Documentation for "Immutable Secrets/ConfigMaps" feature #19297
Conversation
k8s-ci-robot
added
cncf-cla: yes
wojtek-t
force-pushed
the
immutable_secrets_docs
branch
from
ddb7248
to
7232727
Compare
k8s-ci-robot
added
size/S
|
Deploy preview for kubernetes-io-vnext-staging failed. Built with commit ddb7248 https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/5e54d3903bf8960009a34189 |
|
Deploy preview for kubernetes-io-vnext-staging processing. Building with commit 68c52ff https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/5e6a445744df3600093e5d5b |
| {{< feature-state for_k8s_version="v1.18" state="alpha" >}} | ||
|
|
||
| For clusters that are extensively using secrets (having at least tens of thousands of unique | ||
| secret to pod mounts), we designed the `Immutable Secrets/ConfigMaps` feature. It allows you |
There was a problem hiding this comment.
Immutable Secrets/ConfigMaps
For highlighting, I'd use:
| secret to pod mounts), we designed the `Immutable Secrets/ConfigMaps` feature. It allows you | |
| Secret to Pod mounts), Kubernetes has an _Immutable Secrets & ConfigMaps_ feature. It allows you |
k8s-ci-robot
added
the
sig/apps
This isn't sig apps - it's sig/storage with combination of sig/node |
|
/sig node |
k8s-ci-robot
added
sig/node
|
/assign @saad-ali |
wojtek-t
force-pushed
the
immutable_secrets_docs
branch
2 times, most recently
from
834d2ad
to
1c22124
Compare
|
|
||
| To use it, you need to enable `ImmutableEmphemeralVolumes` | ||
| [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) and then | ||
| mark your Secret/ConfigMap by setting it `Immutable` field to true, e.g.: |
There was a problem hiding this comment.
nits:
| mark your Secret/ConfigMap by setting it `Immutable` field to true, e.g.: | |
| mark your Secret/ConfigMap by setting its `Immutable` field to true; for example: |
| ``` | ||
|
|
||
| Once marked as immutable, it is NOT possible to revert this change nor to mutate the contents | ||
| of data field. You can only delete and recreate the secrete, but that will not be picked by |
There was a problem hiding this comment.
nit:
| of data field. You can only delete and recreate the secrete, but that will not be picked by | |
| of data field. You can only delete and recreate the Secret, but that will not be picked by |
Also, I'd put this in a {{< note >}} or {{< caution >}} block to highlight the gotcha about Pod replacement.
wojtek-t
force-pushed
the
immutable_secrets_docs
branch
from
1c22124
to
4495e3e
Compare
|
👋 Please rebase this PR on Feel free to /hold |
k8s-ci-robot
added
the
do-not-merge/hold
There was a problem hiding this comment.
@wojtek-t remember also update https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/
I've spotted a few other details that I recommend addressing.
| For clusters that are extensively using secrets (having at least tens of thousands of unique | ||
| Secret to Pod mounts), Kubernetes has an _Immutable Secrets/ConfigMaps_ feature. It allows you | ||
| to mark individual Secrets/ConfigMaps as `Immutable`, which blocks any changes to their data | ||
| and in return: |
There was a problem hiding this comment.
Can I use an immutable Secret if I only have a few hundred Secrets in my cluster?
There was a problem hiding this comment.
Yes - but I don't see where the text suggests you can't.
There was a problem hiding this comment.
For clusters that are extensively using secrets (having at least tens of thousands of unique Secret to Pod mounts), Kubernetes has an Immutable Secrets/ConfigMaps feature.
This could read like a requirement.
There was a problem hiding this comment.
What do you suggest? [I don't read it as a requirement]
|
|
||
| To use it, you need to enable `ImmutableEmphemeralVolumes` | ||
| [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) and then | ||
| mark your Secret/ConfigMap by setting its `Immutable` field to true, e.g.: |
There was a problem hiding this comment.
nit:
| mark your Secret/ConfigMap by setting its `Immutable` field to true, e.g.: | |
| mark your Secret or ConfigMap, by setting its `immutable` field to `true`; | |
| for example: |
k8s-ci-robot
added
the
lgtm
|
@kbhawkey - can you please take another pass (since we already have a technical lgtm now). |
|
👀 |
| @@ -105,6 +105,7 @@ different Kubernetes components. | |||
| | `HPAScaleToZero` | `false` | Alpha | 1.16 | | | |||
| | `HugePageStorageMediumSize` | `false` | Alpha | 1.18 | | | |||
| | `HyperVContainer` | `false` | Alpha | 1.10 | | | |||
| | `ImmutableEphemeralVolumes` | `false` | Alpha | 1.18 | | | |||
There was a problem hiding this comment.
@wojtek-t , If time, you probably want to add a brief description about this feature.
See the feature-gates section on this page, https://deploy-preview-19297--kubernetes-io-vnext-staging.netlify.com/docs/reference/command-line-tools-reference/feature-gates/#feature-gates
| @@ -676,6 +676,35 @@ A container using a Secret as a | |||
| Secret updates. | |||
| {{< /note >}} | |||
|
|
|||
| {{< feature-state for_k8s_version="v1.18" state="alpha" >}} | |||
There was a problem hiding this comment.
@wojtek-t , Here are some suggestions.
Could you create a sub-heading to introduce this section?
