diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json index b17dd6df5a58..cb264a8ab263 100644 --- a/api/openapi-spec/swagger.json +++ b/api/openapi-spec/swagger.json @@ -15765,27 +15765,27 @@ "description": "CSIDriverSpec is the specification of a CSIDriver.", "properties": { "attachRequired": { - "description": "attachRequired indicates this CSI volume driver requires an attach operation (because it implements the CSI ControllerPublishVolume() method), and that the Kubernetes attach detach controller should call the attach volume interface which checks the volumeattachment status and waits until the volume is attached before proceeding to mounting. The CSI external-attacher coordinates with CSI volume driver and updates the volumeattachment status when the attach operation is complete. If the CSIDriverRegistry feature gate is enabled and the value is specified to false, the attach operation will be skipped. Otherwise the attach operation will be called.", + "description": "attachRequired indicates this CSI volume driver requires an attach operation (because it implements the CSI ControllerPublishVolume() method), and that the Kubernetes attach detach controller should call the attach volume interface which checks the volumeattachment status and waits until the volume is attached before proceeding to mounting. The CSI external-attacher coordinates with CSI volume driver and updates the volumeattachment status when the attach operation is complete. If the CSIDriverRegistry feature gate is enabled and the value is specified to false, the attach operation will be skipped. Otherwise the attach operation will be called.\n\nThis field is immutable.", "type": "boolean" }, "fsGroupPolicy": { - "description": "Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Refer to the specific FSGroupPolicy values for additional details. This field is alpha-level, and is only honored by servers that enable the CSIVolumeFSGroupPolicy feature gate.", + "description": "Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Refer to the specific FSGroupPolicy values for additional details. This field is alpha-level, and is only honored by servers that enable the CSIVolumeFSGroupPolicy feature gate.\n\nThis field is immutable.", "type": "string" }, "podInfoOnMount": { - "description": "If set to true, podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations. If set to false, pod information will not be passed on mount. Default is false. The CSI driver specifies podInfoOnMount as part of driver deployment. If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. The CSI driver is responsible for parsing and validating the information passed in as VolumeContext. The following VolumeConext will be passed if podInfoOnMount is set to true. This list might grow, but the prefix will be used. \"csi.storage.k8s.io/pod.name\": pod.Name \"csi.storage.k8s.io/pod.namespace\": pod.Namespace \"csi.storage.k8s.io/pod.uid\": string(pod.UID) \"csi.storage.k8s.io/ephemeral\": \"true\" if the volume is an ephemeral inline volume\n defined by a CSIVolumeSource, otherwise \"false\"\n\n\"csi.storage.k8s.io/ephemeral\" is a new feature in Kubernetes 1.16. It is only required for drivers which support both the \"Persistent\" and \"Ephemeral\" VolumeLifecycleMode. Other drivers can leave pod info disabled and/or ignore this field. As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when deployed on such a cluster and the deployment determines which mode that is, for example via a command line parameter of the driver.", + "description": "If set to true, podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations. If set to false, pod information will not be passed on mount. Default is false. The CSI driver specifies podInfoOnMount as part of driver deployment. If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. The CSI driver is responsible for parsing and validating the information passed in as VolumeContext. The following VolumeConext will be passed if podInfoOnMount is set to true. This list might grow, but the prefix will be used. \"csi.storage.k8s.io/pod.name\": pod.Name \"csi.storage.k8s.io/pod.namespace\": pod.Namespace \"csi.storage.k8s.io/pod.uid\": string(pod.UID) \"csi.storage.k8s.io/ephemeral\": \"true\" if the volume is an ephemeral inline volume\n defined by a CSIVolumeSource, otherwise \"false\"\n\n\"csi.storage.k8s.io/ephemeral\" is a new feature in Kubernetes 1.16. It is only required for drivers which support both the \"Persistent\" and \"Ephemeral\" VolumeLifecycleMode. Other drivers can leave pod info disabled and/or ignore this field. As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when deployed on such a cluster and the deployment determines which mode that is, for example via a command line parameter of the driver.\n\nThis field is immutable.", "type": "boolean" }, "requiresRepublish": { - "description": "RequiresRepublish indicates the CSI driver wants `NodePublishVolume` being periodically called to reflect any possible change in the mounted volume. This field defaults to false.\n\nNote: After a successful initial NodePublishVolume call, subsequent calls to NodePublishVolume should only update the contents of the volume. New mount points will not be seen by a running container.\n\nThis is an alpha feature and only available when the CSIServiceAccountToken feature is enabled.", + "description": "RequiresRepublish indicates the CSI driver wants `NodePublishVolume` being periodically called to reflect any possible change in the mounted volume. This field defaults to false.\n\nNote: After a successful initial NodePublishVolume call, subsequent calls to NodePublishVolume should only update the contents of the volume. New mount points will not be seen by a running container.\n\nThis is a beta feature and only available when the CSIServiceAccountToken feature is enabled.", "type": "boolean" }, "storageCapacity": { - "description": "If set to true, storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage capacity that the driver deployment will report by creating CSIStorageCapacity objects with capacity information.\n\nThe check can be enabled immediately when deploying a driver. In that case, provisioning new volumes with late binding will pause until the driver deployment has published some suitable CSIStorageCapacity object.\n\nAlternatively, the driver can be deployed with the field unset or false and it can be flipped later when storage capacity information has been published.\n\nThis is a beta field and only available when the CSIStorageCapacity feature is enabled. The default is false.", + "description": "If set to true, storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage capacity that the driver deployment will report by creating CSIStorageCapacity objects with capacity information.\n\nThe check can be enabled immediately when deploying a driver. In that case, provisioning new volumes with late binding will pause until the driver deployment has published some suitable CSIStorageCapacity object.\n\nAlternatively, the driver can be deployed with the field unset or false and it can be flipped later when storage capacity information has been published.\n\nThis field is immutable.\n\nThis is a beta field and only available when the CSIStorageCapacity feature is enabled. The default is false.", "type": "boolean" }, "tokenRequests": { - "description": "TokenRequests indicates the CSI driver needs pods' service account tokens it is mounting volume for to do necessary authentication. Kubelet will pass the tokens in VolumeContext in the CSI NodePublishVolume calls. The CSI driver should parse and validate the following VolumeContext: \"csi.storage.k8s.io/serviceAccount.tokens\": {\n \"\": {\n \"token\": ,\n \"expirationTimestamp\": ,\n },\n ...\n}\n\nNote: Audience in each TokenRequest should be different and at most one token is empty string. To receive a new token after expiry, RequiresRepublish can be used to trigger NodePublishVolume periodically.\n\nThis is an alpha feature and only available when the CSIServiceAccountToken feature is enabled.", + "description": "TokenRequests indicates the CSI driver needs pods' service account tokens it is mounting volume for to do necessary authentication. Kubelet will pass the tokens in VolumeContext in the CSI NodePublishVolume calls. The CSI driver should parse and validate the following VolumeContext: \"csi.storage.k8s.io/serviceAccount.tokens\": {\n \"\": {\n \"token\": ,\n \"expirationTimestamp\": ,\n },\n ...\n}\n\nNote: Audience in each TokenRequest should be different and at most one token is empty string. To receive a new token after expiry, RequiresRepublish can be used to trigger NodePublishVolume periodically.\n\nThis is a beta feature and only available when the CSIServiceAccountToken feature is enabled.", "items": { "$ref": "#/definitions/io.k8s.api.storage.v1.TokenRequest" }, @@ -15793,7 +15793,7 @@ "x-kubernetes-list-type": "atomic" }, "volumeLifecycleModes": { - "description": "volumeLifecycleModes defines what kind of volumes this CSI volume driver supports. The default if the list is empty is \"Persistent\", which is the usage defined by the CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism. The other mode is \"Ephemeral\". In this mode, volumes are defined inline inside the pod spec with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume. For more information about implementing this mode, see https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html A driver can support one or more of these modes and more modes may be added in the future. This field is beta.", + "description": "volumeLifecycleModes defines what kind of volumes this CSI volume driver supports. The default if the list is empty is \"Persistent\", which is the usage defined by the CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism. The other mode is \"Ephemeral\". In this mode, volumes are defined inline inside the pod spec with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume. For more information about implementing this mode, see https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html A driver can support one or more of these modes and more modes may be added in the future. This field is beta.\n\nThis field is immutable.", "items": { "type": "string" }, @@ -16500,27 +16500,27 @@ "description": "CSIDriverSpec is the specification of a CSIDriver.", "properties": { "attachRequired": { - "description": "attachRequired indicates this CSI volume driver requires an attach operation (because it implements the CSI ControllerPublishVolume() method), and that the Kubernetes attach detach controller should call the attach volume interface which checks the volumeattachment status and waits until the volume is attached before proceeding to mounting. The CSI external-attacher coordinates with CSI volume driver and updates the volumeattachment status when the attach operation is complete. If the CSIDriverRegistry feature gate is enabled and the value is specified to false, the attach operation will be skipped. Otherwise the attach operation will be called.", + "description": "attachRequired indicates this CSI volume driver requires an attach operation (because it implements the CSI ControllerPublishVolume() method), and that the Kubernetes attach detach controller should call the attach volume interface which checks the volumeattachment status and waits until the volume is attached before proceeding to mounting. The CSI external-attacher coordinates with CSI volume driver and updates the volumeattachment status when the attach operation is complete. If the CSIDriverRegistry feature gate is enabled and the value is specified to false, the attach operation will be skipped. Otherwise the attach operation will be called.\n\nThis field is immutable.", "type": "boolean" }, "fsGroupPolicy": { - "description": "Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Refer to the specific FSGroupPolicy values for additional details. This field is alpha-level, and is only honored by servers that enable the CSIVolumeFSGroupPolicy feature gate.", + "description": "Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Refer to the specific FSGroupPolicy values for additional details. This field is alpha-level, and is only honored by servers that enable the CSIVolumeFSGroupPolicy feature gate.\n\nThis field is immutable.", "type": "string" }, "podInfoOnMount": { - "description": "If set to true, podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations. If set to false, pod information will not be passed on mount. Default is false. The CSI driver specifies podInfoOnMount as part of driver deployment. If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. The CSI driver is responsible for parsing and validating the information passed in as VolumeContext. The following VolumeConext will be passed if podInfoOnMount is set to true. This list might grow, but the prefix will be used. \"csi.storage.k8s.io/pod.name\": pod.Name \"csi.storage.k8s.io/pod.namespace\": pod.Namespace \"csi.storage.k8s.io/pod.uid\": string(pod.UID) \"csi.storage.k8s.io/ephemeral\": \"true\" if the volume is an ephemeral inline volume\n defined by a CSIVolumeSource, otherwise \"false\"\n\n\"csi.storage.k8s.io/ephemeral\" is a new feature in Kubernetes 1.16. It is only required for drivers which support both the \"Persistent\" and \"Ephemeral\" VolumeLifecycleMode. Other drivers can leave pod info disabled and/or ignore this field. As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when deployed on such a cluster and the deployment determines which mode that is, for example via a command line parameter of the driver.", + "description": "If set to true, podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations. If set to false, pod information will not be passed on mount. Default is false. The CSI driver specifies podInfoOnMount as part of driver deployment. If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. The CSI driver is responsible for parsing and validating the information passed in as VolumeContext. The following VolumeConext will be passed if podInfoOnMount is set to true. This list might grow, but the prefix will be used. \"csi.storage.k8s.io/pod.name\": pod.Name \"csi.storage.k8s.io/pod.namespace\": pod.Namespace \"csi.storage.k8s.io/pod.uid\": string(pod.UID) \"csi.storage.k8s.io/ephemeral\": \"true\" if the volume is an ephemeral inline volume\n defined by a CSIVolumeSource, otherwise \"false\"\n\n\"csi.storage.k8s.io/ephemeral\" is a new feature in Kubernetes 1.16. It is only required for drivers which support both the \"Persistent\" and \"Ephemeral\" VolumeLifecycleMode. Other drivers can leave pod info disabled and/or ignore this field. As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when deployed on such a cluster and the deployment determines which mode that is, for example via a command line parameter of the driver.\n\nThis field is immutable.", "type": "boolean" }, "requiresRepublish": { - "description": "RequiresRepublish indicates the CSI driver wants `NodePublishVolume` being periodically called to reflect any possible change in the mounted volume. This field defaults to false.\n\nNote: After a successful initial NodePublishVolume call, subsequent calls to NodePublishVolume should only update the contents of the volume. New mount points will not be seen by a running container.\n\nThis is an alpha feature and only available when the CSIServiceAccountToken feature is enabled.", + "description": "RequiresRepublish indicates the CSI driver wants `NodePublishVolume` being periodically called to reflect any possible change in the mounted volume. This field defaults to false.\n\nNote: After a successful initial NodePublishVolume call, subsequent calls to NodePublishVolume should only update the contents of the volume. New mount points will not be seen by a running container.\n\nThis is a beta feature and only available when the CSIServiceAccountToken feature is enabled.", "type": "boolean" }, "storageCapacity": { - "description": "If set to true, storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage capacity that the driver deployment will report by creating CSIStorageCapacity objects with capacity information.\n\nThe check can be enabled immediately when deploying a driver. In that case, provisioning new volumes with late binding will pause until the driver deployment has published some suitable CSIStorageCapacity object.