openshift-kube-apiserver maintains multiple copies of the encryption-config secret
Issue
- openshift-kube-apiserver maintains multiple copies of the encryption-config secret.

    $ oc get secrets -n openshift-kube-apiserver | grep config
    encryption-config      Opaque   1   73d
    encryption-config-13   Opaque   1   73d
    encryption-config-14   Opaque   1   73d
    encryption-config-15   Opaque   1   69d
    encryption-config-16   Opaque   1   66d
    encryption-config-17   Opaque   1   66d
    encryption-config-18   Opaque   1   62d
    encryption-config-19   Opaque   1   62d
    encryption-config-20   Opaque   1   60d
    encryption-config-21   Opaque   1   59d
    encryption-config-22   Opaque   1   59d
    encryption-config-23   Opaque   1   59d
    encryption-config-24   Opaque   1   52d
    encryption-config-25   Opaque   1   52d
    encryption-config-26   Opaque   1   52d
    encryption-config-27   Opaque   1   52d
    encryption-config-28   Opaque   1   47d
    encryption-config-29   Opaque   1   45d
    encryption-config-30   Opaque   1   45d
- The encryption-config-* secrets are marked for deletion, but are never deleted because a finalizer blocks the deletion:

    metadata:
      annotations:
        kubernetes.io/description: |-
          WARNING: DO NOT EDIT.
          Altering of the encryption secrets will render you cluster inaccessible.
          Catastrophic data loss can occur from the most minor changes.
      creationTimestamp: "2024-02-22T23:42:02Z"
      deletionGracePeriodSeconds: 0
      deletionTimestamp: "2024-03-01T00:24:40Z"
      finalizers:
      - encryption.apiserver.operator.openshift.io/deletion-protection
      name: encryption-config-236
      namespace: openshift-kube-apiserver
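
The condition described above (a deletionTimestamp set while a finalizer is still present) can be listed read-only from saved `oc get secrets -n openshift-kube-apiserver -o json` output. The following Python script is an added example, not part of the original article or of any Red Hat tooling; the function names, the sample data and the `encryption-config-237` entry are constructed for illustration.

```python
import json
import sys
from datetime import datetime, timezone

# Finalizer name as shown in the secret metadata in this article.
FINALIZER = "encryption.apiserver.operator.openshift.io/deletion-protection"

# Constructed sample shaped like `oc get secrets -n openshift-kube-apiserver -o json`.
# encryption-config-237 is a made-up entry that is not marked for deletion.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "encryption-config"}},
    {"metadata": {"name": "encryption-config-236",
                  "deletionTimestamp": "2024-03-01T00:24:40Z",
                  "finalizers": [FINALIZER]}},
    {"metadata": {"name": "encryption-config-237", "finalizers": [FINALIZER]}},
]})


def parse_ts(value):
    """Parse a Kubernetes RFC 3339 UTC timestamp such as 2024-03-01T00:24:40Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stuck_secrets(secret_list_json, now):
    """Return (name, days_pending, finalizers) for encryption-config-* secrets
    that have a deletionTimestamp but are still held by at least one finalizer."""
    stuck = []
    for item in json.loads(secret_list_json).get("items", []):
        meta = item.get("metadata", {})
        name = meta.get("name", "")
        deleted_at = meta.get("deletionTimestamp")
        finalizers = meta.get("finalizers") or []
        if not name.startswith("encryption-config-"):
            continue
        if not deleted_at or not finalizers:
            continue  # live secret, or nothing blocking its removal
        days_pending = (now - parse_ts(deleted_at)).days
        stuck.append((name, days_pending, finalizers))
    return sorted(stuck, key=lambda row: row[0])


if __name__ == "__main__":
    # Read-only: pass a file saved from `oc get secrets ... -o json`, or use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = fh.read()
    else:
        data = SAMPLE
    for name, days, finalizers in stuck_secrets(data, datetime.now(timezone.utc)):
        print(f"{name}: pending deletion for {days} days, held by {', '.join(finalizers)}")
```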
Environment
- Red Hat OpenShift Container Platform (RHOCP)
- 4