kubectl apply will always show configured For Secrets
When you apply a Secret YAML file using kubectl apply, it will always show "configured," even if there are no changes.
$ k apply -f app-secret.yaml
secret/app-secret created
$ k apply -f app-secret.yaml
secret/app-secret configured
$ k apply -f app-secret.yaml
secret/app-secret configured
This is because the annotation kubectl.kubernetes.io/last-applied-configuration is updated to match the applied YAML file.
The kubectl.kubernetes.io/last-applied-configuration annotation is used by Kubernetes to store the last configuration applied to a resource using kubectl apply. This annotation helps Kubernetes keep track of the configuration state
However, when you apply a ConfigMap YAML file using kubectl apply, it will show "unchanged" if there are no actual changes to the data or metadata.
$ k apply -f configmap.yaml
configmap/custom-index-html created
$ k apply -f configmap.yaml
configmap/custom-index-html unchanged
$ k apply -f configmap.yaml
configmap/custom-index-html unchangedWhat is the logic behind it?
The logic behind the kubectl.kubernetes.io/last-applied-configuration annotation changes for Secrets but not for ConfigMaps primarily revolves around the nature of the data and the security implications associated with these resources.
Hereβs why.
Secrets contain sensitive information such as passwords, tokens, and keys. Ensuring the integrity and traceability of these resources is important for security.
Kubernetes places a strong emphasis on maintaining an audit trail for Secrets to track any changes, even if they are reapplications of the same configuration. This helps in monitoring and auditing access and modifications to sensitive data.
Updating the last-applied-configuration annotation for Secrets ensures that there is a clear and precise record of every application of the Secret configuration.
This is important for compliance and auditability, as it allows administrators to trace the history of changes and applications to the Secret.