\n\nAlternatively, the driver can be deployed with the field unset or false and it can be flipped later when storage capacity information has been published.\n\nThis is a beta field and only available when the CSIStorageCapacity feature is enabled. The default is false.", + "description": "If set to true, storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage capacity that the driver deployment will report by creating CSIStorageCapacity objects with capacity information.\n\nThe check can be enabled immediately when deploying a driver. In that case, provisioning new volumes with late binding will pause until the driver deployment has published some suitable CSIStorageCapacity object.\n\nAlternatively, the driver can be deployed with the field unset or false and it can be flipped later when storage capacity information has been published.\n\nThis field is immutable.\n\nThis is a beta field and only available when the CSIStorageCapacity feature is enabled. The default is false.", "type": "boolean" }, "tokenRequests": { - "description": "TokenRequests indicates the CSI driver needs pods' service account tokens it is mounting volume for to do necessary authentication. Kubelet will pass the tokens in VolumeContext in the CSI NodePublishVolume calls. The CSI driver should parse and validate the following VolumeContext: \"csi.storage.k8s.io/serviceAccount.tokens\": {\n \"\": {\n \"token\": ,\n \"expirationTimestamp\": ,\n },\n ...\n}\n\nNote: Audience in each TokenRequest should be different and at most one token is empty string. To receive a new token after expiry, RequiresRepublish can be used to trigger NodePublishVolume periodically.\n\nThis is an alpha feature and only available when the CSIServiceAccountToken feature is enabled.", + "description": "TokenRequests indicates the CSI driver needs pods' service account tokens it is mounting volume for to do necessary authentication. Kubelet will pass the tokens in VolumeContext in the CSI NodePublishVolume calls. The CSI driver should parse and validate the following VolumeContext: \"csi.storage.k8s.io/serviceAccount.tokens\": {\n \"\": {\n \"token\": ,\n \"expirationTimestamp\": ,\n },\n ...\n}\n\nNote: Audience in each TokenRequest should be different and at most one token is empty string. To receive a new token after expiry, RequiresRepublish can be used to trigger NodePublishVolume periodically.\n\nThis is a beta feature and only available when the CSIServiceAccountToken feature is enabled.", "items": { "$ref": "#/definitions/io.k8s.api.storage.v1beta1.TokenRequest" }, @@ -16528,7 +16528,7 @@ "x-kubernetes-list-type": "atomic" }, "volumeLifecycleModes": { - "description": "VolumeLifecycleModes defines what kind of volumes this CSI volume driver supports. The default if the list is empty is \"Persistent\", which is the usage defined by the CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism. The other mode is \"Ephemeral\". In this mode, volumes are defined inline inside the pod spec with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume. For more information about implementing this mode, see https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html A driver can support one or more of these modes and more modes may be added in the future.", + "description": "VolumeLifecycleModes defines what kind of volumes this CSI volume driver supports. The default if the list is empty is \"Persistent\", which is the usage defined by the CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism. The other mode is \"Ephemeral\". In this mode, volumes are defined inline inside the pod spec with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume. For more information about implementing this mode, see https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html A driver can support one or more of these modes and more modes may be added in the future.\n\nThis field is immutable.", "items": { "type": "string" }, diff --git a/pkg/apis/storage/types.go b/pkg/apis/storage/types.go index 1c28a7eb9169..09e8cd4700c0 100644 --- a/pkg/apis/storage/types.go +++ b/pkg/apis/storage/types.go @@ -274,6 +274,9 @@ type CSIDriverSpec struct { // If the CSIDriverRegistry feature gate is enabled and the value is // specified to false, the attach operation will be skipped. // Otherwise the attach operation will be called. + // + // This field is immutable. + // // +optional AttachRequired *bool @@ -282,6 +285,9 @@ type CSIDriverSpec struct { // Refer to the specific FSGroupPolicy values for additional details. // This field is alpha-level, and is only honored by servers // that enable the CSIVolumeFSGroupPolicy feature gate. + // + // This field is immutable. + // // +optional FSGroupPolicy *FSGroupPolicy @@ -309,6 +315,9 @@ type CSIDriverSpec struct { // As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when // deployed on such a cluster and the deployment determines which mode that is, for example // via a command line parameter of the driver. + // + // This field is immutable. + // // +optional PodInfoOnMount *bool @@ -324,6 +333,9 @@ type CSIDriverSpec struct { // https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html // A driver can support one or more of these mode and // more modes may be added in the future. + // + // This field is immutable. + // // +optional VolumeLifecycleModes []VolumeLifecycleMode @@ -341,6 +353,8 @@ type CSIDriverSpec struct { // unset or false and it can be flipped later when storage // capacity information has been published. // + // This field is immutable. + // // This is a beta field and only available when the CSIStorageCapacity // feature is enabled. The default is false. // @@ -363,7 +377,7 @@ type CSIDriverSpec struct { // most one token is empty string. To receive a new token after expiry, // RequiresRepublish can be used to trigger NodePublishVolume periodically. // - // This is an alpha feature and only available when the + // This is a beta feature and only available when the // CSIServiceAccountToken feature is enabled. // // +optional @@ -378,7 +392,7 @@ type CSIDriverSpec struct { // to NodePublishVolume should only update the contents of the volume. New // mount points will not be seen by a running container. // - // This is an alpha feature and only available when the + // This is a beta feature and only available when the // CSIServiceAccountToken feature is enabled. // // +optional diff --git a/pkg/apis/storage/validation/validation.go b/pkg/apis/storage/validation/validation.go index f168973e0531..6f4e34e6414b 100644 --- a/pkg/apis/storage/validation/validation.go +++ b/pkg/apis/storage/validation/validation.go @@ -425,11 +425,14 @@ func ValidateCSIDriver(csiDriver *storage.CSIDriver) field.ErrorList { func ValidateCSIDriverUpdate(new, old *storage.CSIDriver) field.ErrorList { allErrs := apivalidation.ValidateObjectMetaUpdate(&new.ObjectMeta, &old.ObjectMeta, field.NewPath("metadata")) - // Spec is read-only - // If this ever relaxes in the future, make sure to increment the Generation number in PrepareForUpdate - if !apiequality.Semantic.DeepEqual(old.Spec, new.Spec) { - allErrs = append(allErrs, field.Invalid(field.NewPath("spec"), new.Spec, "field is immutable")) - } + // immutable fields should not be mutated. + allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(new.Spec.AttachRequired, old.Spec.AttachRequired, field.NewPath("spec", "attachedRequired"))...) + allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(new.Spec.FSGroupPolicy, old.Spec.FSGroupPolicy, field.NewPath("spec", "fsGroupPolicy"))...) + allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(new.Spec.PodInfoOnMount, old.Spec.PodInfoOnMount, field.NewPath("spec", "podInfoOnMount"))...) + allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(new.Spec.VolumeLifecycleModes, old.Spec.VolumeLifecycleModes, field.NewPath("spec", "volumeLifecycleModes"))...) + allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(new.Spec.StorageCapacity, old.Spec.StorageCapacity, field.NewPath("spec", "storageCapacity"))...) + + allErrs = append(allErrs, validateTokenRequests(new.Spec.TokenRequests, field.NewPath("spec", "tokenRequests"))...) return allErrs } diff --git