diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json index d74ec08a5a3..3e7bd5bd6cf 100644 --- a/api/openapi-spec/swagger.json +++ b/api/openapi-spec/swagger.json @@ -19596,7 +19596,7 @@ "type": "boolean" }, "preventPodSchedulingIfMissing": { - "description": "PreventPodSchedulingIfMissing indicates that the CSI driver wants to prevent pod scheduling if the CSI driver on the node is missing. This is an alpha feature and requires the VolumeLimitScaling feature gate to be enabled. Default is \"false\".", + "description": "PreventPodSchedulingIfMissing indicates that the CSI driver wants to prevent pod scheduling if the CSI driver on the node is missing.\n\nEnabling this option will prevent the scheduler (or any other component which embeds default scheduler such as cluster-autoscaler) from scheduling pods to nodes where CSI driver is not installed.\n\nFor components(such as cluster-autoscaler) that embed the scheduler and run pod placement simulations using scheduler plugins, they MUST be aware of CSI driver registration information via CSINode object. They must create simulated CSINode objects in addition to Node objects during scheduling simulation, otherwise if PreventPodSchedulingIfMissing is enabled globally for CSIDriver object, any newly created node may be rejected by the scheduler because of missing CSI driver information from the node.\n\nThis is an alpha feature and requires the VolumeLimitScaling feature gate to be enabled. Default is \"false\".", "type": "boolean" }, "requiresRepublish": { diff --git a/api/openapi-spec/v3/apis__storage.k8s.io__v1_openapi.json b/api/openapi-spec/v3/apis__storage.k8s.io__v1_openapi.json index 4782db32d27..2345a07a257 100644 --- a/api/openapi-spec/v3/apis__storage.k8s.io__v1_openapi.json +++ b/api/openapi-spec/v3/apis__storage.k8s.io__v1_openapi.json @@ -1304,7 +1304,7 @@ "type": "boolean" }, "preventPodSchedulingIfMissing": { - "description": "PreventPodSchedulingIfMissing indicates that the CSI driver wants to prevent pod scheduling if the CSI driver on the node is missing. This is an alpha feature and requires the VolumeLimitScaling feature gate to be enabled. Default is \"false\".", + "description": "PreventPodSchedulingIfMissing indicates that the CSI driver wants to prevent pod scheduling if the CSI driver on the node is missing.\n\nEnabling this option will prevent the scheduler (or any other component which embeds default scheduler such as cluster-autoscaler) from scheduling pods to nodes where CSI driver is not installed.\n\nFor components(such as cluster-autoscaler) that embed the scheduler and run pod placement simulations using scheduler plugins, they MUST be aware of CSI driver registration information via CSINode object. They must create simulated CSINode objects in addition to Node objects during scheduling simulation, otherwise if PreventPodSchedulingIfMissing is enabled globally for CSIDriver object, any newly created node may be rejected by the scheduler because of missing CSI driver information from the node.\n\nThis is an alpha feature and requires the VolumeLimitScaling feature gate to be enabled. Default is \"false\".", "type": "boolean" }, "requiresRepublish": { diff --git a/pkg/generated/openapi/zz_generated.openapi.go b/pkg/generated/openapi/zz_generated.openapi.go index 54b75f3ebc7..28c32848d4b 100644 --- a/pkg/generated/openapi/zz_generated.openapi.go +++ b/pkg/generated/openapi/zz_generated.openapi.go @@ -54418,7 +54418,7 @@ func schema_k8sio_api_storage_v1_CSIDriverSpec(ref common.ReferenceCallback) com }, "preventPodSchedulingIfMissing": { SchemaProps: spec.SchemaProps{ - Description: "PreventPodSchedulingIfMissing indicates that the CSI driver wants to prevent pod scheduling if the CSI driver on the node is missing. This is an alpha feature and requires the VolumeLimitScaling feature gate to be enabled. Default is \"false\".", + Description: "PreventPodSchedulingIfMissing indicates that the CSI driver wants to prevent pod scheduling if the CSI driver on the node is missing.\n\nEnabling this option will prevent the scheduler (or any other component which embeds default scheduler such as cluster-autoscaler) from scheduling pods to nodes where CSI driver is not installed.