Multiple copies of encryption-config secret in openshift-kube-apiserver namespace

Solution Verified - Updated -

Issue

  • The openshift-kube-apiserver namespace keeps multiple copies of the encryption-config secret:

    $ oc get secrets -n openshift-kube-apiserver | grep "encryption-config"
    encryption-config                           Opaque                                1      73d
    [...]
    encryption-config-13                        Opaque                                1      73d
    encryption-config-14                        Opaque                                1      73d
    [...]
    encryption-config-30                        Opaque                                1      45d
    [...]
    encryption-config-267                       Opaque                                1      1d
    [...]
    
  • The encryption-config secrets are marked for deletion but are never deleted, because a finalizer prevents it:

    metadata:
      annotations:
        kubernetes.io/description: |-
          WARNING: DO NOT EDIT.
          Altering of the encryption secrets will render you cluster inaccessible.
          Catastrophic data loss can occur from the most minor changes.
      creationTimestamp: "2024-02-22T23:42:02Z"
      deletionGracePeriodSeconds: 0
      deletionTimestamp: "2024-03-01T00:24:40Z"
      finalizers:
      - encryption.apiserver.operator.openshift.io/deletion-protection
      name: encryption-config-236
      namespace: openshift-kube-apiserver
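
A read-only check for the condition described above, added here as an example (it is not part of the original article or of Red Hat's tooling): it parses the output of `oc get secrets -n openshift-kube-apiserver -o json` and lists the encryption-config secrets that have a deletionTimestamp but still carry the deletion-protection finalizer. The function name `stuck_secrets` and the embedded sample data are constructed for illustration.

```python
import json
import sys
from datetime import datetime, timezone

FINALIZER = "encryption.apiserver.operator.openshift.io/deletion-protection"

# Constructed sample shaped like `oc get secrets -n openshift-kube-apiserver -o json`.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "encryption-config",
                  "creationTimestamp": "2024-02-22T23:40:00Z"}},
    {"metadata": {"name": "encryption-config-236",
                  "creationTimestamp": "2024-02-22T23:42:02Z",
                  "deletionTimestamp": "2024-03-01T00:24:40Z",
                  "finalizers": [FINALIZER]}},
    {"metadata": {"name": "encryption-config-267",
                  "creationTimestamp": "2024-03-10T08:00:00Z",
                  "finalizers": [FINALIZER]}},
    {"metadata": {"name": "etcd-client",
                  "creationTimestamp": "2024-01-01T00:00:00Z"}},
]})


def parse_ts(value):
    """Parse the RFC 3339 UTC timestamps the API server emits."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stuck_secrets(secret_list_json, now):
    """Return (name, days pending deletion) for encryption-config secrets that
    have a deletionTimestamp but are still held by the protection finalizer."""
    stuck = []
    for item in json.loads(secret_list_json).get("items", []):
        meta = item.get("metadata", {})
        if not meta.get("name", "").startswith("encryption-config"):
            continue
        deleted_at = meta.get("deletionTimestamp")
        if deleted_at and FINALIZER in (meta.get("finalizers") or []):
            stuck.append((meta["name"], (now - parse_ts(deleted_at)).days))
    # Longest-pending first, so the oldest leftovers stand out.
    return sorted(stuck, key=lambda entry: entry[1], reverse=True)


if __name__ == "__main__":
    # Report only: pipe real `oc ... -o json` output in, or run without input for the sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, days in stuck_secrets(data, datetime.now(timezone.utc)):
        print(f"{name}\tpending deletion for {days} day(s), finalizer still set")
```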
    

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4
