Add deprecation warnings for enforce-mountable-secrets annotation

ritazh · ritazh · commit 926db124d082 · 2024-11-19T07:59:43.000-08:00
diff --git a/content/en/docs/concepts/configuration/secret.md b/content/en/docs/concepts/configuration/secret.md
@@ -674,6 +674,8 @@ For more information, you can refer to the [documentation about this annotation]
 {{< warning >}}
 Any containers that run with `privileged: true` on a node can access all
 Secrets used on that node.
+
+`kubernetes.io/enforce-mountable-secrets` is deprecated in v1.32+. Use separate namespaces to isolate access to mounted secrets.
 {{< /warning >}}
 
 ## {{% heading "whatsnext" %}}
diff --git a/content/en/docs/concepts/security/secrets-good-practices.md b/content/en/docs/concepts/security/secrets-good-practices.md
@@ -68,6 +68,10 @@ You can also use the `kubernetes.io/enforce-mountable-secrets` annotation on
 a ServiceAccount to enforce specific rules on how Secrets are used in a Pod.
 For more details, see the [documentation on this annotation](/docs/reference/labels-annotations-taints/#enforce-mountable-secrets).
 
+{{< warning >}}
+`kubernetes.io/enforce-mountable-secrets` is deprecated in v1.32+. Use separate namespaces to isolate access to mounted secrets.
+{{< /warning >}}
+
 ### Improve etcd management policies
 
 Consider wiping or shredding the durable storage used by `etcd` once it is
diff --git a/content/en/docs/concepts/security/service-accounts.md b/content/en/docs/concepts/security/service-accounts.md
@@ -199,6 +199,10 @@ You can also use TokenRequest to obtain short-lived tokens for your external app
 
 ### Restricting access to Secrets {#enforce-mountable-secrets}
 
+{{< warning >}}
+`kubernetes.io/enforce-mountable-secrets` is deprecated in v1.32+. Use separate namespaces to isolate access to mounted secrets.
+{{< /warning >}}
+
 Kubernetes provides an annotation called `kubernetes.io/enforce-mountable-secrets`
 that you can add to your ServiceAccounts. When this annotation is applied,
 the ServiceAccount's secrets can only be mounted on specified types of resources,
diff --git a/content/en/docs/reference/access-authn-authz/admission-controllers.md b/content/en/docs/reference/access-authn-authz/admission-controllers.md
@@ -789,6 +789,10 @@ Regarding the annotation `kubernetes.io/enforce-mountable-secrets`: While the an
 its enforcement also extends to other ways Secrets are used in the context of a Pod.
 Therefore, it is crucial to ensure that all the referenced secrets are correctly specified in the ServiceAccount.
 
+{{< warning >}}
+`kubernetes.io/enforce-mountable-secrets` is deprecated in v1.32+. Use separate namespaces to isolate access to mounted secrets.
+{{< /warning >}}
+
 ### StorageObjectInUseProtection
 
 **Type**: Mutating.
diff --git a/content/en/docs/reference/labels-annotations-taints/_index.md b/content/en/docs/reference/labels-annotations-taints/_index.md
@@ -806,6 +806,10 @@ This annotation is used for describing specific behaviour of given object.
 
 ### kubernetes.io/enforce-mountable-secrets {#enforce-mountable-secrets}
 
+{{< warning >}}
+`kubernetes.io/enforce-mountable-secrets` is deprecated in v1.32+. Use separate namespaces to isolate access to mounted secrets.
+{{< /warning >}}
+
 Type: Annotation
 
 Example: `kubernetes.io/enforce-mountable-secrets: "true"`