\n\nFor components(such as cluster-autoscaler) that embed the scheduler and run pod placement simulations using scheduler plugins, they MUST be aware of CSI driver registration information via CSINode object. They must create simulated CSINode objects in addition to Node objects during scheduling simulation, otherwise if PreventPodSchedulingIfMissing is enabled globally for CSIDriver object, any newly created node may be rejected by the scheduler because of missing CSI driver information from the node.\n\nThis is an alpha feature and requires the VolumeLimitScaling feature gate to be enabled. Default is \"false\".", Type: []string{"boolean"}, Format: "", }, @@ -56010,7 +56010,7 @@ func schema_k8sio_api_storage_v1beta1_CSIDriverSpec(ref common.ReferenceCallback }, "preventPodSchedulingIfMissing": { SchemaProps: spec.SchemaProps{ - Description: "PreventPodSchedulingIfMissing indicates that the CSI driver wants to prevent pod scheduling if the CSI driver on the node is missing. This is an alpha feature and requires the VolumeLimitScaling feature gate to be enabled. Default is \"false\".", + Description: "PreventPodSchedulingIfMissing indicates that the CSI driver wants to prevent pod scheduling if the CSI driver on the node is missing.\n\nEnabling this option will prevent the scheduler (or any other component which embeds default scheduler such as cluster-autoscaler) from scheduling pods to nodes where CSI driver is not installed.\n\nFor components(such as cluster-autoscaler) that embed the scheduler and run pod placement simulations using scheduler plugins, they MUST be aware of CSI driver registration information via CSINode object. They must create simulated CSINode objects in addition to Node objects during scheduling simulation, otherwise if PreventPodSchedulingIfMissing is enabled globally for CSIDriver object, any newly created node may be rejected by the scheduler because of missing CSI driver information from the node.\n\nThis is an alpha feature and requires the VolumeLimitScaling feature gate to be enabled. Default is \"false\".", Type: []string{"boolean"}, Format: "", }, diff --git a/staging/src/k8s.io/api/storage/v1/generated.proto b/staging/src/k8s.io/api/storage/v1/generated.proto index ee5e6ccc18c..d6bc969bb3a 100644 --- a/staging/src/k8s.io/api/storage/v1/generated.proto +++ b/staging/src/k8s.io/api/storage/v1/generated.proto @@ -250,8 +250,21 @@ message CSIDriverSpec { // +optional optional bool serviceAccountTokenInSecrets = 10; - // PreventPodSchedulingIfMissing indicates that the CSI driver wants to prevent pod scheduling if the CSI driver - // on the node is missing. + // PreventPodSchedulingIfMissing indicates that the CSI driver wants to prevent pod + // scheduling if the CSI driver on the node is missing. + // + // Enabling this option will prevent the scheduler (or any other + // component which embeds default scheduler such as cluster-autoscaler) from + // scheduling pods to nodes where CSI driver is not installed. + // + // For components(such as cluster-autoscaler) that embed the scheduler and run + // pod placement simulations using scheduler plugins, they MUST be aware of + // CSI driver registration information via CSINode object. They must create simulated + // CSINode objects in addition to Node objects during scheduling simulation, otherwise + // if PreventPodSchedulingIfMissing is enabled globally for CSIDriver object, any + // newly created node may be rejected by the scheduler because of missing CSI driver + // information from the node. + // // This is an alpha feature and requires the VolumeLimitScaling feature gate to be enabled. // Default is "false". // +featureGate=VolumeLimitScaling diff --git a/staging/src/k8s.io/api/storage/v1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/storage/v1/types_swagger_doc_generated.go index 8b515e3e247..47a7e92492e 100644 --- a/staging/src/k8s.io/api/storage/v1/types_swagger_doc_generated.go +++ b/staging/src/k8s.io/api/storage/v1/types_swagger_doc_generated.go @@ -59,7 +59,7 @@ var map_CSIDriverSpec = map[string]string{ "seLinuxMount": "seLinuxMount specifies if the CSI driver supports \"-o context\" mount option.\n\nWhen \"true\", the CSI driver must ensure that all volumes provided by this CSI driver can be mounted separately with different `-o context` options. This is typical for storage backends that provide volumes as filesystems on block devices or as independent shared volumes. Kubernetes will call NodeStage / NodePublish with \"-o context=xyz\" mount option when mounting a ReadWriteOncePod volume used in Pod that has explicitly set SELinux context. In the future, it may be expanded to other volume AccessModes. In any case, Kubernetes will ensure that the volume is mounted only with a single SELinux context.\n\nWhen \"false\", Kubernetes won't pass any special SELinux mount options to the driver. This is typical for volumes that represent subdirectories of a bigger shared filesystem.\n\nDefault is \"false\".", "nodeAllocatableUpdatePeriodSeconds": "nodeAllocatableUpdatePeriodSeconds specifies the interval between periodic updates of the CSINode allocatable capacity for this driver. When set, both periodic updates and updates triggered by capacity-related failures are enabled. If not set, no updates occur (neither periodic nor upon detecting capacity-related failures), and the allocatable.count remains static. The minimum allowed value for this field is 10 seconds.\n\nThis feature requires the MutableCSINodeAllocatableCount feature gate to be enabled.\n\nThis field is mutable.", "serviceAccountTokenInSecrets": "serviceAccountTokenInSecrets is an opt-in for CSI drivers to indicate that service account tokens should be passed via the Secrets field in NodePublishVolumeRequest instead of the VolumeContext field. The CSI specification provides a dedicated Secrets field for sensitive information like tokens, which is the appropriate mechanism for handling credentials. This addresses security concerns where sensitive tokens were being logged as part of volume context.\n\nWhen \"true\", kubelet will pass the tokens only in the Secrets field with the key \"csi.storage.k8s.io/serviceAccount.tokens\". The CSI driver must be updated to read tokens from the Secrets field instead of VolumeContext.\n\nWhen \"false\" or not set, kubelet will pass the tokens in VolumeContext with the key \"csi.storage.k8s.io/serviceAccount.tokens\" (existing behavior). This maintains backward compatibility with existing CSI drivers.\n\nThis field can only be set when TokenRequests is configured. The API server will reject CSIDriver specs that set this field without TokenRequests.\n\nDefault behavior if unset is to pass tokens in the VolumeContext field.", - "preventPodSchedulingIfMissing": "PreventPodSchedulingIfMissing indicates that the CSI driver wants to prevent pod scheduling if the CSI driver on the node is missing. This is an alpha feature and requires the VolumeLimitScaling feature gate to be enabled. Default is \"false\".", + "preventPodSchedulingIfMissing": "PreventPodSchedulingIfMissing indicates that the CSI driver wants to prevent pod scheduling if the CSI driver on the node is missing.\n\nEnabling this option will prevent the scheduler (or any other component which embeds default scheduler such as cluster-autoscaler) from scheduling pods to nodes where CSI driver is not installed.\n\nFor components(such as cluster-autoscaler) that embed the scheduler and run pod placement simulations using scheduler plugins, they MUST be aware of CSI driver registration information via CSINode object. They must create simulated CSINode objects in addition to Node objects during scheduling simulation, otherwise if PreventPodSchedulingIfMissing is enabled globally for CSIDriver object, any newly created node may be rejected by the scheduler because of missing CSI driver information from the node.\n\nThis is an alpha feature and requires the VolumeLimitScaling feature gate to be enabled. Default is \"false\".", } func (CSIDriverSpec) SwaggerDoc() map[string]string { diff --git a/staging/src/k8s.io/api/storage/v1beta1/generated.proto b/staging/src/k8s.io/api/storage/v1beta1/generated.proto index a3e1fa4f2bb..3cae755fb4f 100644 --- a/staging/src/k8s.io/api/storage/v1beta1/generated.proto +++ b/staging/src/k8s.io/api/storage/v1beta1/generated.proto @@ -252,8 +252,21 @@ message CSIDriverSpec { // +optional optional bool serviceAccountTokenInSecrets = 10; - // PreventPodSchedulingIfMissing indicates that the CSI driver wants to prevent pod scheduling if the CSI driver - // on the node is missing. + // PreventPodSchedulingIfMissing indicates that the CSI driver wants to prevent pod + // scheduling if the CSI driver on the node is missing. + // + // Enabling this option will prevent the scheduler (or any other + // component which embeds default scheduler such as cluster-autoscaler) from + // scheduling pods