Merge pull request #48771 from ritazh/deprecate-EnforceMountableSecretsAnnotation

Add deprecation warnings for enforce-mountable-secrets annotation

content/en/docs/concepts/configuration/secret.md

@@ -666,10 +666,7 @@ Therefore, one Pod does not have access to the Secrets of another Pod.
 
 ### Configure least-privilege access to Secrets
 
-To enhance the security measures around Secrets, Kubernetes provides a mechanism: you can
+To enhance the security measures around Secrets, use separate namespaces to isolate access to mounted secrets.
-annotate a ServiceAccount as `kubernetes.io/enforce-mountable-secrets: "true"`.
-
-For more information, you can refer to the [documentation about this annotation](/docs/concepts/security/service-accounts/#enforce-mountable-secrets).
 
 {{< warning >}}
 Any containers that run with `privileged: true` on a node can access all

content/en/docs/concepts/security/secrets-good-practices.md

@@ -62,11 +62,8 @@ recommendations include:
 *  Implement audit rules that alert on specific events, such as concurrent
    reading of multiple Secrets by a single user
 
-#### Additional ServiceAccount annotations for Secret management
+#### Restrict Access for Secrets
-
+Use separate namespaces to isolate access to mounted secrets.
-You can also use the `kubernetes.io/enforce-mountable-secrets` annotation on
-a ServiceAccount to enforce specific rules on how Secrets are used in a Pod.
-For more details, see the [documentation on this annotation](/docs/reference/labels-annotations-taints/#enforce-mountable-secrets).
 
 ### Improve etcd management policies
 

content/en/docs/concepts/security/service-accounts.md

@@ -197,7 +197,13 @@ or using a custom mechanism such as an [authentication webhook](/docs/reference/
 You can also use TokenRequest to obtain short-lived tokens for your external application.
 {{< /note >}}
 
-### Restricting access to Secrets {#enforce-mountable-secrets}
+### Restricting access to Secrets (deprecated) {#enforce-mountable-secrets}
+
+{{< feature-state for_k8s_version="v1.32" state="deprecated" >}}
+
+{{< note >}}
+`kubernetes.io/enforce-mountable-secrets` is deprecated since Kubernetes v1.32. Use separate namespaces to isolate access to mounted secrets.
+{{< /note >}}
 
 Kubernetes provides an annotation called `kubernetes.io/enforce-mountable-secrets`
 that you can add to your ServiceAccounts. When this annotation is applied,

content/en/docs/reference/access-authn-authz/admission-controllers.md

@@ -785,9 +785,7 @@ The Kubernetes project strongly recommends enabling this admission controller.
 You should enable this admission controller if you intend to make any use of Kubernetes
 `ServiceAccount` objects.
 
-Regarding the annotation `kubernetes.io/enforce-mountable-secrets`: While the annotation's name suggests it only concerns the mounting of Secrets,
+To enhance the security measures around Secrets, use separate namespaces to isolate access to mounted secrets.
-its enforcement also extends to other ways Secrets are used in the context of a Pod.
-Therefore, it is crucial to ensure that all the referenced secrets are correctly specified in the ServiceAccount.
 
 ### StorageObjectInUseProtection
 

content/en/docs/reference/labels-annotations-taints/_index.md

@@ -804,7 +804,7 @@ Used on: All Objects
 
 This annotation is used for describing specific behaviour of given object.
 
-### kubernetes.io/enforce-mountable-secrets {#enforce-mountable-secrets}
+### kubernetes.io/enforce-mountable-secrets (deprecated) {#enforce-mountable-secrets}
 
 Type: Annotation
 
@@ -812,6 +812,10 @@ Example: `kubernetes.io/enforce-mountable-secrets: "true"`
 
 Used on: ServiceAccount
 
+{{< note >}}
+`kubernetes.io/enforce-mountable-secrets` is deprecated since Kubernetes v1.32. Use separate namespaces to isolate access to mounted secrets.
+{{< /note >}}
+
 The value for this annotation must be **true** to take effect.
 When you set this annotation  to "true", Kubernetes enforces the following rules for
 Pods running as this ServiceAccount: