Define ClusterTrustBundlePEM projected volume

This commit defines the ClusterTrustBundlePEM projected volume types. These types have been renamed from the KEP (PEMTrustAnchors) in order to leave open the possibility of a similar projection drawing from a yet-to-exist namespaced-scoped TrustBundle object, which came up during KEP discussion. * Add the projection field to internal and v1 APIs. * Add validation to ensure that usages of the project must specify a name and path. * Add TODO covering admission control to forbid mirror pods from using the projection. Part of KEP-3257.
2025-11-02 19:28:16 +00:00 · 2022-10-21 19:50:01 -07:00
parent 0fd1362782
commit ecfdc8fda5
9 changed files with 523 additions and 114 deletions
--- a/pkg/api/pod/util.go
+++ b/pkg/api/pod/util.go
@@ -549,6 +549,7 @@ func dropDisabledFields(
 	dropDisabledMatchLabelKeysFieldInTopologySpread(podSpec, oldPodSpec)
 	dropDisabledMatchLabelKeysFieldInPodAffinity(podSpec, oldPodSpec)
 	dropDisabledDynamicResourceAllocationFields(podSpec, oldPodSpec)
+	dropDisabledClusterTrustBundleProjection(podSpec, oldPodSpec)

 	if !utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodVerticalScaling) && !inPlacePodVerticalScalingInUse(oldPodSpec) {
 		// Drop ResizePolicy fields. Don't drop updates to Resources field as template.spec.resources
@@ -969,6 +970,53 @@ func restartableInitContainersInUse(podSpec *api.PodSpec) bool {
 	return inUse
 }

+func clusterTrustBundleProjectionInUse(podSpec *api.PodSpec) bool {
+	if podSpec == nil {
+		return false
+	}
+	for _, v := range podSpec.Volumes {
+		if v.Projected == nil {
+			continue
+		}
+
+		for _, s := range v.Projected.Sources {
+			if s.ClusterTrustBundle != nil {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
+func dropDisabledClusterTrustBundleProjection(podSpec, oldPodSpec *api.PodSpec) {
+	if utilfeature.DefaultFeatureGate.Enabled(features.ClusterTrustBundleProjection) {
+		return
+	}
+	if podSpec == nil {
+		return
+	}
+
+	// If the pod was already using it, it can keep using it.
+	if clusterTrustBundleProjectionInUse(oldPodSpec) {
+		return
+	}
+
+	for _, v := range podSpec.Volumes {
+		if v.Projected == nil {
+			continue
+		}
+
+		filteredSources := []api.VolumeProjection{}
+		for _, s := range v.Projected.Sources {
+			if s.ClusterTrustBundle == nil {
+				filteredSources = append(filteredSources, s)
+			}
+		}
+		v.Projected.Sources = filteredSources
+	}
+}
+
 func hasInvalidLabelValueInAffinitySelector(spec *api.PodSpec) bool {
 	if spec.Affinity != nil {
 		if spec.Affinity.PodAffinity != nil {