a/pkg/apis/storage/validation/validation_test.go b/pkg/apis/storage/validation/validation_test.go index df04e215e7e2..d5b5de667834 100644 --- a/pkg/apis/storage/validation/validation_test.go +++ b/pkg/apis/storage/validation/validation_test.go @@ -1927,11 +1927,11 @@ func TestCSIDriverValidationUpdate(t *testing.T) { podInfoOnMount := true storageCapacity := true notPodInfoOnMount := false + gcp := "gcp" + requiresRepublish := true notRequiresRepublish := false notStorageCapacity := false resourceVersion := "1" - invalidFSGroupPolicy := storage.ReadWriteOnceWithFSTypeFSGroupPolicy - invalidFSGroupPolicy = "invalid-mode" old := storage.CSIDriver{ ObjectMeta: metav1.ObjectMeta{Name: driverName, ResourceVersion: resourceVersion}, Spec: storage.CSIDriverSpec{ @@ -1946,30 +1946,35 @@ func TestCSIDriverValidationUpdate(t *testing.T) { }, } - // Currently we compare the object against itself - // and ensure updates succeed - successCases := []storage.CSIDriver{ - old, - // An invalid FSGroupPolicy should still pass + successCases := []struct { + name string + modify func(new *storage.CSIDriver) + }{ { - ObjectMeta: metav1.ObjectMeta{Name: driverName, ResourceVersion: resourceVersion}, - Spec: storage.CSIDriverSpec{ - AttachRequired: &attachNotRequired, - PodInfoOnMount: ¬PodInfoOnMount, - VolumeLifecycleModes: []storage.VolumeLifecycleMode{ - storage.VolumeLifecycleEphemeral, - storage.VolumeLifecyclePersistent, - }, - FSGroupPolicy: &invalidFSGroupPolicy, - StorageCapacity: &storageCapacity, + name: "no change", + modify: func(new *storage.CSIDriver) {}, + }, + { + name: "change TokenRequests", + modify: func(new *storage.CSIDriver) { + new.Spec.TokenRequests = []storage.TokenRequest{{Audience: gcp}} + }, + }, + { + name: "change RequiresRepublish", + modify: func(new *storage.CSIDriver) { + new.Spec.RequiresRepublish = &requiresRepublish }, }, } - for _, csiDriver := range successCases { - newDriver := csiDriver.DeepCopy() - if errs := ValidateCSIDriverUpdate(&csiDriver, newDriver); len(errs) != 0 { - t.Errorf("expected success for %+v: %v", csiDriver, errs) - } + for _, test := range successCases { + t.Run(test.name, func(t *testing.T) { + new := old.DeepCopy() + test.modify(new) + if errs := ValidateCSIDriverUpdate(new, &old); len(errs) != 0 { + t.Errorf("Expected success for %+v: %v", new, errs) + } + }) } // Each test case changes exactly one field. None of that is valid. @@ -1996,15 +2001,15 @@ func TestCSIDriverValidationUpdate(t *testing.T) { }, }, { - name: "PodInfoOnMount not set", + name: "AttachRequired changed", modify: func(new *storage.CSIDriver) { - new.Spec.PodInfoOnMount = nil + new.Spec.AttachRequired = &attachRequired }, }, { - name: "AttachRequired changed", + name: "PodInfoOnMount not set", modify: func(new *storage.CSIDriver) { - new.Spec.AttachRequired = &attachRequired + new.Spec.PodInfoOnMount = nil }, }, { @@ -2064,6 +2069,12 @@ func TestCSIDriverValidationUpdate(t *testing.T) { new.Spec.StorageCapacity = ¬StorageCapacity }, }, + { + name: "TokenRequests invalidated", + modify: func(new *storage.CSIDriver) { + new.Spec.TokenRequests = []storage.TokenRequest{{Audience: gcp}, {Audience: gcp}} + }, + }, } for _, test := range errorCases { @@ -2071,7 +2082,7 @@ func TestCSIDriverValidationUpdate(t *testing.T) { new := old.DeepCopy() test.modify(new) if errs := ValidateCSIDriverUpdate(new, &old); len(errs) == 0 { - t.Errorf("Expected failure for test: %v", new) + t.Errorf("Expected failure for test: %+v", new) } }) } @@ -2253,7 +2264,7 @@ func TestCSIServiceAccountToken(t *testing.T) { wantErr: true, }, { - desc: "invalid - TokenRequests has tokens with ExpirationSeconds less than 10min", + desc: "invalid - TokenRequests has tokens with ExpirationSeconds longer than 1<<32 min", csiDriver: &storage.CSIDriver{ ObjectMeta: metav1.ObjectMeta{Name: driverName}, Spec: storage.CSIDriverSpec{ diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go index c3062d3ae226..5311041a089e 100644 --- a/pkg/features/kube_features.go +++ b/pkg/features/kube_features.go @@ -656,6 +656,7 @@ const ( // owner: @zshihang // alpha: v1.20 + // beta: v1.21 // // Enable kubelet to pass pod's service account token to NodePublishVolume // call of CSI driver which is mounting volumes for that pod. @@ -801,7 +802,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS BalanceAttachedNodeVolumes: {Default: false, PreRelease: featuregate.Alpha}, CSIInlineVolume: {Default: true, PreRelease: featuregate.Beta}, CSIStorageCapacity: {Default: true, PreRelease: featuregate.Beta}, - CSIServiceAccountToken: {Default: false, PreRelease: featuregate.Alpha}, + CSIServiceAccountToken: {Default: true, PreRelease: featuregate.Beta}, GenericEphemeralVolume: {Default: true, PreRelease: featuregate.Beta}, CSIVolumeFSGroupPolicy: {Default: true, PreRelease: featuregate.Beta}, RuntimeClass: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.23 diff --git a/pkg/registry/storage/csidriver/strategy.go b/pkg/registry/storage/csidriver/strategy.go index ec600ac41092..46ae526493f8 100644 --- a/pkg/registry/storage/csidriver/strategy.go +++ b/pkg/registry/storage/csidriver/strategy.go @@ -19,6 +19,7 @@ package csidriver import ( "context" + apiequality "k8s.io/apimachinery/pkg/api/equality" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apiserver/pkg/storage/names" @@ -64,10 +65,7 @@ func (csiDriverStrategy) PrepareForCreate(ctx context.Context, obj runtime.Objec func (csiDriverStrategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList { csiDriver := obj.(*storage.CSIDriver) - errs := validation.ValidateCSIDriver(csiDriver) - errs = append(errs, validation.ValidateCSIDriver(csiDriver)...) - - return errs + return validation.ValidateCSIDriver(csiDriver) } // Canonicalize normalizes the object after validation. @@ -82,31 +80,33 @@ func (csiDriverStrategy) AllowCreateOnUpdate() bool { // existing object does not already have that field set. This allows the field to remain when // downgrading to a version that has the feature disabled. func (csiDriverStrategy) PrepareForUpdate(ctx context.Context, obj, old runtime.Object) { - if old.(*storage.CSIDriver).Spec.StorageCapacity == nil && + newCSIDriver := obj.(*storage.CSIDriver) + oldCSIDriver := old.(*storage.CSIDriver) + + if oldCSIDriver.Spec.StorageCapacity == nil && !utilfeature.DefaultFeatureGate.Enabled(features.CSIStorageCapacity) { - newCSIDriver := obj.(*storage.CSIDriver) newCSIDriver.Spec.StorageCapacity = nil } - if old.(*storage.CSIDriver).Spec.VolumeLifecycleModes == nil && + if oldCSIDriver.Spec.VolumeLifecycleModes == nil && !utilfeature.DefaultFeatureGate.Enabled(features.CSIInlineVolume) { - newCSIDriver := obj.(*storage.CSIDriver) newCSIDriver.Spec.VolumeLifecycleModes = nil } - if old.(*storage.CSIDriver).Spec.FSGroupPolicy == nil && + if oldCSIDriver.Spec.FSGroupPolicy == nil && !utilfeature.DefaultFeatureGate.Enabled(features.CSIVolumeFSGroupPolicy) { - newCSIDriver := obj.(*storage.CSIDriver) newCSIDriver.Spec.FSGroupPolicy = nil } - if old.(*storage.CSIDriver).Spec.TokenRequests == nil && + if oldCSIDriver.Spec.TokenRequests == nil && !utilfeature.DefaultFeatureGate.Enabled(features.CSIServiceAccountToken) { - csiDriver := obj.(*storage.CSIDriver) - csiDriver.Spec.TokenRequests = nil + newCSIDriver.Spec.TokenRequests = nil } - - if old.(*storage.CSIDriver).Spec.RequiresRepublish == nil && + if oldCSIDriver.Spec.RequiresRepublish == nil && !utilfeature.DefaultFeatureGate.Enabled(features.CSIServiceAccountToken) { - csiDriver := obj.