Right now this content is under Using Secrets and mounted-secrets-are-updated-automatically.
Not sure if this makes sense?
#### Immutable Secrets and ConfigMaps
Possible edit to introduce feature:
The Kubernetes alpha feature Immutable Secrets and ConfigMaps provides an option to set individual Secrets and ConfigMaps as immutable. For clusters that extensively use Secrets (at least tens of thousands of unique Secret to Pod mounts), preventing changes to this data has the following advantages:
There was a problem hiding this comment.
I actually think that having it exactly in this section (mounted-secrets-are-updated-automatically) is exactly where it should be, because those secrets immutable secrets are the ones that won't be updated.
That said, I like the suggestion you have to introduce the feature - changing.
| and in return: | ||
| - protects you from accidental (or unwanted) updates that could cause applications outages | ||
| - improves performance of your cluster by significantly reducing load on kube-apiserver, by | ||
| closing watches for secrets marked as immutable. |
There was a problem hiding this comment.
nit, Line 686, closing watches?
- improves performance of your cluster by significantly reducing load on the kube-apiserver and closing watches for secrets marked as immutable.
There was a problem hiding this comment.
I think that "by" is better - because the performance is improved by the fact that we're closing those watches.
| - improves performance of your cluster by significantly reducing load on kube-apiserver, by | ||
| closing watches for secrets marked as immutable. | ||
|
|
||
| To use it, you need to enable `ImmutableEmphemeralVolumes` |
There was a problem hiding this comment.
Possible edit, something like:
To use this feature, enable the ImmutableEmphemeralVolumes feature gate
and set your Secret or ConfigMap immutable field to true. For example:
|
|
||
| {{< note >}} | ||
| Once marked as immutable, it is NOT possible to revert this change nor to mutate the contents | ||
| of data field. You can only delete and recreate the Secret, but that will not be picked by |
There was a problem hiding this comment.
Possible edit, pick and choose what makes sense:
Once a Secret is marked as immutable, it is not possible to revert this change nor to mutate the contents of the data field. You can only delete and recreate the Secret. Existing Pods maintain a mount point to the deleted Secret. It is recommended to recreate these Pods.
wojtek-t
force-pushed
the
immutable_secrets_docs
branch
from
b47e2a3
to
0b370eb
Compare
k8s-ci-robot
removed
the
lgtm
| @@ -676,6 +676,35 @@ A container using a Secret as a | |||
| Secret updates. | |||
| {{< /note >}} | |||
|
|
|||
| {{< feature-state for_k8s_version="v1.18" state="alpha" >}} | |||
There was a problem hiding this comment.
I actually think that having it exactly in this section (mounted-secrets-are-updated-automatically) is exactly where it should be, because those secrets immutable secrets are the ones that won't be updated.
That said, I like the suggestion you have to introduce the feature - changing.
| - improves performance of your cluster by significantly reducing load on kube-apiserver, by | ||
| closing watches for secrets marked as immutable. | ||
|
|
||
| To use it, you need to enable `ImmutableEmphemeralVolumes` |
| and in return: | ||
| - protects you from accidental (or unwanted) updates that could cause applications outages | ||
| - improves performance of your cluster by significantly reducing load on kube-apiserver, by | ||
| closing watches for secrets marked as immutable. |
There was a problem hiding this comment.
I think that "by" is better - because the performance is improved by the fact that we're closing those watches.
|
|
||
| {{< note >}} | ||
| Once marked as immutable, it is NOT possible to revert this change nor to mutate the contents | ||
| of data field. You can only delete and recreate the Secret, but that will not be picked by |
| @@ -105,6 +105,7 @@ different Kubernetes components. | |||
| | `HPAScaleToZero` | `false` | Alpha | 1.16 | | | |||
| | `HugePageStorageMediumSize` | `false` | Alpha | 1.18 | | | |||
| | `HyperVContainer` | `false` | Alpha | 1.10 | | | |||
| | `ImmutableEphemeralVolumes` | `false` | Alpha | 1.18 | | | |||
| individual Secrets and ConfigMaps as immutable. For clusters that extensively use Secrets | ||
| (at least tens of thousands of unique Secret to Pod mounts), preventing changes to their | ||
| data has the following advantages: | ||
| - protects you from accidental (or unwanted) updates that could cause applications outages |
There was a problem hiding this comment.
@wojtek-t , Changes look good. One issue:
Add a newline at line 685 before the first list item (the list is not rendering)
Thanks!
wojtek-t
force-pushed
the
immutable_secrets_docs
branch
from
0b370eb
to
68c52ff
Compare
|
@kbhawkey - done (hopefully will work this time) |
|
/lgtm @VineethReddy02 , Is the |
k8s-ci-robot
added
the
lgtm
|
@kbhawkey yes! If the technical reviews are done, we can merge this into dev-1.18 |
|
👍 |
|
@kbhawkey - can you approve it then? |
|
@wojtek-t , I assume from the changes that you have rebased this pull request a number of times (there was a mixup with the dev-1.18 branch early in the release). If so, @VineethReddy02, I am happy to approve this pull request or if you agree, you can as well. |
Yeah - I think it's ready. I would feel better if you could approve it. |
|
Based on #19297 (comment) and #19297 (comment) |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: saad-ali, sftim The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
Thanks! |
Ref kubernetes/enhancements#1412
/assign @cheftako