From 8499705a68a536e87a78990e7573c0a36b55a78e Mon Sep 17 00:00:00 2001 From: Michael Fraenkel Date: Thu, 9 Mar 2017 14:50:42 -0800 Subject: [PATCH] Document pod lifecycle when using EnvFrom - Pods do not start with missing ConfigMaps or Secrets - Pods do not start with missing keys in ConfigMaps or Secrets - Pods start with invalid keys when referring to entire ConfigMaps or Secrets. An event documents the skipped keys from said resource. --- docs/user-guide/configmap/index.md | 20 ++++++++++++++++++-- docs/user-guide/secrets/index.md | 20 ++++++++++++++++++++ 2 files changed, 38 insertions(+), 2 deletions(-) diff --git a/docs/user-guide/configmap/index.md b/docs/user-guide/configmap/index.md index ae5880c162dcd..66b6554eb7b91 100644 --- a/docs/user-guide/configmap/index.md +++ b/docs/user-guide/configmap/index.md 
@@ -592,10 +592,27 @@ $ kubectl exec -it redis redis-cli ## Restrictions ConfigMaps must be created before they are consumed in pods unless they are -marked as optional. Controllers may be written to tolerate missing +marked as optional. References to ConfigMaps that do not exist will prevent +the pod from starting. Controllers may be written to tolerate missing configuration data; consult individual components configured via ConfigMap on a case-by-case basis. +References via configMapKeyRef to keys that do not exist in a named ConfigMap +will prevent the pod from starting. + +ConfigMaps used to populate environment variables via envFrom that have keys +that are considered invalid environment variable names will have those keys +skipped. The pod will be allowed to start. There will be an event whose +reason is InvalidVariableNames and the message will contain the list of +invalid keys that were skipped. The example shows a pod which refers to the +default/myconfig ConfigMap that contains 2 invalid keys, 1badkey and 2alsobad. + +```shell +$ kubectl.sh get events +LASTSEEN FIRSTSEEN COUNT NAME KIND SUBOBJECT TYPE REASON +0s 0s 1 dapi-test-pod Pod Warning InvalidEnvironmentVariableNames kubelet, 127.0.0.1 Keys [1badkey, 2alsobad] from the EnvFrom configMap default/myconfig were skipped since they are considered invalid environment variable names. +``` + ConfigMaps reside in a namespace. They can only be referenced by pods in the same namespace. Quota for ConfigMap size is a planned feature. @@ -605,4 +622,3 @@ created using kubectl, or indirectly via a replication controller. It does not via the Kubelet's `--manifest-url` flag, its `--config` flag, or its REST API (these are not common ways to create pods.) -**NOTE:** The key-value `optional:true` is supported for Kubernetes 1.6 and above. diff --git a/docs/user-guide/secrets/index.md b/docs/user-guide/secrets/index.md index 8b7c7ae2fbd62..ffe50730f1f18 100644 --- a/docs/user-guide/secrets/index.md 
+++ b/docs/user-guide/secrets/index.md @@ -468,6 +468,26 @@ controller. It does not include pods created via the kubelets `--manifest-url` flag, its `--config` flag, or its REST API (these are not common ways to create pods.) +Secrets must be created before they are consumed in pods as environment +variables unless they are marked as optional. References to Secrets that do not exist will prevent +the pod from starting. + +References via secretKeyRef to keys that do not exist in a named Secret +will prevent the pod from starting. + +Secrets used to populate environment variables via envFrom that have keys +that are considered invalid environment variable names will have those keys +skipped. The pod will be allowed to start. There will be an event whose +reason is InvalidVariableNames and the message will contain the list of +invalid keys that were skipped. The example shows a pod which refers to the +default/mysecret ConfigMap that contains 2 invalid keys, 1badkey and 2alsobad. + +```shell +$ kubectl.sh get events +LASTSEEN FIRSTSEEN COUNT NAME KIND SUBOBJECT TYPE REASON +0s 0s 1 dapi-test-pod Pod Warning InvalidEnvironmentVariableNames kubelet, 127.0.0.1 Keys [1badkey, 2alsobad] from the EnvFrom secret default/mysecret were skipped since they are considered invalid environment variable names. +``` + ### Secret and Pod Lifetime interaction When a pod is created via the API, there is no check whether a referenced
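Review bot: In the docs/user-guide/configmap/index.md Restrictions hunk, the prose gives the event reason as InvalidVariableNames, but the sample output directly below it shows InvalidEnvironmentVariableNames. Anyone filtering or alerting on events by reason needs the exact string, so change the prose to match the output. The sample table's header row also ends at REASON while the data row carries two further fields (the source "kubelet, 127.0.0.1" and the message text), so add headers for those columns. The command is written as kubectl.sh, whereas the hunk's own context line uses kubectl ("$ kubectl exec -it redis redis-cli"); use kubectl here as well.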
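Review bot: The second docs/user-guide/configmap/index.md hunk (@@ -605,4 +622,3 @@) deletes the note that optional:true is supported for Kubernetes 1.6 and above, yet the rewritten Restrictions paragraph still depends on ConfigMaps being "marked as optional". With the note gone, the version requirement is no longer documented anywhere in the visible text, and the commit message does not mention the removal. Keep the note, or fold the version requirement into the "unless they are marked as optional" sentence.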
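Review bot: In the docs/user-guide/secrets/index.md hunk, the example sentence reads "default/mysecret ConfigMap"; this looks copied from the ConfigMap page and should say Secret, matching the event message ("from the EnvFrom secret default/mysecret"). The prose here also names the reason as InvalidVariableNames while the sample output shows InvalidEnvironmentVariableNames, the header row lacks the last two columns present in the data row, and the command is kubectl.sh rather than kubectl. Since the event message lists the skipped key names from the Secret, it is worth one sentence stating that these key names (not their values) become visible to anyone who can read events in the namespace. Minor: the first added sentence ("unless they are marked as optional. References to Secrets that do not exist will prevent") is not wrapped like the lines around it.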