to nodes where CSI driver is not installed. + // + // For components(such as cluster-autoscaler) that embed the scheduler and run + // pod placement simulations using scheduler plugins, they MUST be aware of + // CSI driver registration information via CSINode object. They must create simulated + // CSINode objects in addition to Node objects during scheduling simulation, otherwise + // if PreventPodSchedulingIfMissing is enabled globally for CSIDriver object, any + // newly created node may be rejected by the scheduler because of missing CSI driver + // information from the node. + // // This is an alpha feature and requires the VolumeLimitScaling feature gate to be enabled. // Default is "false". // +featureGate=VolumeLimitScaling diff --git a/staging/src/k8s.io/api/storage/v1beta1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/storage/v1beta1/types_swagger_doc_generated.go index 3f19f411c5d..80b68839b4e 100644 --- a/staging/src/k8s.io/api/storage/v1beta1/types_swagger_doc_generated.go +++ b/staging/src/k8s.io/api/storage/v1beta1/types_swagger_doc_generated.go @@ -59,7 +59,7 @@ var map_CSIDriverSpec = map[string]string{ "seLinuxMount": "seLinuxMount specifies if the CSI driver supports \"-o context\" mount option.\n\nWhen \"true\", the CSI driver must ensure that all volumes provided by this CSI driver can be mounted separately with different `-o context` options. This is typical for storage backends that provide volumes as filesystems on block devices or as independent shared volumes. Kubernetes will call NodeStage / NodePublish with \"-o context=xyz\" mount option when mounting a ReadWriteOncePod volume used in Pod that has explicitly set SELinux context. In the future, it may be expanded to other volume AccessModes. In any case, Kubernetes will ensure that the volume is mounted only with a single SELinux context.\n\nWhen \"false\", Kubernetes won't pass any special SELinux mount options to the driver. This is typical for volumes that represent subdirectories of a bigger shared filesystem.\n\nDefault is \"false\".", "nodeAllocatableUpdatePeriodSeconds": "nodeAllocatableUpdatePeriodSeconds specifies the interval between periodic updates of the CSINode allocatable capacity for this driver. When set, both periodic updates and updates triggered by capacity-related failures are enabled. If not set, no updates occur (neither periodic nor upon detecting capacity-related failures), and the allocatable.count remains static. The minimum allowed value for this field is 10 seconds.\n\nThis is a beta feature and requires the MutableCSINodeAllocatableCount feature gate to be enabled.\n\nThis field is mutable.", "serviceAccountTokenInSecrets": "serviceAccountTokenInSecrets is an opt-in for CSI drivers to indicate that service account tokens should be passed via the Secrets field in NodePublishVolumeRequest instead of the VolumeContext field. The CSI specification provides a dedicated Secrets field for sensitive information like tokens, which is the appropriate mechanism for handling credentials. This addresses security concerns where sensitive tokens were being logged as part of volume context.\n\nWhen \"true\", kubelet will pass the tokens only in the Secrets field with the key \"csi.storage.k8s.io/serviceAccount.tokens\". The CSI driver must be updated to read tokens from the Secrets field instead of VolumeContext.\n\nWhen \"false\" or not set, kubelet will pass the tokens in VolumeContext with the key \"csi.storage.k8s.io/serviceAccount.tokens\" (existing behavior). This maintains backward compatibility with existing CSI drivers.\n\nThis field can only be set when TokenRequests is configured. The API server will reject CSIDriver specs that set this field without TokenRequests.\n\nDefault behavior if unset is to pass tokens in the VolumeContext field.", - "preventPodSchedulingIfMissing": "PreventPodSchedulingIfMissing indicates that the CSI driver wants to prevent pod scheduling if the CSI driver on the node is missing. This is an alpha feature and requires the VolumeLimitScaling feature gate to be enabled. Default is \"false\".", + "preventPodSchedulingIfMissing": "PreventPodSchedulingIfMissing indicates that the CSI driver wants to prevent pod scheduling if the CSI driver on the node is missing.\n\nEnabling this option will prevent the scheduler (or any other component which embeds default scheduler such as cluster-autoscaler) from scheduling pods to nodes where CSI driver is not installed.