@@ -810,15 +810,13 @@ spec:
810810 volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
811811 If specified, the CSI driver will create or update the volume with the attributes defined
812812 in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
813- it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
814- will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
815- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
816- will be set by the persistentvolume controller if it exists.
813+ it can be changed after the claim is created. An empty string or nil value indicates that no
814+ VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
815+ this field can be reset to its previous value (including nil) to cancel the modification.
817816 If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
818817 set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
819818 exists.
820819 More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
821- (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
822820type : string
823821 volumeMode :
824822 description : |-
@@ -1000,12 +998,10 @@ spec:
1000998 description : |-
1001999 glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
10021000 Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
1003- More info: https://examples.k8s.io/volumes/glusterfs/README.md
10041001properties :
10051002 endpoints :
1006- description : |-
1007- endpoints is the endpoint name that details Glusterfs topology.
1008- More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
1003+ description : endpoints is the endpoint name that details
1004+ Glusterfs topology.
10091005 type : string
10101006 path :
10111007 description : |-
@@ -1084,7 +1080,7 @@ spec:
10841080 description : |-
10851081 iscsi represents an ISCSI Disk resource that is attached to a
10861082 kubelet's host machine and then exposed to the pod.
1087- More info: https://examples.k8s. io/volumes/iscsi/README.md
1083+ More info: https://kubernetes. io/docs/concepts/storage/ volumes/# iscsi
10881084properties :
10891085 chapAuthDiscovery :
10901086 description : chapAuthDiscovery defines whether support iSCSI
@@ -1504,6 +1500,111 @@ spec:
15041500 type : array
15051501 x-kubernetes-list-type : atomic
15061502 type : object
1503+ podCertificate :
1504+ description : |-
1505+ Projects an auto-rotating credential bundle (private key and certificate
1506+ chain) that the pod can use either as a TLS client or server.
1507+
1508+ Kubelet generates a private key and uses it to send a
1509+ PodCertificateRequest to the named signer. Once the signer approves the
1510+ request and issues a certificate chain, Kubelet writes the key and
1511+ certificate chain to the pod filesystem. The pod does not start until
1512+ certificates have been issued for each podCertificate projected volume
1513+ source in its spec.
1514+
1515+ Kubelet will begin trying to rotate the certificate at the time indicated
1516+ by the signer using the PodCertificateRequest.Status.BeginRefreshAt
1517+ timestamp.
1518+
1519+ Kubelet can write a single file, indicated by the credentialBundlePath
1520+ field, or separate files, indicated by the keyPath and
1521+ certificateChainPath fields.
1522+
1523+ The credential bundle is a single file in PEM format. The first PEM
1524+ entry is the private key (in PKCS#8 format), and the remaining PEM
1525+ entries are the certificate chain issued by the signer (typically,
1526+ signers will return their certificate chain in leaf-to-root order).
1527+
1528+ Prefer using the credential bundle format, since your application code
1529+ can read it atomically. If you use keyPath and certificateChainPath,
1530+ your application must make two separate file reads. If these coincide
1531+ with a certificate rotation, it is possible that the private key and leaf
1532+ certificate you read may not correspond to each other. Your application
1533+ will need to check for this condition, and re-read until they are
1534+ consistent.
1535+
1536+ The named signer controls chooses the format of the certificate it
1537+ issues; consult the signer implementation's documentation to learn how to
1538+ use the certificates it issues.
1539+ properties :
1540+ certificateChainPath :
1541+ description : |-
1542+ Write the certificate chain at this path in the projected volume.
1543+
1544+ Most applications should use credentialBundlePath. When using keyPath
1545+ and certificateChainPath, your application needs to check that the key
1546+ and leaf certificate are consistent, because it is possible to read the
1547+ files mid-rotation.
1548+ type : string
1549+ credentialBundlePath :
1550+ description : |-
1551+ Write the credential bundle at this path in the projected volume.
1552+
1553+ The credential bundle is a single file that contains multiple PEM blocks.
1554+ The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
1555+ key.
1556+
1557+ The remaining blocks are CERTIFICATE blocks, containing the issued
1558+ certificate chain from the signer (leaf and any intermediates).
1559+
1560+ Using credentialBundlePath lets your Pod's application code make a single
1561+ atomic read that retrieves a consistent key and certificate chain. If you
1562+ project them to separate files, your application code will need to
1563+ additionally check that the leaf certificate was issued to the key.
1564+ type : string
1565+ keyPath :
1566+ description : |-
1567+ Write the key at this path in the projected volume.
1568+
1569+ Most applications should use credentialBundlePath. When using keyPath
1570+ and certificateChainPath, your application needs to check that the key
1571+ and leaf certificate are consistent, because it is possible to read the
1572+ files mid-rotation.
1573+ type : string
1574+ keyType :
1575+ description : |-
1576+ The type of keypair Kubelet will generate for the pod.
1577+
1578+ Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
1579+ "ECDSAP521", and "ED25519".
1580+ type : string
1581+ maxExpirationSeconds :
1582+ description : |-
1583+ maxExpirationSeconds is the maximum lifetime permitted for the
1584+ certificate.
1585+
1586+ Kubelet copies this value verbatim into the PodCertificateRequests it
1587+ generates for this projection.
1588+
1589+ If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
1590+ will reject values shorter than 3600 (1 hour). The maximum allowable
1591+ value is 7862400 (91 days).
1592+
1593+ The signer implementation is then free to issue a certificate with any
1594+ lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
1595+ seconds (1 hour). This constraint is enforced by kube-apiserver.
1596+ `kubernetes.io` signers will never issue certificates with a lifetime
1597+ longer than 24 hours.
1598+ format : int32
1599+ type : integer
1600+ signerName :
1601+ description : Kubelet's generated CSRs will be
1602+ addressed to this signer.
1603+ type : string
1604+ required :
1605+ - keyType
1606+ - signerName
1607+ type : object
15071608 secret :
15081609 description : secret information about the secret data
15091610 to project
@@ -1638,7 +1739,6 @@ spec:
16381739 description : |-
16391740 rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
16401741 Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
1641- More info: https://examples.k8s.io/volumes/rbd/README.md
16421742properties :
16431743 fsType :
16441744 description : |-
0 commit comments