Hi Team

As per the documentation link: Kube api-server is supposed to validate the keys for secret type: kubernetes.io/basic-auth.
However, I have observed that secrets are still being created if the valid keys are not in the secret manifest.

https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret

apiVersion: v1
kind: Secret
metadata:
name: secret-basic-auth
type: kubernetes.io/basic-auth
stringData:
username: admin # required field for kubernetes.io/basic-auth

Thanks for mentioning this. What's not right about the documentation, in your opinion, @thinkvatsa?

/language en

As per documentation, for the secret type: kubernetes.io/basic-auth, they keys (username, password) are validated during secret creation.

However, I am able to generate this secret of type kubernetes.io/basic-auth without mentioning password key in the manifest.

Is the documentation correct? If yes, then validation is missing? @sftim

It sounds like you're saying that specifically

The Kubernetes API verifies that the required keys are set for a Secret of this type.

is wrong. As well as removing that text, we make it clear that “must” means ”you are expected to ensure this” and not “your cluster enforces this“.

/triage accepted

If you want the cluster to enforce that those keys are set, you could make a feature request @thinkvatsa.

As an aside: would be nice to document some ValidatingAdmissionPolicies that do enforce this rule.

/assign @pegasas
I will create a PR for fixing this.