\n\nFor components(such as cluster-autoscaler) that embed the scheduler and run pod placement simulations using scheduler plugins, they MUST be aware of CSI driver registration information via CSINode object. They must create simulated CSINode objects in addition to Node objects during scheduling simulation, otherwise if PreventPodSchedulingIfMissing is enabled globally for CSIDriver object, any newly created node may be rejected by the scheduler because of missing CSI driver information from the node.\n\nThis is an alpha feature and requires the VolumeLimitScaling feature gate to be enabled. Default is \"false\".", } func (CSIDriverSpec) SwaggerDoc() map[string]string { diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csidriverspec.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csidriverspec.go index c68dbc21748..4a715c141b8 100644 --- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csidriverspec.go +++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csidriverspec.go @@ -178,8 +178,21 @@ type CSIDriverSpecApplyConfiguration struct { // // Default behavior if unset is to pass tokens in the VolumeContext field. ServiceAccountTokenInSecrets *bool `json:"serviceAccountTokenInSecrets,omitempty"` - // PreventPodSchedulingIfMissing indicates that the CSI driver wants to prevent pod scheduling if the CSI driver - // on the node is missing. + // PreventPodSchedulingIfMissing indicates that the CSI driver wants to prevent pod + // scheduling if the CSI driver on the node is missing. + // + // Enabling this option will prevent the scheduler (or any other + // component which embeds default scheduler such as cluster-autoscaler) from + // scheduling pods to nodes where CSI driver is not installed. + // + // For components(such as cluster-autoscaler) that embed the scheduler and run + // pod placement simulations using scheduler plugins, they MUST be aware of + // CSI driver registration information via CSINode object. They must create simulated + // CSINode objects in addition to Node objects during scheduling simulation, otherwise + // if PreventPodSchedulingIfMissing is enabled globally for CSIDriver object, any + // newly created node may be rejected by the scheduler because of missing CSI driver + // information from the node. + // // This is an alpha feature and requires the VolumeLimitScaling feature gate to be enabled. // Default is "false". PreventPodSchedulingIfMissing *bool `json:"preventPodSchedulingIfMissing,omitempty"` diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csidriverspec.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csidriverspec.go index a81b868deda..cec76d9fd82 100644 --- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csidriverspec.go +++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csidriverspec.go @@ -178,8 +178,21 @@ type CSIDriverSpecApplyConfiguration struct { // // Default behavior if unset is to pass tokens in the VolumeContext field. ServiceAccountTokenInSecrets *bool `json:"serviceAccountTokenInSecrets,omitempty"` - // PreventPodSchedulingIfMissing indicates that the CSI driver wants to prevent pod scheduling if the CSI driver - // on the node is missing. + // PreventPodSchedulingIfMissing indicates that the CSI driver wants to prevent pod + // scheduling if the CSI driver on the node is missing. + // + // Enabling this option will prevent the scheduler (or any other + // component which embeds default scheduler such as cluster-autoscaler) from + // scheduling pods to nodes where CSI driver is not installed. + // + // For components(such as cluster-autoscaler) that embed the scheduler and run + // pod placement simulations using scheduler plugins, they MUST be aware of + // CSI driver registration information via CSINode object. They must create simulated + // CSINode objects in addition to Node objects during scheduling simulation, otherwise + // if PreventPodSchedulingIfMissing is enabled globally for CSIDriver object, any + // newly created node may be rejected by the scheduler because of missing CSI driver + // information from the node. + // // This is an alpha feature and requires the VolumeLimitScaling feature gate to be enabled. // Default is "false". PreventPodSchedulingIfMissing *bool `json:"preventPodSchedulingIfMissing,omitempty"`