Quote grep patterns in docs/rotate-secrets.md #10656
This should work more reliably independent of shell config.
Wow, thought I would validate the instructions there...and BOOM thought I had destroyed my whole cluster. Not an awesome experience. When in doubt, add moar

Hey @keithlayne. Any conclusion? I see the PR is still set as draft.
Yeah, sorry. Got distracted. I think this tiny change is potentially valuable since the carets in the grep lines made my shell unhappy. Let me try to give some feedback on my experience after that.

```shell
# Delete all service account tokens in all namespaces
NS=`kubectl get namespaces -o 'jsonpath={.items[*].metadata.name}'`
for i in ${NS}
do
  kubectl get secrets --namespace=${i} --no-headers \
    | grep "kubernetes.io/service-account-token" \
    | awk '{print $1}' \
    | xargs -I {} kubectl delete secret --namespace=$i {}
done

# Allow for new secrets to be created
sleep 60

# Bounce all pods to make use of the new service tokens
pkill -f kube-controller-manager
kubectl delete pods --all --all-namespaces
```

It's really a simple one-liner, but much easier (for me) to see exactly what's going on when I don't have to scroll. As far as execution goes, that block is where it all went bad for me:
Then I had a rough time from there. I tried a whole bunch of manual interventions but my cluster was down for hours until I sucked it up and did another

I don't know how much of any of this experience is peculiar to me, and it's not something I'm excited to try again real soon.

@hakman If this is TMI, lemme know, I'll just leave this PR tiny. Otherwise if you could respond to my feedback and let me know what you would like to incorporate in this PR I'd appreciate it, and we can go from there.
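An added example, not part of the comment above or of the kops docs: one way to run the token-deletion step without grep or awk, with a preview before anything is deleted. The function names and the preview/apply mode are hypothetical, and it assumes kubectl's server-side field selector on the secret `type`.

```shell
#!/usr/bin/env bash
# Added example: select service-account token secrets by exact type on the
# server side, so no shell-sensitive pattern (caret, dot, glob) reaches grep.

SA_TOKEN_TYPE='kubernetes.io/service-account-token'

# Print one "namespace name" pair per line for every service-account token.
list_sa_tokens() {
  kubectl get secrets --all-namespaces \
    --field-selector "type=${SA_TOKEN_TYPE}" \
    -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{"\n"}{end}'
}

# Read "namespace name" pairs on stdin. The default mode, "preview", only
# prints the commands it would run; pass "apply" to actually delete.
delete_sa_tokens() {
  dst_mode="${1:-preview}"
  dst_count=0
  while read -r dst_ns dst_name; do
    # Skip blank or malformed lines instead of deleting something unintended.
    [ -n "$dst_ns" ] && [ -n "$dst_name" ] || continue
    if [ "$dst_mode" = "apply" ]; then
      # </dev/null keeps kubectl from consuming the rest of the list.
      kubectl delete secret --namespace="$dst_ns" "$dst_name" </dev/null || return 1
    else
      printf 'would run: kubectl delete secret --namespace=%s %s\n' "$dst_ns" "$dst_name"
    fi
    dst_count=$((dst_count + 1))
  done
  printf '%s token(s) processed in %s mode\n' "$dst_count" "$dst_mode" >&2
}

# Usage: preview first, then apply once the list looks right.
#   list_sa_tokens | delete_sa_tokens
#   list_sa_tokens | delete_sa_tokens apply
```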
I experienced many of the same issues that @keithlayne describes above. Including having to run the rolling-update a second time because after the first none of the worker nodes even showed up in my cluster. Also depending on the version of
@keithlayne I believe this PR is good as-is, but first you would need to take it out of draft state.

@johngmyers Was hoping the other items in this comment might get more feedback and be addressed. But I will mark it ready.

@keithlayne we are working on more direct support for rotating keys, targeting kops 1.22. #10516 and #11252 are early attempts. So this particular document might not be relevant for much longer.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: johngmyers