Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add deprecation warnings for enforce-mountable-secrets annotation #48771

Open
wants to merge 2 commits into
base: dev-1.32
Choose a base branch
from

Conversation

ritazh
Copy link
Member

@ritazh ritazh commented Nov 19, 2024

Description

Add warnings for deprecated kubernetes.io/enforce-mountable-secrets annotation. Encourage the use of separate namespaces when isolation is desired.

Issue

Closes: #

/sig auth
/cc @liggitt

@k8s-ci-robot k8s-ci-robot added this to the 1.32 milestone Nov 19, 2024
@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. language/en Issues or PRs related to English language labels Nov 19, 2024
Copy link

netlify bot commented Nov 19, 2024

👷 Deploy Preview for kubernetes-io-vnext-staging processing.

Name Link
🔨 Latest commit 3b8c927
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/673ea26cbadbd20008d86558

@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Nov 19, 2024
@ritazh ritazh changed the title Add deprecation warnings for enforce-mountable-secrets annotation Add docs for deprecated annotation Nov 19, 2024
@ritazh ritazh changed the title Add docs for deprecated annotation Add deprecation warnings for enforce-mountable-secrets annotation Nov 19, 2024
Copy link

netlify bot commented Nov 19, 2024

Pull request preview available for checking

Built without sensitive environment variables

Name Link
🔨 Latest commit 3b8c927
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/673ea26c7e78e500087efdc9
😎 Deploy Preview https://deploy-preview-48771--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@liggitt
Copy link
Member

liggitt commented Nov 19, 2024

/lgtm
for technical content

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 19, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 8b403a873f69216ce71d77033b385d7d24d13ce7

@stmcginnis
Copy link
Contributor

/lgtm

Copy link
Contributor

@sftim sftim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR, but:

  • please follow the style guide
    • use note callouts, not warning
    • small but important detail: don't deprecate the annotation except in the well-known list. Deprecate setting it.
    • It'll have been deprecated "since Kubernetes v1.32", not "in v1.32+"
  • we should also remove or reword all places where we recommend setting the annotation

Comment on lines 809 to 811
{{< warning >}}
`kubernetes.io/enforce-mountable-secrets` is deprecated in v1.32+. Use separate namespaces to isolate access to mounted secrets.
{{< /warning >}}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Move this to below the "Used on" line

@@ -806,6 +806,10 @@ This annotation is used for describing specific behaviour of given object.

### kubernetes.io/enforce-mountable-secrets {#enforce-mountable-secrets}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
### kubernetes.io/enforce-mountable-secrets {#enforce-mountable-secrets}
### kubernetes.io/enforce-mountable-secrets (deprecated) {#enforce-mountable-secrets}

Comment on lines 202 to 204
{{< warning >}}
`kubernetes.io/enforce-mountable-secrets` is deprecated in v1.32+. Use separate namespaces to isolate access to mounted secrets.
{{< /warning >}}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd use a feature-state shortcode here.

@@ -674,6 +674,8 @@ For more information, you can refer to the [documentation about this annotation]
{{< warning >}}
Any containers that run with `privileged: true` on a node can access all
Secrets used on that node.

`kubernetes.io/enforce-mountable-secrets` is deprecated in v1.32+. Use separate namespaces to isolate access to mounted secrets.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Omit this, and reword or remove the earlier text:

To enhance the security measures around Secrets, Kubernetes provides a mechanism: you can
annotate a ServiceAccount as kubernetes.io/enforce-mountable-secrets: "true".

@sftim
Copy link
Contributor

sftim commented Nov 19, 2024

Because this PR adds warnings (as in: warning-level callouts), and we try to be really sparing with these, I suggest we don't merge this yet.

@sftim

This comment was marked as outdated.

@sftim
Copy link
Contributor

sftim commented Nov 19, 2024

Oops. Wrong PR.

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 20, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from sftim. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Nov 20, 2024
@ritazh ritazh force-pushed the deprecate-EnforceMountableSecretsAnnotation branch from b91bcec to 1fb2c74 Compare November 20, 2024 06:56
Copy link
Contributor

@sftim sftim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

One nit; good to merge as is.

@@ -62,12 +62,16 @@ recommendations include:
* Implement audit rules that alert on specific events, such as concurrent
reading of multiple Secrets by a single user

#### Additional ServiceAccount annotations for Secret management
#### Additional ServiceAccount annotations for Secret management (deprecated)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can use a singular here.

Suggested change
#### Additional ServiceAccount annotations for Secret management (deprecated)
#### ServiceAccount annotation for Secret management (deprecated) {#additional-serviceaccount-annotations-for-secret-management}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The point of having a customized anchor ID is to make it easy to reference this section or subsection. In that spirit, I'd suggest we use a shorter ID which is
unique and clear enough in this page. For example, #additional-annotation.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't agree about the point. My intention here was for existing links to stay working.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 20, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 6fc7f116f79f151c01bec30aadc3d6fcfcc12b1a

@@ -62,12 +62,16 @@ recommendations include:
* Implement audit rules that alert on specific events, such as concurrent
reading of multiple Secrets by a single user

#### Additional ServiceAccount annotations for Secret management
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, in a page about good practice, maybe we should simply be recommending using namespaces as trust boundaries?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, IMO this section should be replaced with the following but I’m not sure how this impacts users who may have bookmarked the old section.

Restrict Access for Secrets

Use separate namespaces to isolate access to mounted secrets.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PTAL

Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
@ritazh ritazh force-pushed the deprecate-EnforceMountableSecretsAnnotation branch from 1fb2c74 to 3b8c927 Compare November 21, 2024 03:00
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 21, 2024
@k8s-ci-robot
Copy link
Contributor

New changes are detected. LGTM label has been removed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. language/en Issues or PRs related to English language sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants