@@ -79,29 +79,29 @@ uncharming traits:
79
79
type CSIDriverSpec struct {
80
80
... // existing fields
81
81
82
- RequiresRemount *bool
83
- ServiceAccountTokens []ServiceAccountToken
82
+ RequiresRepublish *bool
83
+ TokenRequests []TokenRequest
84
84
}
85
85
86
- // ServiceAccountToken contains parameters of a token.
87
- type ServiceAccountToken struct {
88
- Audience * string
86
+ // TokenRequest contains parameters of a token.
87
+ type TokenRequest struct {
88
+ Audience string
89
89
ExpirationSeconds *int64
90
90
}
91
91
```
92
92
93
93
These three fields are all optional:
94
94
95
- - ** ` ServiceAccountToken .Audience` ** : will be set in ` TokenRequestSpec ` . This
95
+ - ** ` TokenRequest .Audience` ** : will be set in ` TokenRequestSpec ` . This
96
96
- will default to ` APIAudiences ` of kube-apiserver if it is empty. The storage
97
97
provider of the CSI driver is supposed to send a ` TokenReview ` with at least
98
98
one of the audiences specified.
99
99
100
- - ** ` ServiceAccountToken .ExpirationSeconds` ** : will be set in
100
+ - ** ` TokenRequest .ExpirationSeconds` ** : will be set in
101
101
` TokenRequestSpec ` . The issued token may have a different duration, so the
102
102
` ExpirationTimestamp ` in ` TokenRequestStatus ` will be passed to CSI driver.
103
103
104
- - ** ` RequiresRemount ` ** : should be only set when the mounted volumes by the
104
+ - ** ` RequiresRepublish ` ** : should be only set when the mounted volumes by the
105
105
CSI driver have TTL and require re-validation on the token.
106
106
107
107
- ** Note** : Remount means re-execution of ` NodePublishVolume ` in scope of
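Review bot: `Audience string` in the new `TokenRequest` struct has no field comment, and with the pointer dropped an unset audience and an empty one are now the same value. The bullet list below says an empty audience defaults to the `APIAudiences` of kube-apiserver, so state that on the field itself, for example `// Audience is the intended audience of the token; empty means the APIAudiences of kube-apiserver.` Separately, the trailing Note still reads "Remount means re-execution of `NodePublishVolume`" although the field is now `RequiresRepublish`; reword it to "Republish" so the note defines the term the API actually uses.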
@@ -129,8 +129,8 @@ and will be set in `VolumeContext`:
129
129
130
130
Take the Vault provider for secret store CSI driver as an example:
131
131
132
- 1 . Create ` CSIDriver ` object with ` ServiceAccountToken [0].Audience=['vault']`
133
- and ` RequiresRemount =true` .
132
+ 1 . Create ` CSIDriver ` object with ` TokenRequests [0].Audience=['vault']`
133
+ and ` RequiresRepublish =true` .
134
134
2 . When the volume manager of kubelet sees a new volume, the pod object in
135
135
` mountedPods ` will have ` requiresRemound=true ` after ` MarkRemountRequired `
136
136
is called. ` MarkRemountRequired ` will call into ` RequiresRemount ` of the
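Review bot: step 1 writes `TokenRequests[0].Audience=['vault']`, a list literal, while the struct earlier in this patch declares `Audience string`; write `TokenRequests[0].Audience='vault'` so the example matches the type. Step 2 was not touched by the rename and still refers to `RequiresRemount`, `MarkRemountRequired` and `requiresRemound=true` (the last also looks misspelled), so either rename these together with the field or say explicitly that the kubelet-internal names are kept on purpose.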
@@ -143,7 +143,7 @@ Take the Vault provider for secret store CSI driver as an example:
143
143
144
144
### Notes/Constraints/Caveats
145
145
146
- The ` RequiresRemount ` is useful when the mounted volumes can expire and the
146
+ The ` RequiresRepublish ` is useful when the mounted volumes can expire and the
147
147
availability and validity of volumes are continuously required. Those volumes
148
148
are most likely credentials which rotates for the best security practice. There
149
149
are two options when the remount failed:
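Review bot: the renamed sentence is followed three lines later by "when the remount failed", so this paragraph now mixes `RequiresRepublish` with "remount". Change it to "when the republish fails", or define remount once as the kubelet-side operation, so readers do not take the two words for different mechanisms.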
@@ -220,8 +220,8 @@ Option 1 is adopted. See discussion
220
220
- ** Will enabling / using this feature result in any new API calls?**
221
221
222
222
- API call type: ` TokenRequest `
223
- - estimated throughput: 1(` RequiresRemount =false` ) or
224
- 1/ExpirationSeconds/s(` RequiresRemount =true` ) for each CSI driver using
223
+ - estimated throughput: 1(` RequiresRepublish =false` ) or
224
+ 1/ExpirationSeconds/s(` RequiresRepublish =true` ) for each CSI driver using
225
225
this feature.
226
226
- originating component: kubelet
227
227
- components listing and/or watching resources they didn't before: n/a.
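Review bot: the throughput bullet gives a bare `1` for `RequiresRepublish=false` next to a rate of `1/ExpirationSeconds/s` for `RequiresRepublish=true`; say what the 1 is counted per (for instance one call per `NodePublishVolume`, if that is what is meant) so the two figures can be compared. The rename also makes `TokenRequest` name both the new `CSIDriverSpec` struct and the "API call type: `TokenRequest`" in this list; wording such as "the `TokenRequest` API" on that bullet would keep them apart.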