Revise wording for Secret concept #27716
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
sig/storage
k8s-ci-robot
added
sig/docs
|
✔️ Deploy Preview for kubernetes-io-main-staging ready! 🔨 Explore the source changes: 7a8389c 🔍 Inspect the deploy log: https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/60fb6bcaac11490008f24e2c 😎 Browse the preview: https://deploy-preview-27716--kubernetes-io-main-staging.netlify.app |
| @@ -31,7 +35,10 @@ access, or anyone with access to Kubernetes' underlying data store, etcd. In | |||
| order to safely use Secrets, it is recommended you (at a minimum): | |||
|
|
|||
| 1. [Enable Encryption at Rest](/docs/tasks/administer-cluster/encrypt-data/) for Secrets. | |||
| 2. [Enable or configure RBAC rules](/docs/reference/access-authn-authz/authorization/) that restrict reading and writing the Secret. Be aware that secrets can be obtained implicitly by anyone with the permission to create a Pod. | |||
| 2. [Enable or configure RBAC rules](/docs/reference/access-authn-authz/authorization/) that | |||
| restrict reading and writing the Secret. Be aware that secrets can be obtained | |||
There was a problem hiding this comment.
restrict reading from and writing to the Secret.
| 2. [Enable or configure RBAC rules](/docs/reference/access-authn-authz/authorization/) that restrict reading and writing the Secret. Be aware that secrets can be obtained implicitly by anyone with the permission to create a Pod. | ||
| 2. [Enable or configure RBAC rules](/docs/reference/access-authn-authz/authorization/) that | ||
| restrict reading and writing the Secret. Be aware that secrets can be obtained | ||
| implicitly by anyone with the permission to create a Pod. |
There was a problem hiding this comment.
- Be aware that Secrets can be obtained.... (capitalize S)
- What does "can be obtained implicitly" mean? Maybe reword to "Be aware that anyone with the permission to create a pod can retrieve Secrets."?
| @@ -47,6 +54,10 @@ A Secret can be used with a Pod in three ways: | |||
| - As [container environment variable](#using-secrets-as-environment-variables). | |||
| - By the [kubelet when pulling images](#using-imagepullsecrets) for the Pod. | |||
|
|
|||
| The Kubernetes control plane also uses Secrets; for example, | |||
There was a problem hiding this comment.
also uses Secrets. For example, ...
shannonxtreme
suggested changes
Apr 25, 2021
kbhawkey
reviewed
Apr 25, 2021
| {{< glossary_tooltip term_id="pod" >}} definition or in a | ||
| {{< glossary_tooltip text="container image" term_id="image" >}}. | ||
| See [Secrets design document](https://git.k8s.io/community/contributors/design-proposals/auth/secrets.md) for more information. | ||
|
|
||
| A Secret is an object that contains a small amount of sensitive data such as |
There was a problem hiding this comment.
I think it would help to add that a Secret is a core Kubernetes object (or something similar to that text)?
https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/secret-v1/#get-read-the-specified-secret
sftim
force-pushed
the
20210425_revise_secret_concept
branch
2 times, most recently
from
e6ca115 to
9a946d2
Compare
kbhawkey
reviewed
Jun 10, 2021
| strings. By default they can be retrieved - as plain text - by anyone with API | ||
| access, or anyone with access to Kubernetes' underlying data store, etcd. In | ||
| order to safely use Secrets, it is recommended you (at a minimum): | ||
| Kubernetes Secrets are, by default, stored unencrypted in the API server's underlying data store (etcd). Anyone with API access can retrieve or modify a Secret, and so can anyone with access to etcd. |
There was a problem hiding this comment.
@sftim, These changes look good.
