- Bug
- Resolution: Done
- Critical
- ACM 2.9.4
- GRC Sprint 2024-13
Improvement To Be Made By Engineering Team:
- Ignore the "imagePullSecrets" and "secrets" fields on ServiceAccount objects since they are essentially status and automatically managed by Kubernetes.
Description of problem:
The compliance type mustonlyhave on config-policy-controller creates numerous secrets. This has been implemented in ACM-11045.
The creation of tens of thousands of secrets is causing etcd to slow down and crash on multiple clusters. This started after the automated update of the ACM Operator to version 2.9.4.
Version-Release number of selected component (if applicable):
ACM 2.9.4
How reproducible:
Always
Steps to Reproduce:
- Have a policy with kind ServiceAccount and complianceType: mustonlyhave.
- Run this in a cluster with ACM; the SA tokens keep generating.
Actual results:
The secrets are continuously being created.
Expected results:
Only one secret should be created.
Additional info:
Workaround is to change the policy compliance type to:
complianceType: musthave
and reapply; they stop generating.
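The engineering improvement listed at the top of this report (ignoring "secrets" and "imagePullSecrets" on ServiceAccount objects) can be seen in a simplified model of an exact-match comparison. This is an added example, not config-policy-controller's own code; needsUpdate, stripManaged and the sample objects are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"reflect"
)

// managedSAFields are the ServiceAccount fields the report says to ignore,
// because Kubernetes populates them itself.
var managedSAFields = []string{"secrets", "imagePullSecrets"}

// stripManaged returns a shallow copy of obj without the managed fields.
func stripManaged(obj map[string]interface{}) map[string]interface{} {
	out := make(map[string]interface{}, len(obj))
	for k, v := range obj {
		out[k] = v
	}
	for _, f := range managedSAFields {
		delete(out, f)
	}
	return out
}

// needsUpdate models a mustonlyhave check: any difference between the policy
// template and the live object counts as drift. (Hypothetical helper.)
func needsUpdate(desired, live map[string]interface{}, ignoreManaged bool) bool {
	if ignoreManaged && live["kind"] == "ServiceAccount" {
		desired, live = stripManaged(desired), stripManaged(live)
	}
	return !reflect.DeepEqual(desired, live)
}

// sample returns constructed objects: the policy template and the live object
// after the cluster has attached generated secrets to it.
func sample() (desired, live map[string]interface{}) {
	meta := map[string]interface{}{"name": "demo-sa", "namespace": "demo"}
	desired = map[string]interface{}{"apiVersion": "v1", "kind": "ServiceAccount", "metadata": meta}
	live = map[string]interface{}{"apiVersion": "v1", "kind": "ServiceAccount", "metadata": meta,
		"secrets":          []interface{}{map[string]interface{}{"name": "demo-sa-token-abcde"}},
		"imagePullSecrets": []interface{}{map[string]interface{}{"name": "demo-sa-dockercfg-fghij"}},
	}
	return desired, live
}

func main() {
	d, l := sample()
	fmt.Println("exact match reports drift:", needsUpdate(d, l, false))
	fmt.Println("ignoring managed fields reports drift:", needsUpdate(d, l, true))
}
```

With an exact comparison the live object never matches a template that omits the managed fields, so the check reports drift on every evaluation; with those fields stripped from both sides it does not.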
- is cloned by
  - ACM-12711 [2.10] The compliance type mustonlyhave on config-policy-controller creates numerous secrets (Closed)
  - ACM-12712 [2.11.1] The compliance type mustonlyhave on config-policy-controller creates numerous secrets (Closed)
- is duplicated by
  - ACM-12710 [2.9] The compliance type mustonlyhave on config-policy-controller creates numerous secrets (Closed)