(*storage.CSIDriver) - csiDriver.Spec.RequiresRepublish = nil + newCSIDriver.Spec.RequiresRepublish = nil + } + + // Any changes to the mutable fields increment the generation number. + if !apiequality.Semantic.DeepEqual(oldCSIDriver.Spec.TokenRequests, newCSIDriver.Spec.TokenRequests) || !apiequality.Semantic.DeepEqual(oldCSIDriver.Spec.RequiresRepublish, newCSIDriver.Spec.RequiresRepublish) { + newCSIDriver.Generation = oldCSIDriver.Generation + 1 } } diff --git a/pkg/registry/storage/csidriver/strategy_test.go b/pkg/registry/storage/csidriver/strategy_test.go index c8a1006f7542..1fa6ba0aa698 100644 --- a/pkg/registry/storage/csidriver/strategy_test.go +++ b/pkg/registry/storage/csidriver/strategy_test.go @@ -275,6 +275,7 @@ func TestCSIDriverPrepareForUpdate(t *testing.T) { wantModes []storage.VolumeLifecycleMode wantTokenRequests []storage.TokenRequest wantRequiresRepublish *bool + wantGeneration int64 }{ { name: "capacity feature enabled, before: none, update: enabled", @@ -321,6 +322,7 @@ func TestCSIDriverPrepareForUpdate(t *testing.T) { update: driverWithServiceAccountTokenGCP, wantTokenRequests: []storage.TokenRequest{{Audience: gcp}}, wantRequiresRepublish: &enabled, + wantGeneration: 1, }, { name: "service account token feature disabled, before: none, update: audience=gcp", @@ -335,6 +337,7 @@ func TestCSIDriverPrepareForUpdate(t *testing.T) { update: driverWithServiceAccountTokenGCP, wantTokenRequests: []storage.TokenRequest{{Audience: gcp}}, wantRequiresRepublish: &enabled, + wantGeneration: 1, }, } @@ -346,6 +349,7 @@ func TestCSIDriverPrepareForUpdate(t *testing.T) { csiDriver := test.update.DeepCopy() Strategy.PrepareForUpdate(ctx, csiDriver, test.old) + require.Equal(t, test.wantGeneration, csiDriver.GetGeneration()) require.Equal(t, test.wantCapacity, csiDriver.Spec.StorageCapacity) require.Equal(t, test.wantModes, csiDriver.Spec.VolumeLifecycleModes) require.Equal(t, test.wantTokenRequests, csiDriver.Spec.TokenRequests) diff --git a/staging/src/k8s.io/api/storage/v1/generated.proto b/staging/src/k8s.io/api/storage/v1/generated.proto index 46ac1fcb814d..0e9a2e1da3f9 100644 --- a/staging/src/k8s.io/api/storage/v1/generated.proto +++ b/staging/src/k8s.io/api/storage/v1/generated.proto @@ -72,6 +72,9 @@ message CSIDriverSpec { // If the CSIDriverRegistry feature gate is enabled and the value is // specified to false, the attach operation will be skipped. // Otherwise the attach operation will be called. + // + // This field is immutable. + // // +optional optional bool attachRequired = 1; @@ -99,6 +102,9 @@ message CSIDriverSpec { // As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when // deployed on such a cluster and the deployment determines which mode that is, for example // via a command line parameter of the driver. + // + // This field is immutable. + // // +optional optional bool podInfoOnMount = 2; @@ -115,6 +121,9 @@ message CSIDriverSpec { // A driver can support one or more of these modes and // more modes may be added in the future. // This field is beta. + // + // This field is immutable. + // // +optional // +listType=set repeated string volumeLifecycleModes = 3; @@ -133,6 +142,8 @@ message CSIDriverSpec { // unset or false and it can be flipped later when storage // capacity information has been published. // + // This field is immutable. + // // This is a beta field and only available when the CSIStorageCapacity // feature is enabled. The default is false. // @@ -145,6 +156,9 @@ message CSIDriverSpec { // Refer to the specific FSGroupPolicy values for additional details. // This field is alpha-level, and is only honored by servers // that enable the CSIVolumeFSGroupPolicy feature gate. + // + // This field is immutable. + // // +optional optional string fsGroupPolicy = 5; @@ -164,7 +178,7 @@ message CSIDriverSpec { // most one token is empty string. To receive a new token after expiry, // RequiresRepublish can be used to trigger NodePublishVolume periodically. // - // This is an alpha feature and only available when the + // This is a beta feature and only available when the // CSIServiceAccountToken feature is enabled. // // +optional @@ -179,7 +193,7 @@ message CSIDriverSpec { // to NodePublishVolume should only update the contents of the volume. New // mount points will not be seen by a running container. // - // This is an alpha feature and only available when the + // This is a beta feature and only available when the // CSIServiceAccountToken feature is enabled. // // +optional diff --git a/staging/src/k8s.io/api/storage/v1/types.go b/staging/src/k8s.io/api/storage/v1/types.go index ba27fa36852f..6a7bf492920a 100644 --- a/staging/src/k8s.io/api/storage/v1/types.go +++ b/staging/src/k8s.io/api/storage/v1/types.go @@ -270,6 +270,9 @@ type CSIDriverSpec struct { // If the CSIDriverRegistry feature gate is enabled and the value is // specified to false, the attach operation will be skipped. // Otherwise the attach operation will be called. + // + // This field is immutable. + // // +optional AttachRequired *bool `json:"attachRequired,omitempty" protobuf:"varint,1,opt,name=attachRequired"` @@ -297,6 +300,9 @@ type CSIDriverSpec struct { // As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when // deployed on such a cluster and the deployment determines which mode that is, for example // via a command line parameter of the driver. + // + // This field is immutable. + // // +optional PodInfoOnMount *bool `json:"podInfoOnMount,omitempty" protobuf:"bytes,2,opt,name=podInfoOnMount"` @@ -313,6 +319,9 @@ type CSIDriverSpec struct { // A driver can support one or more of these modes and // more modes may be added in the future. // This field is beta. + // + // This field is immutable. + // // +optional // +listType=set VolumeLifecycleModes []VolumeLifecycleMode `json:"volumeLifecycleModes,omitempty" protobuf:"bytes,3,opt,name=volumeLifecycleModes"` @@ -331,6 +340,8 @@ type CSIDriverSpec struct { // unset or false and it can be flipped later when storage // capacity information has been published. // + // This field is immutable. + // // This is a beta field and only available when the CSIStorageCapacity // feature is enabled. The default is false. // @@ -343,6 +354,9 @@ type CSIDriverSpec struct { // Refer to the specific FSGroupPolicy values for additional details. // This field is alpha-level, and is only honored by servers // that enable the CSIVolumeFSGroupPolicy feature gate. + // + // This field is immutable. + // // +optional FSGroupPolicy *FSGroupPolicy `json:"fsGroupPolicy,omitempty" protobuf:"bytes,5,opt,name=fsGroupPolicy"` @@ -362,7 +376,7 @@ type CSIDriverSpec struct { // most one token is empty string. To receive a new token after expiry, // RequiresRepublish can be used to trigger NodePublishVolume periodically. // - // This is an alpha feature and only available when the + // This is a beta feature and only available when the // CSIServiceAccountToken feature is enabled. // // +optional @@ -377,7 +391,7 @@ type CSIDriverSpec struct { // to NodePublishVolume should only update the contents of the volume. New // mount points will not be seen by a running container. // - // This is an alpha feature and only available when the + // This is a beta feature and only available when the // CSIServiceAccountToken feature is enabled. // // +optional diff --git a/staging/src/k8s.io/api/storage/v1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/storage/v1/types_swagger_doc_generated.go index c8b3c63f3f51..a9c7cc9afddb 100644 --- a/staging/src/k8s.io/api/storage/v1/types_swagger_doc_generated.go +++ b/staging/src/k8s.io/api/storage/v1/types_swagger_doc_generated.go @@ -49,13 +49,13 @@ func (CSIDriverList) SwaggerDoc() map[string]string { var map_CSIDriverSpec = map[string]string{ "": "CSIDriverSpec is the specification of a CSIDriver.", - "attachRequired": "attachRequired indicates this CSI volume driver requires an attach operation (because it implements the CSI ControllerPublishVolume() method), and that the Kubernetes attach detach controller should call the attach volume interface which checks the volumeattachment status and waits until the volume is attached before proceeding to mounting. The CSI external-attacher coordinates with CSI volume driver and updates the volumeattachment status when the attach operation is complete. If the CSIDriverRegistry feature gate is enabled and the value is specified to false, the attach operation will be skipped. Otherwise the attach operation will be called.", - "podInfoOnMount": "If set to true, podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations. If set to false, pod information will not be passed on mount. Default is false. The CSI driver specifies podInfoOnMount as part of driver deployment. If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. The CSI driver is responsible for parsing and validating the information passed in as VolumeContext. The following VolumeConext will be passed if podInfoOnMount