KEP-3721: Support for env files. #5384
Conversation
HirazawaUi
commented
Jun 6, 2025
HirazawaUi
commented
- One-line PR description: Support for env files.
- Issue link: Add FileEnvSource and FileKeySelector to add environment generated on the fly #3721
- Other comments: This PR replaces KEP-3721: Support for env files. #4524. The previous PR had too many commits, so I didn’t cherry-pick them. I copied and pasted the changes, while also refining some parts that were missed or left pending in the earlier PR.
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
kind/kep
If there are additions from the previous PR, it might be clearer to split the commit into two (one for the initial copy-paste and another for the subsequent updates) so that the diffs are easier to review. EDIT: Sorry, please ignore this comment as it's been a while since the previous review. It's probably better to review everything from scratch. |
| additional ConfigMap or Secret API calls. | ||
|
|
||
| 2. The user is using a container offered by a vendor that requires configurating | ||
| environment variables (for eg, license key, one-time secret tokens). They can |
There was a problem hiding this comment.
I didn't notice the secret token here in scenarios. We need to ensure the security is covered and we will neither write those values in logs nor set them in the Pod status and such
There was a problem hiding this comment.
I would prefer to leave it out of the motivation section for now, unless we can offer a reliable way to help users protect their sensitive information.
We will still support this use case, but we will clearly state in the documentation that it is not secure and recommend that users avoid using it.
WDYT?
| emptyDir: {} | ||
| ``` | ||
|
|
||
| #### Story 2 |
There was a problem hiding this comment.
Please add User Story 3: Static Pods cannot use secrets as they cannot refer API server objects. However Pod spec is widely available in logs and audit messages. Using init container that copies environment variables from disk, allows to hide those environment variables.
There was a problem hiding this comment.
I'm not adding it as a user story for now, for the same reason mentioned in my previous comment, to avoid giving users misleading guidance.
ref: #5384 (comment)
If we believe this use case is important, I’ll update the KEP to include it later.
There was a problem hiding this comment.
If you're considering static pods, please add it as a beta requirement to make the final decision if you want to support it or not. If you know you're not planning to support static pods, please make it explicit adding to Non-Goals.
There was a problem hiding this comment.
Static pods are an important use case for this feature (though, due to security concerns, we don’t want to document this in the user story). I expect static pods to be supported in the alpha phase. Are there any obstacles to this?
There was a problem hiding this comment.
Are there any obstacles to this?
That's perfectly fine, I just want to make sure this is clearly stated in the document one way or the other.
| // successfully created. | ||
| Key string `json:"key" protobuf:"bytes,3,opt,name=key"` | ||
| // Specify whether the file or its key must be defined. If the file or key | ||
| // does not exist, then the env var is not published. |
There was a problem hiding this comment.
what is the behavior otherwise? If optional == false and key does not present? Fail the container creation forever in the crash loop?
There was a problem hiding this comment.
If optional is set to false, we require the user to define the variable in the env file; otherwise, the kubelet will return an error when generating the container configuration. As a result, the container will not be created, and the error will be returned before creation.
There was a problem hiding this comment.
If this is optional and the file is not present or the key is not found, do we define the variable in the pod, with value "" or do we not define it at all? Spec it clearly and simply :)
There was a problem hiding this comment.
Taking a quick glance at the code, I observed that if a corresponding key doesn't exist in the ConfigMap and optional is set to true, the code will skip processing this env using continue. The env won't be set for the Pod. We will adhere to this existing behavior.
|
|
||
| 3. **Duplicate Names**: If an environment variable is defined multiple times in the file, the last occurrence takes precedence and overrides any previous values. | ||
|
|
||
| 4. **Size Limit**: To start with, the maximum allowed size for the env file will be 64KiB. Limits for key-value length will be added as a part of implementation after additional investigation. |
There was a problem hiding this comment.
please define some limits for key and values for the alpha here. Just come up with some values, we can adjust later
There was a problem hiding this comment.
Added limits for key and values for the alpha.
There was a problem hiding this comment.
How these limits apply to currently existing env vars? Do we have any?
There was a problem hiding this comment.
In this KEP, I added restrictions on environment variables that only apply to the environment variables provided by this feature, without affecting the existing environment variable logic (such as those sourced from ConfigMap or Secret).
These restrictions are limited to the alpha phase. When this feature gate progresses to the beta phase, we will relax the environment variable restrictions to align with those sourced from ConfigMap or Secret.
