Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mark "Immutable Secrets/ConfigMaps" KEP implementable #1397

Merged
merged 1 commit into from Dec 17, 2019
Merged

Mark "Immutable Secrets/ConfigMaps" KEP implementable #1397

merged 1 commit into from Dec 17, 2019

Conversation

wojtek-t
Copy link
Member

@wojtek-t wojtek-t commented Dec 7, 2019
edited

Also fill out:

  • test plan
  • graduation criteria
  • version skew strategy

Ref #1412

/assign @saad-ali

/cc @yujuhong @lavalamp @msau42 @thockin @derekwaynecarr @kubernetes/sig-storage-feature-requests

@k8s-ci-robot k8s-ci-robot added sig/storage Categorizes an issue or PR as relevant to SIG Storage. kind/feature Categorizes issue or PR as related to a new feature. labels Dec 7, 2019
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Dec 7, 2019
@wojtek-t wojtek-t mentioned this pull request Dec 10, 2019
Merged
@wojtek-t
Copy link
Member Author

/hold
To address @derekwaynecarr comment from the original PR: #1369 (comment) first

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 10, 2019
@wojtek-t wojtek-t force-pushed the immutable_secrets_implementable branch from 4f471bf to 20553b9 Compare December 11, 2019 08:01
wojtek-t
wojtek-t commented Dec 11, 2019
View reviewed changes
keps/sig-storage/20191117-immutable-secrets-configmaps.md
introducing a deadlock if Finalizers are set) or to allow rotating
certificates used for encryption at rest. We will only reject requests
that are explicitly changing keys and/or values stored in Secrets and/or
ConfigMaps.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@derekwaynecarr - I rephrased this paragraph to make it explicit what we discussed yesterday during the SIG.
PTAL

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for clarification.

@wojtek-t
Copy link
Member Author

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 11, 2019
@wojtek-t
Copy link
Member Author

/assign @derekwaynecarr - since I would also like you to take a look

jingxu97
jingxu97 reviewed Dec 12, 2019
View reviewed changes
keps/sig-storage/20191117-immutable-secrets-configmaps.md
that are explicitly changing keys and/or values stored in Secrets and/or
ConfigMaps.

Based on the value of `Immutable` field Kubelet will or will not:
- start a watch (or periodic polling) of a given Secret/ConfigMap
- perform updates of files mounted to a Pod based on updates of
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I might be wrong, but is volume remount is triggered by pod update, not volume update? Does volume (secret) update will trigger pod update?
https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/volumemanager/cache/actual_state_of_world.go#L69

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes - we do update them periodically:
https://github.com/kubernetes/kubernetes/blob/cfdfd043a086eba12a673faf7a7dee89d28c82e3/pkg/volume/secret/secret.go#L85

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Secret volume (and configmap volume) is mounted read-only in the container, so users cannot update the volume contents.

The fact that the markremount function is in asw is wrong and it should be refactored eventually to dsw: kubernetes/kubernetes#77758

@wojtek-t
Copy link
Member Author

Adding "hold", because i would like to get feedback from both Saad and Derek (at least) before merging.
/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 13, 2019
@derekwaynecarr
Copy link
Member

/approve
/lgtm

thanks for clarification from SIG meeting.

will let Saad remove the hold.

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Dec 13, 2019
saad-ali
saad-ali approved these changes Dec 17, 2019
View reviewed changes
Copy link
Member

@saad-ali saad-ali left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: derekwaynecarr, saad-ali, wojtek-t

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@wojtek-t
Copy link
Member Author

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 17, 2019
@k8s-ci-robot k8s-ci-robot merged commit 377276d into kubernetes:master Dec 17, 2019
@k8s-ci-robot k8s-ci-robot added this to the v1.18 milestone Dec 17, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jingxu97 jingxu97 jingxu97 left review comments

@saad-ali saad-ali saad-ali approved these changes

@derekwaynecarr derekwaynecarr Awaiting requested review from derekwaynecarr

@lavalamp lavalamp Awaiting requested review from lavalamp

@msau42 msau42 Awaiting requested review from msau42

@thockin thockin Awaiting requested review from thockin

@yujuhong yujuhong Awaiting requested review from yujuhong

Assignees

@derekwaynecarr derekwaynecarr

@saad-ali saad-ali

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/storage Categorizes an issue or PR as relevant to SIG Storage. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
v1.18
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@wojtek-t @derekwaynecarr @k8s-ci-robot @saad-ali @jingxu97 @msau42