Should these new lines be wrapped at around the same character length as the other lines?
|
/kind cleanup |
k8s-ci-robot
added
the
kind/cleanup
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kbhawkey The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
k8s-ci-robot
added
the
needs-rebase
sftim
force-pushed
the
20210425_revise_secret_concept
branch
from
9a946d2 to
7a8389c
Compare
|
Rebased, should be ready for review. |
k8s-ci-robot
removed
the
needs-rebase
|
I'm making an executive call here, @sftim, and choosing to treat the remaining unresolved issues as non-blocking :) Thank you so much for your hard work on this. /lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 3b21e8e7d8d96c5ffe7fec90f76716c1f148a023
|
|
@tengqm need sync to zh |
|
@zhangguanzhang With dev-1.22 "becoming" the new "main" branch, we have a lot of pages to resync. Will initiate an sprint to get this done. Thanks for reminding. |
shannonxtreme
added a commit
to shannonxtreme/website
that referenced
this pull request
Nov 11, 2021
I’ve been a member for a fair bit. Reviewed, worked on, or been involved in tracking 50+ PRs. Some highlights: * kubernetes#26848 * kubernetes#27716 * kubernetes#27739 * kubernetes#28870 * kubernetes#28740 * kubernetes#28617 Search for PRs involving me: https://github.com/kubernetes/website/pulls?page=2&q=is%3Apr+involves%3Ashannonxtreme
trierra
pushed a commit
to trierra/website
that referenced
this pull request
Nov 16, 2021
I’ve been a member for a fair bit. Reviewed, worked on, or been involved in tracking 50+ PRs. Some highlights: * kubernetes#26848 * kubernetes#27716 * kubernetes#27739 * kubernetes#28870 * kubernetes#28740 * kubernetes#28617 Search for PRs involving me: https://github.com/kubernetes/website/pulls?page=2&q=is%3Apr+involves%3Ashannonxtreme
trierra
pushed a commit
to trierra/website
that referenced
this pull request
Nov 16, 2021
I’ve been a member for a fair bit. Reviewed, worked on, or been involved in tracking 50+ PRs. Some highlights: * kubernetes#26848 * kubernetes#27716 * kubernetes#27739 * kubernetes#28870 * kubernetes#28740 * kubernetes#28617 Search for PRs involving me: https://github.com/kubernetes/website/pulls?page=2&q=is%3Apr+involves%3Ashannonxtreme
trierra
pushed a commit
to trierra/website
that referenced
this pull request
Nov 16, 2021
I’ve been a member for a fair bit. Reviewed, worked on, or been involved in tracking 50+ PRs. Some highlights: * kubernetes#26848 * kubernetes#27716 * kubernetes#27739 * kubernetes#28870 * kubernetes#28740 * kubernetes#28617 Search for PRs involving me: https://github.com/kubernetes/website/pulls?page=2&q=is%3Apr+involves%3Ashannonxtreme
trierra
pushed a commit
to trierra/website
that referenced
this pull request
Nov 16, 2021
I’ve been a member for a fair bit. Reviewed, worked on, or been involved in tracking 50+ PRs. Some highlights: * kubernetes#26848 * kubernetes#27716 * kubernetes#27739 * kubernetes#28870 * kubernetes#28740 * kubernetes#28617 Search for PRs involving me: https://github.com/kubernetes/website/pulls?page=2&q=is%3Apr+involves%3Ashannonxtreme
kevindelgado
pushed a commit
to kevindelgado/kubernetes.github.io
that referenced
this pull request
Nov 17, 2021
I’ve been a member for a fair bit. Reviewed, worked on, or been involved in tracking 50+ PRs. Some highlights: * kubernetes#26848 * kubernetes#27716 * kubernetes#27739 * kubernetes#28870 * kubernetes#28740 * kubernetes#28617 Search for PRs involving me: https://github.com/kubernetes/website/pulls?page=2&q=is%3Apr+involves%3Ashannonxtreme
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change is a subset of the changes from PR #24169 (a PR that has proved too big to review).
I will follow this up with further PRs to incorporate the other changes that #24169 suggests.
/sig storage