is set to true. This list might grow, but the prefix will be used. \"csi.storage.k8s.io/pod.name\": pod.Name \"csi.storage.k8s.io/pod.namespace\": pod.Namespace \"csi.storage.k8s.io/pod.uid\": string(pod.UID) \"csi.storage.k8s.io/ephemeral\": \"true\" if the volume is an ephemeral inline volume\n defined by a CSIVolumeSource, otherwise \"false\"\n\n\"csi.storage.k8s.io/ephemeral\" is a new feature in Kubernetes 1.16. It is only required for drivers which support both the \"Persistent\" and \"Ephemeral\" VolumeLifecycleMode. Other drivers can leave pod info disabled and/or ignore this field. As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when deployed on such a cluster and the deployment determines which mode that is, for example via a command line parameter of the driver.", - "volumeLifecycleModes": "volumeLifecycleModes defines what kind of volumes this CSI volume driver supports. The default if the list is empty is \"Persistent\", which is the usage defined by the CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism. The other mode is \"Ephemeral\". In this mode, volumes are defined inline inside the pod spec with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume. For more information about implementing this mode, see https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html A driver can support one or more of these modes and more modes may be added in the future. This field is beta.", - "storageCapacity": "If set to true, storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage capacity that the driver deployment will report by creating CSIStorageCapacity objects with capacity information.\n\nThe check can be enabled immediately when deploying a driver. In that case, provisioning new volumes with late binding will pause until the driver deployment has published some suitable CSIStorageCapacity object.\n\nAlternatively, the driver can be deployed with the field unset or false and it can be flipped later when storage capacity information has been published.\n\nThis is a beta field and only available when the CSIStorageCapacity feature is enabled. The default is false.", - "fsGroupPolicy": "Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Refer to the specific FSGroupPolicy values for additional details. This field is alpha-level, and is only honored by servers that enable the CSIVolumeFSGroupPolicy feature gate.", - "tokenRequests": "TokenRequests indicates the CSI driver needs pods' service account tokens it is mounting volume for to do necessary authentication. Kubelet will pass the tokens in VolumeContext in the CSI NodePublishVolume calls. The CSI driver should parse and validate the following VolumeContext: \"csi.storage.k8s.io/serviceAccount.tokens\": {\n \"\": {\n \"token\": ,\n \"expirationTimestamp\": ,\n },\n ...\n}\n\nNote: Audience in each TokenRequest should be different and at most one token is empty string. To receive a new token after expiry, RequiresRepublish can be used to trigger NodePublishVolume periodically.\n\nThis is an alpha feature and only available when the CSIServiceAccountToken feature is enabled.", - "requiresRepublish": "RequiresRepublish indicates the CSI driver wants `NodePublishVolume` being periodically called to reflect any possible change in the mounted volume. This field defaults to false.\n\nNote: After a successful initial NodePublishVolume call, subsequent calls to NodePublishVolume should only update the contents of the volume. New mount points will not be seen by a running container.\n\nThis is an alpha feature and only available when the CSIServiceAccountToken feature is enabled.", + "attachRequired": "attachRequired indicates this CSI volume driver requires an attach operation (because it implements the CSI ControllerPublishVolume() method), and that the Kubernetes attach detach controller should call the attach volume interface which checks the volumeattachment status and waits until the volume is attached before proceeding to mounting. The CSI external-attacher coordinates with CSI volume driver and updates the volumeattachment status when the attach operation is complete. If the CSIDriverRegistry feature gate is enabled and the value is specified to false, the attach operation will be skipped. Otherwise the attach operation will be called.\n\nThis field is immutable.", + "podInfoOnMount": "If set to true, podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations. If set to false, pod information will not be passed on mount. Default is false. The CSI driver specifies podInfoOnMount as part of driver deployment. If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. The CSI driver is responsible for parsing and validating the information passed in as VolumeContext. The following VolumeConext will be passed if podInfoOnMount is set to true. This list might grow, but the prefix will be used. \"csi.storage.k8s.io/pod.name\": pod.Name \"csi.storage.k8s.io/pod.namespace\": pod.Namespace \"csi.storage.k8s.io/pod.uid\": string(pod.UID) \"csi.storage.k8s.io/ephemeral\": \"true\" if the volume is an ephemeral inline volume\n defined by a CSIVolumeSource, otherwise \"false\"\n\n\"csi.storage.k8s.io/ephemeral\" is a new feature in Kubernetes 1.16. It is only required for drivers which support both the \"Persistent\" and \"Ephemeral\" VolumeLifecycleMode. Other drivers can leave pod info disabled and/or ignore this field. As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when deployed on such a cluster and the deployment determines which mode that is, for example via a command line parameter of the driver.\n\nThis field is immutable.", + "volumeLifecycleModes": "volumeLifecycleModes defines what kind of volumes this CSI volume driver supports. The default if the list is empty is \"Persistent\", which is the usage defined by the CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism. The other mode is \"Ephemeral\". In this mode, volumes are defined inline inside the pod spec with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume. For more information about implementing this mode, see https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html A driver can support one or more of these modes and more modes may be added in the future. This field is beta.\n\nThis field is immutable.", + "storageCapacity": "If set to true, storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage capacity that the driver deployment will report by creating CSIStorageCapacity objects with capacity information.\n\nThe check can be enabled immediately when deploying a driver. In that case, provisioning new volumes with late binding will pause until the driver deployment has published some suitable CSIStorageCapacity object.\n\nAlternatively, the driver can be deployed with the field unset or false and it can be flipped later when storage capacity information has been published.\n\nThis field is immutable.\n\nThis is a beta field and only available when the CSIStorageCapacity feature is enabled. The default is false.", + "fsGroupPolicy": "Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Refer to the specific FSGroupPolicy values for additional details. This field is alpha-level, and is only honored by servers that enable the CSIVolumeFSGroupPolicy feature gate.\n\nThis field is immutable.", + "tokenRequests": "TokenRequests indicates the CSI driver needs pods' service account tokens it is mounting volume for to do necessary authentication. Kubelet will pass the tokens in VolumeContext in the CSI NodePublishVolume calls. The CSI driver should parse and validate the following VolumeContext: \"csi.storage.k8s.io/serviceAccount.tokens\": {\n \"\": {\n \"token\": ,\n \"expirationTimestamp\": ,\n },\n ...\n}\n\nNote: Audience in each TokenRequest should be different and at most one token is empty string. To receive a new token after expiry, RequiresRepublish can be used to trigger NodePublishVolume periodically.\n\nThis is a beta feature and only available when the CSIServiceAccountToken feature is enabled.", + "requiresRepublish": "RequiresRepublish indicates the CSI driver wants `NodePublishVolume` being periodically called to reflect any possible change in the mounted volume. This field defaults to false.