Details
Bug
Resolution: Done
Critical
None
4.10, 4.14.0
Important
No
Rejected
False
Description
Description of problem:
The encryption-config secret in the kube-apiserver project should only be updated weekly when the key is rotated, as per the OCP docs. The customer's encryption-config secret is being updated far more frequently, occasionally up to three or four times in a single day. Each time is triggering a kube-apiserver pod rollout, which is putting unnecessary stress on the cluster.
Version-Release number of selected component (if applicable):
OCP 4.10
How reproducible:
Checking the frequency of the encryption-config updates:
oc get secrets -n openshift-kube-apiserver | grep encryption-config
…
encryption-config Opaque 1 37h
encryption-config-14 Opaque 1 37h
encryption-config-15 Opaque 1 37h
encryption-config-16 Opaque 1 37h
…
Steps to Reproduce:
Checking the frequency of the encryption-config updates:
oc get secrets -n openshift-kube-apiserver | grep encryption-config
Actual results:
…
encryption-config Opaque 1 37h
encryption-config-14 Opaque 1 37h
encryption-config-15 Opaque 1 37h
encryption-config-16 Opaque 1 37h
…
Expected results:
…
encryption-config Opaque 1 21d
encryption-config-14 Opaque 1 14d
encryption-config-15 Opaque 1 7d
encryption-config-16 Opaque 1 1d
…
Additional info:
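The AGE column above is rounded, so several revisions can all read 37h. The following added example (not part of the original report and not OpenShift code) compares exact creation timestamps of consecutive encryption-config-N secrets and flags any pair created closer together than the weekly interval the report cites. The custom-columns invocation in the comment, the sample timestamps and the one-hour tolerance are assumptions.

```python
"""Flag encryption-config revisions created closer together than the weekly rotation."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, in the shape printed by (assumed invocation):
#   oc get secrets -n openshift-kube-apiserver --no-headers \
#     -o custom-columns=NAME:.metadata.name,CREATED:.metadata.creationTimestamp
SAMPLE = """\
encryption-config      2023-05-02T08:10:00Z
encryption-config-14   2023-05-02T08:11:30Z
encryption-config-15   2023-05-02T13:40:12Z
encryption-config-16   2023-05-02T19:05:47Z
encryption-config-13   2023-04-25T08:09:02Z
etcd-client-16         2023-05-02T19:05:47Z
"""

REVISION = re.compile(r"^encryption-config-(\d+)$")


def parse_revisions(text):
    """Return [(revision, created)] for encryption-config-N secrets, ordered by N."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        match = REVISION.match(parts[0])
        if not match:
            continue  # the unrevisioned secret, or an unrelated one
        created = datetime.strptime(parts[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        found.append((int(match.group(1)), created))
    return sorted(found)


def early_updates(text, expected=timedelta(days=7), tolerance=timedelta(hours=1)):
    """Return (previous, current, gap) for each revision that arrived too soon."""
    revisions = parse_revisions(text)
    flagged = []
    for (prev_n, prev_t), (cur_n, cur_t) in zip(revisions, revisions[1:]):
        gap = cur_t - prev_t
        if gap < expected - tolerance:
            flagged.append((prev_n, cur_n, gap))
    return flagged


if __name__ == "__main__":
    for prev_n, cur_n, gap in early_updates(SAMPLE):
        print(f"encryption-config-{prev_n} -> encryption-config-{cur_n}: {gap} apart")
```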