Mark "Immutable Secrets/ConfigMaps" KEP implementable #1397
/hold
4f471bf to 20553b9
introducing a deadlock if Finalizers are set) or to allow rotating | ||
certificates used for encryption at rest. We will only reject requests | ||
that are explicitly changing keys and/or values stored in Secrets and/or | ||
ConfigMaps. |
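Review bot: "explicitly changing keys and/or values stored in Secrets and/or ConfigMaps" does not name the fields the validation will compare, so the rule cannot be checked against an implementation; list the data fields that are compared and state outright that metadata-only updates (labels, annotations, finalizers) remain allowed, which the Finalizers deadlock remark above already implies.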
@derekwaynecarr - I rephrased this paragraph to make explicit what we discussed yesterday during the SIG.
PTAL
thanks for clarification.
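The paragraph under review above says that once a Secret or ConfigMap is marked immutable, only requests that change its stored keys or values are rejected, while metadata-only updates (labels, finalizers, and so on) still go through. The following Go snippet is an added illustration of that rule and is not code from the kubernetes/enhancements or kubernetes/kubernetes repositories; the `Secret` struct is a constructed stand-in that models only the fields the check needs, and the `ValidateImmutableUpdate` name is an assumption. Whether `Immutable` may later be cleared again is not covered by the reviewed paragraph, so the example does not decide it.

```go
package main

import (
	"bytes"
	"fmt"
)

// Secret is a constructed stand-in for the Kubernetes Secret object.
// Assumption: only the fields relevant to the immutability check are modelled;
// Data stands for the key/value payload, the other fields are metadata.
type Secret struct {
	Name       string
	Labels     map[string]string
	Finalizers []string
	Data       map[string][]byte
	Immutable  bool
}

// ValidateImmutableUpdate applies the rule from the reviewed KEP paragraph:
// when the stored object is immutable, reject an update only if it changes
// the keys or values in Data. Metadata-only updates are left alone, so
// finalizers can still be removed and the object can still be deleted.
// (Hypothetical name; this is not the validation code in kube-apiserver.)
func ValidateImmutableUpdate(old, updated *Secret) error {
	if !old.Immutable {
		// A mutable object accepts any update.
		return nil
	}
	if !dataEqual(old.Data, updated.Data) {
		return fmt.Errorf("secret %q is immutable: keys and values cannot be changed", old.Name)
	}
	return nil
}

// dataEqual reports whether two payload maps hold the same keys and byte values.
func dataEqual(a, b map[string][]byte) bool {
	if len(a) != len(b) {
		return false
	}
	for k, va := range a {
		vb, ok := b[k]
		if !ok || !bytes.Equal(va, vb) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample objects: one stored immutable Secret and three update attempts.
	stored := &Secret{Name: "db-creds", Immutable: true,
		Data: map[string][]byte{"password": []byte("s3cr3t")}}

	metadataOnly := &Secret{Name: "db-creds", Immutable: true,
		Labels: map[string]string{"team": "payments"},
		Data:   map[string][]byte{"password": []byte("s3cr3t")}}

	valueChanged := &Secret{Name: "db-creds", Immutable: true,
		Data: map[string][]byte{"password": []byte("rotated")}}

	keyAdded := &Secret{Name: "db-creds", Immutable: true,
		Data: map[string][]byte{"password": []byte("s3cr3t"), "username": []byte("app")}}

	for _, u := range []*Secret{metadataOnly, valueChanged, keyAdded} {
		if err := ValidateImmutableUpdate(stored, u); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("allowed: metadata-only change")
		}
	}
}
```

Only the first of the three attempts in `main` is allowed: the label change leaves `Data` intact, whereas the rotated value and the added key both alter the stored keys or values and are rejected.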
/hold cancel
/assign @derekwaynecarr - since I would also like you to take a look
that are explicitly changing keys and/or values stored in Secrets and/or | ||
ConfigMaps. | ||
|
||
Based on the value of `Immutable` field Kubelet will or will not: | ||
- start a watch (or periodic polling) of a given Secret/ConfigMap | ||
- perform updates of files mounted to a Pod based on updates of |
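Review bot: "Kubelet will or will not" states that the behaviour depends on `Immutable` without saying in which direction; phrase it positively, e.g. "When `Immutable` is true, the kubelet does not start a watch (or periodic polling) of the Secret/ConfigMap and does not update the files already mounted into the Pod", so readers do not have to infer which value disables the watch.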
I might be wrong, but isn't the volume remount triggered by a pod update, not a volume update? Will a volume (secret) update trigger a pod update?
https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/volumemanager/cache/actual_state_of_world.go#L69
Yes - we do update them periodically:
https://github.com/kubernetes/kubernetes/blob/cfdfd043a086eba12a673faf7a7dee89d28c82e3/pkg/volume/secret/secret.go#L85
Secret volume (and configmap volume) is mounted read-only in the container, so users cannot update the volume contents.
The fact that the markremount function is in asw is wrong and it should be refactored eventually to dsw: kubernetes/kubernetes#77758
Adding "hold", because I would like to get feedback from both Saad and Derek (at least) before merging.
/approve thanks for clarification from SIG meeting. will let Saad remove the hold.
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: derekwaynecarr, saad-ali, wojtek-t. The full list of commands accepted by this bot can be found here. The pull request process is described here.
/hold cancel
Also fill out:
Ref #1412
/assign @saad-ali
/cc @yujuhong @lavalamp @msau42 @thockin @derekwaynecarr @kubernetes/sig-storage-feature-requests