There was a problem hiding this comment.
I had some misunderstanding about this comment earlier. I've now added alpha-phase limitations for both keys and values as requested in the comment.
ref: #5384 (comment)
| |7. The container's UID does not have permission to read the env file. | Pod created | Container fails to start and erorr message is reported in the events.| | ||
|
|
||
|
|
||
| ### Test Plan |
There was a problem hiding this comment.
| ### Test Plan | |
| ### Security Considerations | |
| These environment variables may be used to store secrets. However the emptyDir will not | |
| provide the same protection as Secrets Objects when mounted. This risk will be documented, | |
| but no built-in protection will be offered. | |
| ### Test Plan |
There was a problem hiding this comment.
@HirazawaUi if you have idea how to secure this file better - please speak up.
There was a problem hiding this comment.
I believe a better approach is to state in the documentation that the current best practice is to avoid defining secrets in env files, unless we have a clear mechanism that allows users to explicitly declare these variables as secrets and enables us to provide some level of protection for them.
HirazawaUi
force-pushed
the
kep-3721
branch
2 times, most recently
from
c2dcff1 to
5dfc934
Compare
| fileKeyRef: | ||
| path: config.env | ||
| volumeName: config | ||
| key: CONFIG_VAR |
There was a problem hiding this comment.
Should the name here should default to the env-var's name if not specified? I suspect it will often be the same. I see that we do NOT do this for other sources, so may be not?
There was a problem hiding this comment.
It seems that way, but I'm not sure if it's worth the effort for us to do this.
Taking a quick glance at the code, it doesn't appear we've implemented similar behavior for valueFrom before.
If we tell users here that they can omit defining fileKeyRef.key, and we'll use the environment variable name they defined instead, I'm concerned it might introduce unnecessary cognitive overhead.
There was a problem hiding this comment.
I feel like it's a reasonable default but I won't make you be the pioneer.
| // successfully created. | ||
| Key string `json:"key" protobuf:"bytes,3,opt,name=key"` | ||
| // Specify whether the file or its key must be defined. If the file or key | ||
| // does not exist, then the env var is not published. |
There was a problem hiding this comment.
If this is optional and the file is not present or the key is not found, do we define the variable in the pod, with value "" or do we not define it at all? Spec it clearly and simply :)
|
@thockin All comments have been addressed. |
|
/approve for API - @SergeyKanzhelev are you owning it for node? |
k8s-ci-robot
added
the
lgtm
|
/cc @jpbetz For approval. |
| spec: | ||
| initContainers: | ||
| - name: setup-envfile | ||
| image: registry.k8s.io/busybox |
There was a problem hiding this comment.
note that this image is unpatched ...
There was a problem hiding this comment.
This isn't a strict example. I'm not sure what our requirements are for this. If a strict example is needed, I can replace it.
|
Done |
| ... | ||
| ``` | ||
|
|
||
| 2. **Variable Naming**: We will apply the same variable name [restrictions](https://github.com/kubernetes/kubernetes/blob/a7ca13ea29ba5b3c91fd293cdbaec8fb5b30cee2/pkg/apis/core/validation/validation.go#L2583-L2596) as other API-defined env vars, In the alpha phase, environment variable keys are restricted to ASCII characters matching the pattern `[-._a-zA-Z][-._a-zA-Z0-9]*`. This restriction will be relaxed in the beta phase. |
There was a problem hiding this comment.
I don't think that's completely correct, the relaxed env validation is related with the work happening in #4369. The fact that it's progressing to GA in 1.34 is orthogonal to this particular feature. So I'm not sure what kind of relaxed validation you're proposing here at beta?
There was a problem hiding this comment.
We will enforce strict environment variable name validation (the original restrictions) during the alpha phase.
During the beta phase, we will apply the relaxed environment variable name validation enabled by the RelaxedEnvironmentVariableValidation feature gate.
There was a problem hiding this comment.
RelaxedEnvironmentVariableValidation seemed was graduated. So we can start with less restricted version from the beginning. This will minimize changes between graduations
There was a problem hiding this comment.
Ah, understood. Upon closer review, I realized I misinterpreted the intent of comment #5384 (comment).
I incorrectly assumed that character restrictions for environment variable names/values were required during alpha. I've now reverted those changes.