\n\nNote: After a successful initial NodePublishVolume call, subsequent calls to NodePublishVolume should only update the contents of the volume. New mount points will not be seen by a running container.\n\nThis is a beta feature and only available when the CSIServiceAccountToken feature is enabled.", } func (CSIDriverSpec) SwaggerDoc() map[string]string { diff --git a/staging/src/k8s.io/api/storage/v1beta1/generated.proto b/staging/src/k8s.io/api/storage/v1beta1/generated.proto index a1555ee31d88..5ed6413ec0e0 100644 --- a/staging/src/k8s.io/api/storage/v1beta1/generated.proto +++ b/staging/src/k8s.io/api/storage/v1beta1/generated.proto @@ -76,6 +76,9 @@ message CSIDriverSpec { // If the CSIDriverRegistry feature gate is enabled and the value is // specified to false, the attach operation will be skipped. // Otherwise the attach operation will be called. + // + // This field is immutable. + // // +optional optional bool attachRequired = 1; @@ -103,6 +106,9 @@ message CSIDriverSpec { // As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when // deployed on such a cluster and the deployment determines which mode that is, for example // via a command line parameter of the driver. + // + // This field is immutable. + // // +optional optional bool podInfoOnMount = 2; @@ -118,6 +124,9 @@ message CSIDriverSpec { // https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html // A driver can support one or more of these modes and // more modes may be added in the future. + // + // This field is immutable. + // // +optional repeated string volumeLifecycleModes = 3; @@ -135,6 +144,8 @@ message CSIDriverSpec { // unset or false and it can be flipped later when storage // capacity information has been published. // + // This field is immutable. + // // This is a beta field and only available when the CSIStorageCapacity // feature is enabled. The default is false. // @@ -147,6 +158,9 @@ message CSIDriverSpec { // Refer to the specific FSGroupPolicy values for additional details. // This field is alpha-level, and is only honored by servers // that enable the CSIVolumeFSGroupPolicy feature gate. + // + // This field is immutable. + // // +optional optional string fsGroupPolicy = 5; @@ -166,7 +180,7 @@ message CSIDriverSpec { // most one token is empty string. To receive a new token after expiry, // RequiresRepublish can be used to trigger NodePublishVolume periodically. // - // This is an alpha feature and only available when the + // This is a beta feature and only available when the // CSIServiceAccountToken feature is enabled. // // +optional @@ -181,7 +195,7 @@ message CSIDriverSpec { // to NodePublishVolume should only update the contents of the volume. New // mount points will not be seen by a running container. // - // This is an alpha feature and only available when the + // This is a beta feature and only available when the // CSIServiceAccountToken feature is enabled. // // +optional diff --git a/staging/src/k8s.io/api/storage/v1beta1/types.go b/staging/src/k8s.io/api/storage/v1beta1/types.go index 1a20de64ecb7..d1ffe7a0ec59 100644 --- a/staging/src/k8s.io/api/storage/v1beta1/types.go +++ b/staging/src/k8s.io/api/storage/v1beta1/types.go @@ -292,6 +292,9 @@ type CSIDriverSpec struct { // If the CSIDriverRegistry feature gate is enabled and the value is // specified to false, the attach operation will be skipped. // Otherwise the attach operation will be called. + // + // This field is immutable. + // // +optional AttachRequired *bool `json:"attachRequired,omitempty" protobuf:"varint,1,opt,name=attachRequired"` @@ -319,6 +322,9 @@ type CSIDriverSpec struct { // As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when // deployed on such a cluster and the deployment determines which mode that is, for example // via a command line parameter of the driver. + // + // This field is immutable. + // // +optional PodInfoOnMount *bool `json:"podInfoOnMount,omitempty" protobuf:"bytes,2,opt,name=podInfoOnMount"` @@ -334,6 +340,9 @@ type CSIDriverSpec struct { // https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html // A driver can support one or more of these modes and // more modes may be added in the future. + // + // This field is immutable. + // // +optional VolumeLifecycleModes []VolumeLifecycleMode `json:"volumeLifecycleModes,omitempty" protobuf:"bytes,3,opt,name=volumeLifecycleModes"` @@ -352,6 +361,8 @@ type CSIDriverSpec struct { // unset or false and it can be flipped later when storage // capacity information has been published. // + // This field is immutable. + // // This is a beta field and only available when the CSIStorageCapacity // feature is enabled. The default is false. // @@ -364,6 +375,9 @@ type CSIDriverSpec struct { // Refer to the specific FSGroupPolicy values for additional details. // This field is alpha-level, and is only honored by servers // that enable the CSIVolumeFSGroupPolicy feature gate. + // + // This field is immutable. + // // +optional FSGroupPolicy *FSGroupPolicy `json:"fsGroupPolicy,omitempty" protobuf:"bytes,5,opt,name=fsGroupPolicy"` @@ -383,7 +397,7 @@ type CSIDriverSpec struct { // most one token is empty string. To receive a new token after expiry, // RequiresRepublish can be used to trigger NodePublishVolume periodically. // - // This is an alpha feature and only available when the + // This is a beta feature and only available when the // CSIServiceAccountToken feature is enabled. // // +optional @@ -398,7 +412,7 @@ type CSIDriverSpec struct { // to NodePublishVolume should only update the contents of the volume. New // mount points will not be seen by a running container. // - // This is an alpha feature and only available when the + // This is a beta feature and only available when the // CSIServiceAccountToken feature is enabled. // // +optional diff --git a/staging/src/k8s.io/api/storage/v1beta1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/storage/v1beta1/types_swagger_doc_generated.go index a12c9bf3a107..0d03a30b4f71 100644 --- a/staging/src/k8s.io/api/storage/v1beta1/types_swagger_doc_generated.go +++ b/staging/src/k8s.io/api/storage/v1beta1/types_swagger_doc_generated.go @@ -49,13 +49,13 @@ func (CSIDriverList) SwaggerDoc() map[string]string { var map_CSIDriverSpec = map[string]string{ "": "CSIDriverSpec is the specification of a CSIDriver.", - "attachRequired": "attachRequired indicates this CSI volume driver requires an attach operation (because it implements the CSI ControllerPublishVolume() method), and that the Kubernetes attach detach controller should call the attach volume interface which checks the volumeattachment status and waits until the volume is attached before proceeding to mounting. The CSI external-attacher coordinates with CSI volume driver and updates the volumeattachment status when the attach operation is complete. If the CSIDriverRegistry feature gate is enabled and the value is specified to false, the attach operation will be skipped. Otherwise the attach operation will be called.", - "podInfoOnMount": "If set to true, podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations. If set to false, pod information will not be passed on mount. Default is false. The CSI driver specifies podInfoOnMount as part of driver deployment. If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. The CSI driver is responsible for parsing and validating the information passed in as VolumeContext. The following VolumeConext will be passed if podInfoOnMount is set to true. This list might grow, but the prefix will be used. \"csi.storage.k8s.io/pod.name\": pod.Name \"csi.storage.k8s.io/pod.namespace\": pod.Namespace \"csi.storage.k8s.io/pod.uid\": string(pod.UID) \"csi.storage.k8s.io/ephemeral\": \"true\" if the volume is an ephemeral inline volume\n defined by a CSIVolumeSource, otherwise \"false\"\n\n\"csi.storage.k8s.io/ephemeral\" is a new feature in Kubernetes 1.16. It is only required for drivers which support both the \"Persistent\" and \"Ephemeral\" VolumeLifecycleMode. Other drivers can leave pod info disabled and/or ignore this field. As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when deployed on such a cluster and the deployment determines which mode that is, for example via a command line parameter of the driver.", - "volumeLifecycleModes": "VolumeLifecycleModes defines what kind of volumes this CSI volume driver supports. The default if the list is empty is \"Persistent\", which is the usage defined by the CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism. The other mode is \"Ephemeral\". In this mode, volumes are defined inline inside the pod spec with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume. For more information about implementing this mode, see https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html A driver can support one or more of these modes and more modes may be added in the future.", - "storageCapacity": "If set to true, storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage capacity that the driver deployment will report by creating CSIStorageCapacity objects with capacity information.