From 7fee4de41d5807a04dff1d908b02353aa0f0c83b Mon Sep 17 00:00:00 2001 From: Eric Tune Date: Thu, 28 May 2015 17:21:32 -0700 Subject: [PATCH] Explain that file-based pods cannot use secrets. --- docs/design/secrets.md | 6 +++++- docs/secrets.md | 6 ++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/docs/design/secrets.md b/docs/design/secrets.md index 5f8cb50184..cbf93ee2b8 100644 --- a/docs/design/secrets.md +++ b/docs/design/secrets.md @@ -1,4 +1,3 @@ -# Secret Distribution ## Abstract @@ -184,6 +183,11 @@ For now, we will not implement validations around these limits. Cluster operato much node storage is allocated to secrets. It will be the operator's responsibility to ensure that the allocated storage is sufficient for the workload scheduled onto a node. +For now, kubelets will only attach secrets to api-sourced pods, and not file- or http-sourced +ones. Doing so would: + - confuse the secrets admission controller in the case of mirror pods. + - create an apiserver-liveness dependency -- avoiding this dependency is a main reason to use non-api-source pods. + ### Use-Case: Kubelet read of secrets for node The use-case where the kubelet reads secrets has several additional requirements: diff --git a/docs/secrets.md b/docs/secrets.md index 019e9350f3..1c4d1377d0 100644 --- a/docs/secrets.md +++ b/docs/secrets.md 
@@ -73,6 +73,12 @@ of very large secrets which would exhaust apiserver and kubelet memory. However, creation of many smaller secrets could also exhaust memory. More comprehensive limits on memory usage due to secrets is a planned feature. +Kubelet only supports use of secrets for Pods it gets from the API server. +This includes any pods created using kubectl, or indirectly via a replication +controller. It does not include pods created via the kubelets +`--manifest-url` flag, its `--config` flag, or its REST API (these are +not common ways to create pods.) + ### Consuming Secret Values The program in a container is responsible for reading the secret(s) from the
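Review bot: the first hunk (`docs/design/secrets.md`, `@@ -1,4 +1,3 @@`) deletes the top-level `# Secret Distribution` heading, which is unrelated to the commit subject ("Explain that file-based pods cannot use secrets") and leaves the design document opening with `## Abstract` and no title. Either drop this hunk from the patch or mention the heading removal in the commit message so the change is not lost in an unrelated commit.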
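Review bot: the design-doc hunk (`docs/design/secrets.md`, `@@ -184,6 +183,11 @@`) uses "api-sourced pods" in its first sentence and "non-api-source pods" in its second bullet; pick one spelling. It also names only "file- or http-sourced" pods, while the user-facing hunk in `docs/secrets.md` lists three sources (`--manifest-url`, `--config`, and the kubelet REST API), so the REST-API case should be listed here too for consistency. In the second bullet, "a main reason to use non-api-source pods" would read better as "one of the main reasons to use non-api-sourced pods", and the bare `--` in that line should be a comma or a proper dash.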
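Review bot: the `docs/secrets.md` hunk (`@@ -73,6 +73,12 @@`) states that secrets are unsupported for pods from `--manifest-url`, `--config`, or the REST API, but does not say what a user will observe if such a pod references a secret (rejected, or the volume simply not mounted); a sentence on the observable behaviour would make the limitation actionable. Two smaller fixes in the same lines: "the kubelets `--manifest-url` flag" should be "the kubelet's `--manifest-url` flag", and in "(these are not common ways to create pods.)" the period belongs outside the closing parenthesis, i.e. "(these are not common ways to create pods)."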