,3,opt,name=secretRef"` + AttachSecretRef *SecretReference `json:"attachSecretRef,omitempty" protobuf:"bytes,4,opt,name=attachSecretRef"` // Optional: The value to pass to ControllerPublishVolumeRequest. // Defaults to false (read/write). // +optional - ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,4,opt,name=readOnly"` + ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,5,opt,name=readOnly"` } ``` +Note that both attach and mount secrets are in a dedicated namespace where external AttachController and kubelet has access and they should not be visible to regular users. It is expected that either admin or external provisioner create these secrets when creating corresponding PV. + #### Internal Interfaces The in-tree CSI volume plugin will implement the following internal Kubernetes volume interfaces: @@ -286,6 +286,8 @@ The in-tree volume plugin’s SetUp and TearDown methods will trigger the `NodeP The Kubernetes volume sub-system does not currently support block volumes (only file), so for alpha, the Kubernetes CSI volume plugin will only support file. +As part of kubelet work, NodeAuthorizer needs to be updated to allow kubelet accessing MountSecret for internal CSI volume plugin. + #### Attaching and Detaching The attach/detach controller,running as part of the kube-controller-manager binary on the master, decides when a CSI volume must be attached or detached from a particular node.