Add secret protection #101131
@mkimuram: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This initial implementation works for the three cases below:
We might need to discuss further what other cases should be covered in an issue/KEP first. However, I'm sharing this working code to make discussion easier. [Unused case]
[Used by pod case]
[Used by CSI PV case]
|
It is interesting to see |
cc5b1c3 to e73b39d
/remove-sig api-machinery |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: mkimuram The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
If I have an immutable Secret and need to rotate this secret (e.g. because it has leaked), I think that it's important that I can force removal even if the Secret is in use. |
ee00baa to bb6854f
@mkimuram: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
I think this deserves a KEP, with all use cases outlined and discussed on higher level than code. |
/remove-sig api-machinery |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
/remove-lifecycle rotten
This feature won't be implemented in-tree, but will be implemented as an external controller. However, keeping this open to mark that I'm still working on it. |
@mkimuram: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
Is this PR still needed, please rebase if so (or we can close it?) |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close |
@k8s-triage-robot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What type of PR is this?
This PR adds secret-protection to protect a secret from deletion while it is in use.
/kind feature
What this PR does / why we need it:
In the current k8s implementation, a secret can be deleted while it is still used by other resources.
This causes issues such as a volume failing to be deleted because the secret needed to delete the volume was deleted before the volume deletion.
Which issue(s) this PR fixes:
Fixes #101130
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
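
The three cases named in this PR (unused, used by a Pod, used by a CSI PV) come down to a reference scan before deletion. The sketch below is an added example, not code from this PR: it walks the Pod and PersistentVolume fields that can name a Secret and lists what still uses it. The function names and the sample manifests are constructed for illustration.

```python
# Added example: find what still references a Secret before deleting it.
# Function names and manifests are constructed here, not taken from the PR.

# PersistentVolume spec.csi fields that hold a Secret reference {namespace, name}.
CSI_SECRET_REFS = ("controllerPublishSecretRef", "nodeStageSecretRef",
                   "nodePublishSecretRef", "controllerExpandSecretRef")

def pod_secret_names(pod):
    """Names of Secrets a Pod references (always in the Pod's own namespace)."""
    spec = pod.get("spec", {})
    names = {v["secret"]["secretName"] for v in spec.get("volumes", []) if "secret" in v}
    names |= {r["name"] for r in spec.get("imagePullSecrets", [])}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                names.add(ref["name"])
        names |= {s["secretRef"]["name"] for s in c.get("envFrom", []) if "secretRef" in s}
    return names

def secret_users(namespace, name, pods, pvs):
    """Return sorted 'Kind/name' strings for objects still using namespace/name."""
    users = []
    for pod in pods:
        meta = pod["metadata"]
        if meta.get("namespace", "default") == namespace and name in pod_secret_names(pod):
            users.append("Pod/" + meta["name"])
    for pv in pvs:  # PVs are cluster-scoped, so the reference carries its own namespace
        csi = pv.get("spec", {}).get("csi", {})
        for field in CSI_SECRET_REFS:
            ref = csi.get(field)
            if ref and ref.get("namespace") == namespace and ref.get("name") == name:
                users.append("PersistentVolume/" + pv["metadata"]["name"])
                break
    return sorted(users)

# Constructed sample objects covering the three cases.
PODS = [{"metadata": {"namespace": "app", "name": "web"},
         "spec": {"containers": [{"name": "c", "envFrom": [{"secretRef": {"name": "db-creds"}}]}]}}]
PVS = [{"metadata": {"name": "pv-1"},
        "spec": {"csi": {"driver": "example.csi.driver",
                         "controllerExpandSecretRef": {"namespace": "storage", "name": "csi-creds"}}}}]

if __name__ == "__main__":
    for ns, n in [("app", "unused"), ("app", "db-creds"), ("storage", "csi-creds")]:
        print(ns, n, secret_users(ns, n, PODS, PVS) or "safe to delete")
```

A controller enforcing this would block deletion while the returned list is non-empty; the forced-removal need raised in the review (rotating a leaked Secret) is a separate override path that this scan does not model.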