openshift-kube-apiserver maintains multiple copies of the encryption-config secret

Solution Verified - Updated -

Issue

  • openshift-kube-apiserver maintains multiple copies of the encryption-config secret.

    $ oc get secrets -n openshift-kube-apiserver | grep config
    encryption-config                           Opaque                                1      73d
    encryption-config-13                        Opaque                                1      73d
    encryption-config-14                        Opaque                                1      73d
    encryption-config-15                        Opaque                                1      69d
    encryption-config-16                        Opaque                                1      66d
    encryption-config-17                        Opaque                                1      66d
    encryption-config-18                        Opaque                                1      62d
    encryption-config-19                        Opaque                                1      62d
    encryption-config-20                        Opaque                                1      60d
    encryption-config-21                        Opaque                                1      59d
    encryption-config-22                        Opaque                                1      59d
    encryption-config-23                        Opaque                                1      59d
    encryption-config-24                        Opaque                                1      52d
    encryption-config-25                        Opaque                                1      52d
    encryption-config-26                        Opaque                                1      52d
    encryption-config-27                        Opaque                                1      52d
    encryption-config-28                        Opaque                                1      47d
    encryption-config-29                        Opaque                                1      45d
    encryption-config-30                        Opaque                                1      45d
    
  • The encryption-config-* secrets are marked for deletion but are never deleted, because a finalizer blocks the deletion:

    metadata:
      annotations:
        kubernetes.io/description: |-
          WARNING: DO NOT EDIT.
          Altering of the encryption secrets will render you cluster inaccessible.
          Catastrophic data loss can occur from the most minor changes.
      creationTimestamp: "2024-02-22T23:42:02Z"
      deletionGracePeriodSeconds: 0
      deletionTimestamp: "2024-03-01T00:24:40Z"
      finalizers:
      - encryption.apiserver.operator.openshift.io/deletion-protection
      name: encryption-config-236
      namespace: openshift-kube-apiserver
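
A read-only check for the condition described above, as an added example that is not part of the original article: it reads the output of `oc get secrets -n openshift-kube-apiserver -o json` and lists the `encryption-config-N` secrets that carry a `deletionTimestamp` but are still held by the deletion-protection finalizer. The function name `stuck_secrets` and the sample data are constructed for illustration.

```python
import json
import re
import sys
from datetime import datetime, timezone

# Finalizer and name pattern taken from the output shown on this page.
FINALIZER = "encryption.apiserver.operator.openshift.io/deletion-protection"
NAME_RE = re.compile(r"^encryption-config-\d+$")


def stuck_secrets(secret_list, now=None):
    """Return (name, days_pending, finalizers) for revisioned secrets that
    carry a deletionTimestamp but are still held by the protection finalizer."""
    now = now or datetime.now(timezone.utc)
    found = []
    for item in secret_list.get("items", []):
        meta = item.get("metadata", {})
        stamp = meta.get("deletionTimestamp")
        finalizers = meta.get("finalizers") or []
        if not NAME_RE.match(meta.get("name", "")):
            continue  # skip the unrevisioned secret and unrelated secrets
        if not stamp or FINALIZER not in finalizers:
            continue  # not marked for deletion, or not held by this finalizer
        marked = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        found.append((meta["name"], (now - marked).days, finalizers))
    # Sort by revision number so the oldest revisions come first.
    return sorted(found, key=lambda r: int(r[0].rsplit("-", 1)[1]))


# Constructed sample shaped like `oc get secrets -o json` output (not real cluster data).
SAMPLE = {"items": [
    {"metadata": {"name": "encryption-config"}},
    {"metadata": {"name": "encryption-config-30", "finalizers": [FINALIZER]}},
    {"metadata": {"name": "encryption-config-236",
                  "deletionTimestamp": "2024-03-01T00:24:40Z",
                  "finalizers": [FINALIZER]}},
    {"metadata": {"name": "encryption-config-13",
                  "deletionTimestamp": "2024-02-25T10:00:00Z",
                  "finalizers": [FINALIZER]}},
]}

if __name__ == "__main__":
    # Reads live JSON from stdin when piped, otherwise falls back to the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name, days, fins in stuck_secrets(data):
        print(f"{name}\tpending deletion {days}d\t{','.join(fins)}")
```

The script only reads and reports; it does not modify any secret or finalizer.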
    

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4