\n\nThe check can be enabled immediately when deploying a driver. In that case, provisioning new volumes with late binding will pause until the driver deployment has published some suitable CSIStorageCapacity object.\n\nAlternatively, the driver can be deployed with the field unset or false and it can be flipped later when storage capacity information has been published.\n\nThis is a beta field and only available when the CSIStorageCapacity feature is enabled. The default is false.", - "fsGroupPolicy": "Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Refer to the specific FSGroupPolicy values for additional details. This field is alpha-level, and is only honored by servers that enable the CSIVolumeFSGroupPolicy feature gate.", - "tokenRequests": "TokenRequests indicates the CSI driver needs pods' service account tokens it is mounting volume for to do necessary authentication. Kubelet will pass the tokens in VolumeContext in the CSI NodePublishVolume calls. The CSI driver should parse and validate the following VolumeContext: \"csi.storage.k8s.io/serviceAccount.tokens\": {\n \"\": {\n \"token\": ,\n \"expirationTimestamp\": ,\n },\n ...\n}\n\nNote: Audience in each TokenRequest should be different and at most one token is empty string. To receive a new token after expiry, RequiresRepublish can be used to trigger NodePublishVolume periodically.\n\nThis is an alpha feature and only available when the CSIServiceAccountToken feature is enabled.", - "requiresRepublish": "RequiresRepublish indicates the CSI driver wants `NodePublishVolume` being periodically called to reflect any possible change in the mounted volume. This field defaults to false.\n\nNote: After a successful initial NodePublishVolume call, subsequent calls to NodePublishVolume should only update the contents of the volume. New mount points will not be seen by a running container.\n\nThis is an alpha feature and only available when the CSIServiceAccountToken feature is enabled.", + "attachRequired": "attachRequired indicates this CSI volume driver requires an attach operation (because it implements the CSI ControllerPublishVolume() method), and that the Kubernetes attach detach controller should call the attach volume interface which checks the volumeattachment status and waits until the volume is attached before proceeding to mounting. The CSI external-attacher coordinates with CSI volume driver and updates the volumeattachment status when the attach operation is complete. If the CSIDriverRegistry feature gate is enabled and the value is specified to false, the attach operation will be skipped. Otherwise the attach operation will be called.\n\nThis field is immutable.", + "podInfoOnMount": "If set to true, podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations. If set to false, pod information will not be passed on mount. Default is false. The CSI driver specifies podInfoOnMount as part of driver deployment. If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. The CSI driver is responsible for parsing and validating the information passed in as VolumeContext. The following VolumeConext will be passed if podInfoOnMount is set to true. This list might grow, but the prefix will be used. \"csi.storage.k8s.io/pod.name\": pod.Name \"csi.storage.k8s.io/pod.namespace\": pod.Namespace \"csi.storage.k8s.io/pod.uid\": string(pod.UID) \"csi.storage.k8s.io/ephemeral\": \"true\" if the volume is an ephemeral inline volume\n defined by a CSIVolumeSource, otherwise \"false\"\n\n\"csi.storage.k8s.io/ephemeral\" is a new feature in Kubernetes 1.16. It is only required for drivers which support both the \"Persistent\" and \"Ephemeral\" VolumeLifecycleMode. Other drivers can leave pod info disabled and/or ignore this field. As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when deployed on such a cluster and the deployment determines which mode that is, for example via a command line parameter of the driver.\n\nThis field is immutable.", + "volumeLifecycleModes": "VolumeLifecycleModes defines what kind of volumes this CSI volume driver supports. The default if the list is empty is \"Persistent\", which is the usage defined by the CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism. The other mode is \"Ephemeral\". In this mode, volumes are defined inline inside the pod spec with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume. For more information about implementing this mode, see https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html A driver can support one or more of these modes and more modes may be added in the future.\n\nThis field is immutable.", + "storageCapacity": "If set to true, storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage capacity that the driver deployment will report by creating CSIStorageCapacity objects with capacity information.\n\nThe check can be enabled immediately when deploying a driver. In that case, provisioning new volumes with late binding will pause until the driver deployment has published some suitable CSIStorageCapacity object.\n\nAlternatively, the driver can be deployed with the field unset or false and it can be flipped later when storage capacity information has been published.\n\nThis field is immutable.\n\nThis is a beta field and only available when the CSIStorageCapacity feature is enabled. The default is false.", + "fsGroupPolicy": "Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Refer to the specific FSGroupPolicy values for additional details. This field is alpha-level, and is only honored by servers that enable the CSIVolumeFSGroupPolicy feature gate.\n\nThis field is immutable.", + "tokenRequests": "TokenRequests indicates the CSI driver needs pods' service account tokens it is mounting volume for to do necessary authentication. Kubelet will pass the tokens in VolumeContext in the CSI NodePublishVolume calls. The CSI driver should parse and validate the following VolumeContext: \"csi.storage.k8s.io/serviceAccount.tokens\": {\n \"\": {\n \"token\": ,\n \"expirationTimestamp\": ,\n },\n ...\n}\n\nNote: Audience in each TokenRequest should be different and at most one token is empty string. To receive a new token after expiry, RequiresRepublish can be used to trigger NodePublishVolume periodically.\n\nThis is a beta feature and only available when the CSIServiceAccountToken feature is enabled.", + "requiresRepublish": "RequiresRepublish indicates the CSI driver wants `NodePublishVolume` being periodically called to reflect any possible change in the mounted volume. This field defaults to false.\n\nNote: After a successful initial NodePublishVolume call, subsequent calls to NodePublishVolume should only update the contents of the volume. New mount points will not be seen by a running container.\n\nThis is a beta feature and only available when the CSIServiceAccountToken feature is enabled.", } func (CSIDriverSpec) SwaggerDoc() map[string]string { diff --git a/test/e2e/storage/csi_mock_volume.go b/test/e2e/storage/csi_mock_volume.go index 0f8e184d22e9..2953865f543d 100644 --- a/test/e2e/storage/csi_mock_volume.go +++ b/test/e2e/storage/csi_mock_volume.go @@ -1368,7 +1368,7 @@ var _ = utils.SIGDescribe("CSI mock volume", func() { } }) - ginkgo.Context("CSIServiceAccountToken [Feature:CSIServiceAccountToken]", func() { + ginkgo.Context("CSIServiceAccountToken", func() { var ( err error )