Commit 3906a09

Merge pull request #20349 from ydcool/zh-trans-secret
Update content/zh/docs/concepts/configuration/secret.md
2 parents 62f4d3f + 59b89cf commit 3906a09

1 file changed

+48
-0
lines changed

content/zh/docs/concepts/configuration/secret.md

@@ -853,6 +853,54 @@ Secret updates.
853853

854854
{{< /note >}}
855855

856+
{{< feature-state for_k8s_version="v1.18" state="alpha" >}}
857+
858+
<!--
859+
The Kubernetes alpha feature _Immutable Secrets and ConfigMaps_ provides an option to set
860+
individual Secrets and ConfigMaps as immutable. For clusters that extensively use Secrets
861+
(at least tens of thousands of unique Secret to Pod mounts), preventing changes to their
862+
data has the following advantages:
863+
-->
864+
Kubernetes 的 alpha 特性 _不可变的 Secret 和 ConfigMap_ 提供了一个设置各个 Secret 和 ConfigMap 为不可变的选项。
865+
对于大量使用 Secret 的集群(至少有成千上万各不相同的 Secret 供 Pod 挂载),禁止变更它们的数据有下列好处:
866+
867+
<!--
868+
- protects you from accidental (or unwanted) updates that could cause applications outages
869+
- improves performance of your cluster by significantly reducing load on kube-apiserver, by
870+
closing watches for secrets marked as immutable.
871+
-->
872+
- 防止意外(或非预期的)更新导致应用程序中断
873+
- 通过将 Secret 标记为不可变来关闭 kube-apiserver 对其的监视,以显著地降低 kube-apiserver 的负载来提升集群性能。
874+
875+
<!--
876+
To use this feature, enable the `ImmutableEmphemeralVolumes`
877+
[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) and set
878+
your Secret or ConfigMap `immutable` field to `true`. For example:
879+
-->
880+
使用这个特性需要启用 `ImmutableEmphemeralVolumes`
881+
[特性开关](/docs/reference/command-line-tools-reference/feature-gates/) 并将 Secret 或 ConfigMap 的 `immutable` 字段设置为 `true`. 例如:
882+
883+
```yaml
884+
apiVersion: v1
885+
kind: Secret
886+
metadata:
887+
...
888+
data:
889+
...
890+
immutable: true
891+
```
892+
893+
<!--
894+
Once a Secret or ConfigMap is marked as immutable, it is _not_ possible to revert this change
895+
nor to mutate the contents of the `data` field. You can only delete and recreate the Secret.
896+
Existing Pods maintain a mount point to the deleted Secret - it is recommended to recreate
897+
these pods.
898+
-->
899+
{{< note >}}
900+
一旦一个 Secret 或 ConfigMap 被标记为不可变,撤销此操作或者更改 `data` 字段的内容都是 _不_ 可能的。
901+
只能删除并重新创建这个 Secret. 现有的 Pod 将维持对已删除 Secret 的挂载点 - 建议重新创建这些 pod.
902+
{{< /note >}}
903+
856904
<!--
857905
### Using Secrets as Environment Variables
858906
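
Review bot: The feature gate name is misspelled as `ImmutableEmphemeralVolumes` on new lines 876 and 880, in both the commented English source and the Chinese text; the gate is `ImmutableEphemeralVolumes`, and a reader who copies the name from this page will not get the feature enabled, so `immutable: true` would not give the protection the section describes. Please correct both occurrences (and the upstream English page if it carries the same spelling). Two smaller points: on line 873 the translation attributes the watches to kube-apiserver ("关闭 kube-apiserver 对其的监视"), while the English on lines 869-870 only says watches for immutable Secrets are closed to reduce load on kube-apiserver, so the wording should not name kube-apiserver as the watcher; and lines 881, 900 and 901 end Chinese sentences with an ASCII "." ("`true`. 例如", "Secret. 现有", "pod.") where lines 864-865 use "。".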
