kubernetes-sigs · BlaineEXE · Oct 29, 2025
diff --git a/client/apis/objectstorage/v1alpha2/bucketaccess_types.go b/client/apis/objectstorage/v1alpha2/bucketaccess_types.go
@@ -167,17 +167,19 @@ type BucketClaimAccess struct {
 	AccessSecretName string `json:"accessSecretName"`
 }
 
-// AccessedBucket identifies a Bucket and corresponding access parameters.
+// AccessedBucket identifies a Bucket and correlates it to a BucketClaimAccess from the spec.
 type AccessedBucket struct {
 	// bucketName is the name of a Bucket the access should have permissions for.
 	// +required
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:MaxLength=253
 	BucketName string `json:"bucketName"`
 
-	// accessMode is the Read/Write access mode that the access should have for the bucket.
+	// bucketClaimName must match a BucketClaimAccess's BucketClaimName from the spec.
 	// +required
-	AccessMode BucketAccessMode `json:"accessMode"`
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	BucketClaimName string `json:"bucketClaimName"`
 }
 
 // +kubebuilder:object:root=true

diff --git a/client/apis/objectstorage/v1alpha2/definitions.go b/client/apis/objectstorage/v1alpha2/definitions.go
@@ -16,12 +16,36 @@ limitations under the License.
 
 package v1alpha2
 
+// Finalizers
 const (
 	// ProtectionFinalizer is applied to a COSI resource object to protect it from deletion while
 	// COSI processes deletion of the object's intermediate and backend resources.
 	ProtectionFinalizer = `objectstorage.k8s.io/protection`
 )
 
+// Annotations
+const (
+	// HasBucketAccessReferencesAnnotation : This annotation is applied by the COSI Controller to a
+	// BucketClaim when a BucketAccess that references the BucketClaim is created. The annotation
+	// remains for as long as any BucketAccess references the BucketClaim. Once all BucketAccesses
+	// that reference the BucketClaim are deleted, the annotation is removed.
+	HasBucketAccessReferencesAnnotation = `objectstorage.k8s.io/has-bucketaccess-references`
+
+	// SidecarCleanupFinishedAnnotation : This annotation is applied by a COSI Sidecar to a managed
+	// BucketAccess when the resources is being deleted. The Sidecar calls the Driver to perform
+	// backend deletion actions and then hands off final deletion cleanup to the COSI Controller
+	// by setting this annotation on the resource.
+	SidecarCleanupFinishedAnnotation = `objectstorage.k8s.io/sidecar-cleanup-finished`
+
+	// ControllerManagementOverrideAnnotation : This annotation can be applied to a resource by the
+	// COSI Controller in order to reclaim management of the resource temporarily when it would
+	// otherwise be managed by a COSI Sidecar. This is intended for scenarios where a bug in
+	// provisioning needs to be rectified by a newer version of the COSI Controller. Once the bug is
+	// resolved, the annotation should be removed to allow normal Sidecar handoff to occur.
+	ControllerManagementOverrideAnnotation = `objectstorage.k8s.io/controller-management-override`
+)
+
+// Sidecar RPC definitions
 const (
 	// RpcEndpointDefault is the default RPC endpoint unix socket location.
 	RpcEndpointDefault = "unix:///var/lib/cosi/cosi.sock"

diff --git a/client/config/crd/objectstorage.k8s.io_bucketaccesses.yaml b/client/config/crd/objectstorage.k8s.io_bucketaccesses.yaml
@@ -142,16 +142,14 @@ spec:
                   with per-Bucket access options. This field is populated by the COSI Controller based on the
                   referenced BucketClaims in the spec.
                 items:
-                  description: AccessedBucket identifies a Bucket and corresponding
-                    access parameters.
+                  description: AccessedBucket identifies a Bucket and correlates it
+                    to a BucketClaimAccess from the spec.
                   properties:
-                    accessMode:
-                      description: accessMode is the Read/Write access mode that the
-                        access should have for the bucket.
-                      enum:
-                      - ReadWrite
-                      - ReadOnly
-                      - WriteOnly
+                    bucketClaimName:
+                      description: bucketClaimName must match a BucketClaimAccess's
+                        BucketClaimName from the spec.
+                      maxLength: 253
+                      minLength: 1
                       type: string
                     bucketName:
                       description: bucketName is the name of a Bucket the access should
@@ -160,7 +158,7 @@ spec:
                       minLength: 1
                       type: string
                   required:
-                  - accessMode
+                  - bucketClaimName
                   - bucketName
                   type: object
                 type: array