[WIP] Rewrite Secret concept

[sftim]

• Fix bug Secrets documentation incorrectly states that kubelet/node compromise gives access to all secrets in the cluster #21435 (dated information about all nodes having access to all Secrets)
• Tidy to match website style guide
• Expand the overview
• Use callout blocks for notes, warnings and cautions where it seems appropriate
• General rewording
• Page restructuring
  • Move all the information security details into one place
  • Consolidate details and advice about Kubernetes behavior if a Secret is missing, or if it exists but lacks a mandatory key
• Trim detailed information about checking permissions on projected data
  (because that level of detail belongs in a task page, not a concept page)

Preview

Note to reviewers:

• this PR does not excise or migrate https://kubernetes.io/docs/concepts/configuration/secret/#use-cases. I think it would be good for a future PR / separate piece of work to look at moving that part of the page into the Tasks part of the documentation.
• this PR does not switch the code samples into {{< codenew >}} blocks; it's size/XL as it is!

/language en
/sig apps
/sig security

Fixes: #21435

[netlify]

✔️ Deploy Preview for kubernetes-io-main-staging ready!

🔨 Explore the source changes: 22c5b45

🔍 Inspect the deploy log: https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/60cd31d0d668d8a572044cac

😎 Browse the preview: https://deploy-preview-24169--kubernetes-io-main-staging.netlify.app

[kbhawkey]

Related to #23825

[tengqm]

This is inaccurate. Not all Secret are referenced in container definition. Right?

[sftim]

Good point, this could be misleading.

[kbhawkey]

nit: You could write,
However, Secrets are ...
instead of
However, Secret objects

[kbhawkey]

@sftim, Have you resolved the question about lines 40-41?

[sftim]

Yep, I think this is addressed.

[kbhawkey]

OK

[tengqm]

Please remove the 'caution' shortcode?

[tengqm]

None of the Pod's containers will start until all non-optional Secrets are available.

Please revise this "none ... until all non-optional ..." sentence.

[sftim]

I could switch this from a caution to a note.

[kbhawkey]

This is a bit of a mashup of note and warning.
You are indicating to the reader that Secrets can be declared "optional" in the Pod configuration.
Then secondly, you warn that a Pod's containers are prevented from starting until the "required" or "non-optional" Secrets are ready. Could the first sentence move out of the callout?

[tengqm]

Suggested change

	reference actually points to an object of type Secret. Therefore, a secret
	reference actually points to an object of type Secret. Therefore, a Secret

[tengqm]

we use 'because of' for positive conditions and 'due to' for negative ones?

[sftim]

I'm not sure that's true, but varying the wording makes the text more pleasing anyway. I'll reword.

[tengqm]

Suggested change

	If the secret cannot be fetched because it does not exist or
	If the Secret cannot be fetched because it does not exist or

[tengqm]

In general, I'd suggest we move these contents (with examples) about using secret into the tasks section. We already have a lot of duplicated contents on this topic.

[sftim]

I hope that can wait for a follow-up PR as I'd love to get these changes merged.

[tengqm]

please remove the 'note' shortcode unless we have a good reason to do so.

[sftim]

I think this is a detail readers need to know. Is it not?

[tengqm]

Everything documented here is something readers need to know, but that doesn't mean we need to wrap them into a note.

[sftim]

Fair enough!

[tengqm]

I don't think we are encouraged to use FIVE '#' as subsections. If we do, we have a problem with content organization.

[kbhawkey]

I agree. When the content gets to heading level 5, the readability of the content decreases. That said, I need to look at the rendered page again.

[sftim]

we have a problem with content organization

This, I think. However I think this addition helps get this change mergeable. We can track further work to improve the updated page.

[tengqm]

at the path .... file

This reads strange.

[tengqm]

Please avoid flooding the page with 'note' shortcode. We can treat all contents as noteworthy or else we won't document them.

[sftim]

I wonder if the answer here is a new kind of callout with a more subtle highlight color (eg gray).

I want to call this out but only a little bit.

[kbhawkey]

Seems like you could make it a note or not.

[tengqm]

Callouts are useful for unexpected warnings, subtle hints, ...
Since shortcodes are creating quite some issues for localization, I'd suggest we use them carefully.

[tengqm]

Where are these content now?

[sftim]

Gone. This page is about Secrets and is quite long. I propose not telling readers here about how to represent POSIX file modes in JSON, because it's several steps removed from answering the question “In Kubernetes, what is a Secret?”

[tengqm]

I agree this is not the right place to mention POSIX file modes. Somewhere we still need to call this out because it is something that may get people trapped.

[sftim]

Could that be on a (future) task page? I could log an issue to to that migration etc.

[tengqm]

Logging an issue sounds an option, but the rule of thumb here is do not aimlessly drop useful information.

[sftim]

I've revised the wording to include the cautionary message, less verbosely.

[kbhawkey]

nit: double use of "automatically". Could write:
By default, the Kubernetes control plane modifies newly-added Pods to use this type of Secret.
Which type of Secret?

[tengqm]

I think "this type of Secret" means service account Secrets.

[kbhawkey]

Wording: "The program" to "The application"? There are a few places in this page where "program" is used in a sentence.

[sftim]

Is “program” wrong? It makes sense to me.

[kbhawkey]

The program in a container ...
I'd have to reread again. Which program?

[sftim]

A running container always has one main process (PID 1 on POSIX), and has 0 or more other processes (typically zero). Each process is running program code.

[sftim]

BTW @mikedanese would you like to nominate additional reviewer(s) for this concept?

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mbevc1
To complete the pull request process, please ask for approval from sftim after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• content/en/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sftim]

To me, this is a rewrite rather than a revision to the Secret concept

Yep. I think it needs a rewrite. I'm open to persuasion that the existing page is already of good enough quality, but I think it would take a lot to convince me.

Rather than reviewing as a set of changes, I recommend comparing the preview to the current page.

If the new page is better than the existing one, then I recommend merging it. If not, I'd like feedback on the new page (as if we were adding a new document), so that I can understand how to improve the rewritten page.

I did not excise or migrate https://kubernetes.io/docs/concepts/configuration/secret/#use-cases. I can do, but I think that this PR is large enough without also touching that section.

@tengqm mentioned localization.
If the existing page requires improvement in English, then in my view it requires improvement in all its downstream localizations as well.

/retitle Rewrite Secret concept

[sftim]

/hold
This should not merge until v1.21 is released, because the merge conflict in that case would be more effort than is justified.
After v1.21 is released I can rebase this.

[kbhawkey]

Hi. I will read the changes again, looking at the organization of the concepts.
It is reasonable to rewrite or accept improvements to the existing content.
If there are technical questions, I'd suggest having the content reviewed by more than one member of SIG Security or SIG apps.
This is an important concept and I'd like to see this PR progress. Thanks.

[sftim]

Thanks for all reviews so far!

[k8s-ci-robot]

@sftim: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jihoon-seo]

/hold
This should not merge until v1.21 is released, because the merge conflict in that case would be more effort than is justified.
After v1.21 is released I can rebase this.

@sftim As of now, K8s v1.21 and v1.22 are released! 😊

[sftim]

My plan for this PR is to break into into smaller PRs (such as #27716) that are easier to review.

There is more to do on that front.

[sftim]

/retitle [WIP] Rewrite Secret concept

[jimangel]

@sftim this is k/website's oldest open PR. Shall we close it (I would like to see the content merge) or do you need help getting it out of WIP?

[sftim]

I already split out #27716 and do intend to split other PRs out of this one. I'd like to leave this (as WIP) for a bit longer, hoping to allocate time to the other changes that this larger PR wanted to make.

[sftim]

If anyone else wants to help with that splitting up, I shan't complain.

[sftim]

I'll close this and work on new PRs.

[sftim]

/close

[k8s-ci-robot]

@sftim: Closed this PR.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.