Explain that file-based pods cannot use secrets.

bronhaim · Jun 2, 2015 · bd8e7d8 · bd8e7d8
1 parent f2a6d63
commit bd8e7d8
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/secrets.md b/secrets.md
@@ -1,4 +1,3 @@
-# Secret Distribution
 
 ## Abstract
 
@@ -184,6 +183,11 @@ For now, we will not implement validations around these limits.  Cluster operato
 much node storage is allocated to secrets. It will be the operator's responsibility to ensure that
 the allocated storage is sufficient for the workload scheduled onto a node.
 
+For now, kubelets will only attach secrets to api-sourced pods, and not file- or http-sourced
+ones.  Doing so would:
+  - confuse the secrets admission controller in the case of mirror pods.
+  - create an apiserver-liveness dependency -- avoiding this dependency is a main reason to use non-api-source pods.
+
 ### Use-Case: Kubelet read of secrets for node
 
 The use-case where the kubelet reads secrets has several additional requirements: