From a0405db692b9e801efd1e21efea42948401ecbeb Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Thu, 16 Jun 2022 22:02:53 +0000 Subject: [PATCH] add more details for livez and readyz Signed-off-by: Anish Ramasekar --- keps/sig-auth/3299-kms-v2-improvements/README.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/keps/sig-auth/3299-kms-v2-improvements/README.md b/keps/sig-auth/3299-kms-v2-improvements/README.md index b5ca11da34d..80f8453db59 100644 --- a/keps/sig-auth/3299-kms-v2-improvements/README.md +++ b/keps/sig-auth/3299-kms-v2-improvements/README.md @@ -539,10 +539,13 @@ No. ###### How does this feature react if the API server and/or etcd is unavailable? -- This feature is part of API server. The feature is unavailable if API server is unavailable. -- ETCD data encryption with external kms-plugin is unavailable +- This feature is part of API server. The feature is unavailable if API server is unavailable. ETCD data encryption with external kms-plugin will be unavailable. - If the API server is unavailable, clients will be unable to create/get data that's stored in etcd. There will be no requests from the API server to the kms-plugin. -- If the `EncryptionConfiguration` configured in the API server is not valid and the API server is restarted, it'll fail health check (same behavior as today). +- If the `EncryptionConfiguration` file configured in the control plane node is not valid: + - API server when restarted will fail at startup as it's unable to load the EncryptionConfig. This behavior is consistent with the KMS v1 API. The encryption configuration needs to be fixed to allow the API server to start properly. +- If the KMS plugin is unavailable: + - API server when restarted will fail health check as it's unable to connect to the KMS plugin. The `/livez` and `/readyz` endpoints will show a `failed` health check for the kms provider. This behavior is consistent with the KMS v1 API. Refer to [docs](https://kubernetes.io/docs/reference/using-api/health-checks/) for the health API endpoints and how to exclude individual endpoints from causing the API server to fail health check. + - To resolve the issue, the kms plugin must be fixed to be available. The logs in the kms-plugin should be indicative of the issue. ## Implementation History