I've implemented size limitations (not character rules) for environment variables specifically for the alpha phase.
|
|
||
| 2. **Variable Value**: Similarly, in the alpha phase, environment variable values are also limited to ASCII characters within the [-._a-zA-Z][-._a-zA-Z0-9]* range to prevent injection attacks caused by passing command control characters through environment variables. This restriction will also be lifted in the beta phase. | ||
|
|
||
| 3. **Duplicate Names**: If an environment variable is defined multiple times in the file, the last occurrence takes precedence and overrides any previous values. |
There was a problem hiding this comment.
👍 I've also checked our validation and I don't see a place where we verify duplicated env vars, it's semi-related to your proposal, but should we have one? What happens if I define the same env vars multiple times in pod spec, once it's from configmap, other from this file? Or am I missing something?
There was a problem hiding this comment.
In-file duplicates:
- If multiple environment variables with the same name are defined within a file, the later occurrence overrides the earlier one(s).
- We cannot add validation logic for duplicates within ConfigMaps/Secrets/files because our validation logic has no access to the actual environment variable data stored inside these objects.
duplicates in Pod.Spec:
- If a user defines duplicate environment variable keys in the Pod.Spec (e.g., one sourced from a ConfigMap and another from a file), the variable defined later in the list will override the one defined earlier. This occurs because the kubelet iterates over container.Env sequentially and assigns values in that order.
- I wouldn't mind adding validation logic to detect duplicate environment variable definitions in the Pod.Spec. However, this could potentially break existing workloads that unintentionally rely on this behavior. Perhaps we should instead emit a warning to notify users that if they define duplicates this way, later-defined environment variables will override earlier ones.
There was a problem hiding this comment.
- Perhaps we should instead emit a warning to notify users that if they define duplicates this way, later-defined environment variables will override earlier ones.
That could be potentially useful. And thank you for clarifying the order of env var loading.
|
|
||
| 3. **Duplicate Names**: If an environment variable is defined multiple times in the file, the last occurrence takes precedence and overrides any previous values. | ||
|
|
||
| 4. **Size Limit**: To start with, the maximum allowed size for the env file will be 64KiB. Limits for key-value length will be added as a part of implementation after additional investigation. |
There was a problem hiding this comment.
How these limits apply to currently existing env vars? Do we have any?
| emptyDir: {} | ||
| ``` | ||
|
|
||
| #### Story 2 |
There was a problem hiding this comment.
If you're considering static pods, please add it as a beta requirement to make the final decision if you want to support it or not. If you know you're not planning to support static pods, please make it explicit adding to Non-Goals.
k8s-ci-robot
removed
the
lgtm
|
@soltysh Thank you so much for your review. I've addressed/resolved all the comments. Could you please take another look? |
| emptyDir: {} | ||
| ``` | ||
|
|
||
| #### Story 2 |
There was a problem hiding this comment.
Are there any obstacles to this?
That's perfectly fine, I just want to make sure this is clearly stated in the document one way or the other.
|
|
||
| 2. **Variable Value**: Similarly, in the alpha phase, environment variable values are also limited to ASCII characters within the [-._a-zA-Z][-._a-zA-Z0-9]* range to prevent injection attacks caused by passing command control characters through environment variables. This restriction will also be lifted in the beta phase. | ||
|
|
||
| 3. **Duplicate Names**: If an environment variable is defined multiple times in the file, the last occurrence takes precedence and overrides any previous values. |
There was a problem hiding this comment.
- Perhaps we should instead emit a warning to notify users that if they define duplicates this way, later-defined environment variables will override earlier ones.
That could be potentially useful. And thank you for clarifying the order of env var loading.
|
|
||
| ###### Will enabling / using this feature result in increasing size or count of the existing API objects? | ||
|
|
||
| We have added the `fileKeyRef` data structure to `podSpec`, which will undoubtedly increase the size of the Pod API. The increase in size depends on the number of environment variables defined by the user, making it impossible to estimate the exact number of bytes added. However, this should not have a significant impact on the API. For many users, it merely involves migrating environment variables previously defined in `ConfigMap/Secret` to this new structure. |
There was a problem hiding this comment.
I'll let this go for alpha, but for beta this will need a proper estimation, like all the other features.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: HirazawaUi, mrunalp, SergeyKanzhelev, soltysh, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
This was previously tagged by Sergey and Mrunal, so /label tide/merge-method-squash |
k8s-ci-robot
added
the
tide/merge-method-squash
k8s-ci-robot
added
the
lgtm
