@@ -607,6 +607,43 @@ spec:
607607 - fieldPath
608608 type : object
609609 x-kubernetes-map-type : atomic
610+ fileKeyRef :
611+ description : |-
612+ FileKeyRef selects a key of the env file.
613+ Requires the EnvFiles feature gate to be enabled.
614+ properties :
615+ key :
616+ description : |-
617+ The key within the env file. An invalid key will prevent the pod from starting.
618+ The keys defined within a source may consist of any printable ASCII characters except '='.
619+ During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
620+ type : string
621+ optional :
622+ default : false
623+ description : |-
624+ Specify whether the file or its key must be defined. If the file or key
625+ does not exist, then the env var is not published.
626+ If optional is set to true and the specified key does not exist,
627+ the environment variable will not be set in the Pod's containers.
628+
629+ If optional is set to false and the specified key does not exist,
630+ an error will be returned during Pod creation.
631+ type : boolean
632+ path :
633+ description : |-
634+ The path within the volume from which to select the file.
635+ Must be relative and may not contain the '..' path or start with '..'.
636+ type : string
637+ volumeName :
638+ description : The name of the volume mount containing
639+ the env file.
640+ type : string
641+ required :
642+ - key
643+ - path
644+ - volumeName
645+ type : object
646+ x-kubernetes-map-type : atomic
610647 resourceFieldRef :
611648 description : |-
612649 Selects a resource of the container: only resources limits and requests
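Review bot: The `optional` description under fileKeyRef contradicts itself: its first paragraph says that if the file or key does not exist "the env var is not published", while its last paragraph says a missing key with optional set to false returns an error during Pod creation. Scope the first statement to optional: true. The two conditional paragraphs also mention only a missing key, so state what happens when the file itself is absent. Separately, the 128-character key limit and the rule that `path` must be relative and free of '..' exist only as description text. Nothing in this schema enforces them, so a maxLength on `key` would make that limit checkable here.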
@@ -1399,15 +1436,13 @@ spec:
13991436 volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
14001437 If specified, the CSI driver will create or update the volume with the attributes defined
14011438 in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
1402- it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
1403- will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
1404- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
1405- will be set by the persistentvolume controller if it exists.
1439+ it can be changed after the claim is created. An empty string or nil value indicates that no
1440+ VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
1441+ this field can be reset to its previous value (including nil) to cancel the modification.
14061442 If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
14071443 set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
14081444 exists.
14091445 More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
1410- (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
14111446 type : string
14121447 volumeMode :
14131448 description : |-
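Review bot: The new volumeAttributesClassName text allows resetting the field "to its previous value (including nil)" when the claim enters an Infeasible error state, but it no longer says whether clearing the field is permitted in any other state, which the removed wording explicitly forbade once the field was set. Spell out the rule for the non-Infeasible case. The sentence about the persistentvolume controller setting a default for unbound claims is also removed without replacement, which leaves the unspecified case undocumented. Minor, in the unchanged context: "until such as a resource exists" looks like a typo for "until such a resource exists".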
@@ -1589,12 +1624,10 @@ spec:
15891624 description : |-
15901625 glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
15911626 Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
1592- More info: https://examples.k8s.io/volumes/glusterfs/README.md
15931627 properties :
15941628 endpoints :
1595- description : |-
1596- endpoints is the endpoint name that details Glusterfs topology.
1597- More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
1629+ description : endpoints is the endpoint name that details
1630+ Glusterfs topology.
15981631 type : string
15991632 path :
16001633 description : |-
@@ -1673,7 +1706,7 @@ spec:
16731706 description : |-
16741707 iscsi represents an ISCSI Disk resource that is attached to a
16751708 kubelet's host machine and then exposed to the pod.
1676- More info: https://examples.k8s. io/volumes/iscsi/README.md
1709+ More info: https://kubernetes. io/docs/concepts/storage/ volumes/# iscsi
16771710 properties :
16781711 chapAuthDiscovery :
16791712 description : chapAuthDiscovery defines whether support iSCSI
@@ -2093,6 +2126,111 @@ spec:
20932126 type : array
20942127 x-kubernetes-list-type : atomic
20952128 type : object
2129+ podCertificate :
2130+ description : |-
2131+ Projects an auto-rotating credential bundle (private key and certificate
2132+ chain) that the pod can use either as a TLS client or server.
2133+
2134+ Kubelet generates a private key and uses it to send a
2135+ PodCertificateRequest to the named signer. Once the signer approves the
2136+ request and issues a certificate chain, Kubelet writes the key and
2137+ certificate chain to the pod filesystem. The pod does not start until
2138+ certificates have been issued for each podCertificate projected volume
2139+ source in its spec.
2140+
2141+ Kubelet will begin trying to rotate the certificate at the time indicated
2142+ by the signer using the PodCertificateRequest.Status.BeginRefreshAt
2143+ timestamp.
2144+
2145+ Kubelet can write a single file, indicated by the credentialBundlePath
2146+ field, or separate files, indicated by the keyPath and
2147+ certificateChainPath fields.
2148+
2149+ The credential bundle is a single file in PEM format. The first PEM
2150+ entry is the private key (in PKCS#8 format), and the remaining PEM
2151+ entries are the certificate chain issued by the signer (typically,
2152+ signers will return their certificate chain in leaf-to-root order).
2153+
2154+ Prefer using the credential bundle format, since your application code
2155+ can read it atomically. If you use keyPath and certificateChainPath,
2156+ your application must make two separate file reads. If these coincide
2157+ with a certificate rotation, it is possible that the private key and leaf
2158+ certificate you read may not correspond to each other. Your application
2159+ will need to check for this condition, and re-read until they are
2160+ consistent.
2161+
2162+ The named signer controls chooses the format of the certificate it
2163+ issues; consult the signer implementation's documentation to learn how to
2164+ use the certificates it issues.
2165+ properties :
2166+ certificateChainPath :
2167+ description : |-
2168+ Write the certificate chain at this path in the projected volume.
2169+
2170+ Most applications should use credentialBundlePath. When using keyPath
2171+ and certificateChainPath, your application needs to check that the key
2172+ and leaf certificate are consistent, because it is possible to read the
2173+ files mid-rotation.
2174+ type : string
2175+ credentialBundlePath :
2176+ description : |-
2177+ Write the credential bundle at this path in the projected volume.
2178+
2179+ The credential bundle is a single file that contains multiple PEM blocks.
2180+ The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
2181+ key.
2182+
2183+ The remaining blocks are CERTIFICATE blocks, containing the issued
2184+ certificate chain from the signer (leaf and any intermediates).
2185+
2186+ Using credentialBundlePath lets your Pod's application code make a single
2187+ atomic read that retrieves a consistent key and certificate chain. If you
2188+ project them to separate files, your application code will need to
2189+ additionally check that the leaf certificate was issued to the key.
2190+ type : string
2191+ keyPath :
2192+ description : |-
2193+ Write the key at this path in the projected volume.
2194+
2195+ Most applications should use credentialBundlePath. When using keyPath
2196+ and certificateChainPath, your application needs to check that the key
2197+ and leaf certificate are consistent, because it is possible to read the
2198+ files mid-rotation.
2199+ type : string
2200+ keyType :
2201+ description : |-
2202+ The type of keypair Kubelet will generate for the pod.
2203+
2204+ Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
2205+ "ECDSAP521", and "ED25519".
2206+ type : string
2207+ maxExpirationSeconds :
2208+ description : |-
2209+ maxExpirationSeconds is the maximum lifetime permitted for the
2210+ certificate.
2211+
2212+ Kubelet copies this value verbatim into the PodCertificateRequests it
2213+ generates for this projection.
2214+
2215+ If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
2216+ will reject values shorter than 3600 (1 hour). The maximum allowable
2217+ value is 7862400 (91 days).
2218+
2219+ The signer implementation is then free to issue a certificate with any
2220+ lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
2221+ seconds (1 hour). This constraint is enforced by kube-apiserver.
2222+ `kubernetes.io` signers will never issue certificates with a lifetime
2223+ longer than 24 hours.
2224+ format : int32
2225+ type : integer
2226+ signerName :
2227+ description : Kubelet's generated CSRs will be
2228+ addressed to this signer.
2229+ type : string
2230+ required :
2231+ - keyType
2232+ - signerName
2233+ type : object
20962234 secret :
20972235 description : secret information about the secret data
20982236 to project
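Review bot: In podCertificate, the allowed `keyType` values and the `maxExpirationSeconds` bounds (3600 to 7862400) are stated only in description text; the schema carries no enum, minimum or maximum, so this definition by itself accepts any string and any int32. Likewise `required` lists only keyType and signerName, so a projection with none of credentialBundlePath, keyPath or certificateChainPath passes this schema, and the description does not say what Kubelet does in that case. Either add the constraints or document where they are enforced. Wording: "The named signer controls chooses the format" has a stray word, "86400(24 hours)" is missing a space, and the signerName description refers to "Kubelet's generated CSRs" while the rest of the text calls the object a PodCertificateRequest. The phrase "any lifetime *shorter* than MaxExpirationSeconds" also leaves it unclear whether a lifetime equal to the maximum is allowed.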
@@ -2227,7 +2365,6 @@ spec:
22272365 description : |-
22282366 rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
22292367 Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
2230- More info: https://examples.k8s.io/volumes/rbd/README.md
22312368 properties :
22322369 fsType :
22332370 description : |-