Loading...

XML

Word

Printable

Type: Bug
Resolution: Not a Bug
Priority: Major
Fix Version/s: None
Affects Version/s: 4.13, 4.12, 4.14
Component/s: kube-apiserver
Labels:

Severity:
Important
Regression:
No
Blocked:
False
Blocked Reason:

Hide

None

Show
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:
PX Priority Data:
PX Review Complete:

Description of problem:

We have seen when customer enabled the ETCD encryption, due to this every week encryption-config generated for kube-apiserver which is increasing the secret count in openshift-kube-apiserver namespace. Which is not getting deleted automatically after some time or new key generation.

We have seen this issue in every version of OCP cluster.

As of now we are suggesting to delete these secrets using the KCS: https://access.redhat.com/solutions/7039646

As per the document the encryption config secrets rotates every week.

https://docs.openshift.com/container-platform/4.12/security/encrypting-etcd.html#enabling-etcd-encryption_encrypting-etcd

Those should be deleted automatically in every-version.

We have seen those grows so much which increases the load of the master node.

Few examples of cases: 03839575, 03844152, 03841579

There are many other examples.

relates to

API-1889 Add kube-apiserver option to configure encryption-key secrets TTL

Assignee:: Jan Chaloupka

Reporter:: Vimal Solanki

QA Contact:: Ke Wang

Votes:: 1 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2024/06/18 12:10 PM

Updated:: 2025/02/11 2:14 PM

Resolved:: 2025/02/11 2:14 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates