Identifying Pods Affected by Secret Rotation in OpenShift
1. Introduction
In a dynamic OpenShift Container Platform (OCP) environment, managing the lifecycle of TLS certificates is a critical operational task. When a certificate, stored in either a Secret or a ConfigMap, is rotated or updated, it is essential to identify all workloads (Pods) that consume it. Pods that mount these resources as volumes or use them in environment variables often need to be restarted to pick up the new content.
Customers frequently require a comprehensive list of all pods that will be affected by a certificate rotation to plan for potential service interruptions and ensure a smooth transition. This document outlines a non-disruptive method and provides a script to generate this list by analyzing pod specifications across the entire cluster.
2. Methodology
The core principle behind this approach is that if a pod is restarted during a certificate rotation, it’s likely because it directly consumes the certificate’s content from a Secret or ConfigMap. The OpenShift control plane or an operator might trigger this restart to force the pod to reload its configuration.
The script systematically scans the YAML definition of every running pod to identify these dependencies. It automates this process by checking for references to Secrets and ConfigMaps in several key areas of a pod’s specification, including both standard and init containers:
spec.volumes: Pods mounting a Secret or ConfigMap as a data volume.spec.containers[*].envFrom: Pods sourcing all key-value pairs from a Secret or ConfigMap as environment variables.spec.containers[*].env: Pods sourcing specific keys from a Secret or ConfigMap as environment variables.spec.initContainers[*]: The same checks are also performed for init containers.
Instead of filtering by resource type, the script inspects the data within all Secrets and ConfigMaps. It decodes secret data and directly reads ConfigMap data to identify any content that is a valid X.509 certificate. This content-based approach ensures that any pod consuming a certificate is identified, regardless of how the resource is labeled.
3. Analysis Script
The following Bash script iterates through all relevant secrets in the cluster and, for each secret, queries for pods in the same namespace that reference it.
#!/bin/bash
# ==============================================================================
# Script Function: Iterate through all Secrets and ConfigMaps in all namespaces
# of an OpenShift cluster, decode their data, identify any
# valid X.509 certificates, and list the pods that use them.
# ==============================================================================
set -eo pipefail
# Get a list of all non-core system namespaces (customize the scope as needed).
# To get all namespaces: oc get ns -o jsonpath='{.items[*].metadata.name}'
NAMESPACES=$(oc get ns -o jsonpath='{.items[*].metadata.name}' | xargs -n1)
echo "Starting scan for the following namespaces: "
echo "$NAMESPACES"
echo "======================================================================================================================================================"
printf "%-30s %-40s %-15s %-25s %-10s %s\n" "NAMESPACE" "RESOURCE_NAME" "RESOURCE_TYPE" "DATA_KEY" "IS_CERT?" "AFFECTED_PODS"
echo "======================================================================================================================================================"
# Iterate through each namespace
for ns in $NAMESPACES; do
# Get all pods in the current namespace once to avoid multiple calls
PODS_JSON=$(oc get pods -n "$ns" -o json)
# --- Process Secrets ---
SECRETS_JSON=$(oc get secret -n "$ns" -o json)
echo "$SECRETS_JSON" | jq -c '.items[] | {name: .metadata.name, type: .type, data: .data}' | while read -r secret_line; do
SECRET_NAME=$(echo "$secret_line" | jq -r '.name')
SECRET_TYPE=$(echo "$secret_line" | jq -r '.type')
if ! echo "$secret_line" | jq -e '.data' > /dev/null; then
continue
fi
echo "$secret_line" | jq -r '.data | keys[]' | while read -r key; do
DECODED_DATA=$(echo "$secret_line" | jq -r --arg k "$key" '.data[$k]' | base64 -d 2>/dev/null)
IS_CERT="No"
if [[ "$DECODED_DATA" == *"-----BEGIN CERTIFICATE-----"* ]]; then
if echo "$DECODED_DATA" | openssl x509 -noout -text > /dev/null 2>&1; then
IS_CERT="Yes"
fi
fi
if [ "$IS_CERT" == "Yes" ]; then
# Find pods affected by this secret
AFFECTED_PODS=$(echo "$PODS_JSON" | jq -r --arg secret_name "$SECRET_NAME" '
.items[] |
select(
(.spec.volumes[]?.secret.secretName == $secret_name) or
(.spec.containers[]?.env[]?.valueFrom.secretKeyRef.name == $secret_name) or
(.spec.containers[]?.envFrom[]?.secretRef.name == $secret_name) or
(.spec.initContainers[]?.env[]?.valueFrom.secretKeyRef.name == $secret_name) or
(.spec.initContainers[]?.envFrom[]?.secretRef.name == $secret_name)
) | .metadata.name' | tr '\n' ',' | sed 's/,$//')
if [ -n "$AFFECTED_PODS" ]; then
printf "%-30s %-40s %-15s %-25s %-10s %s\n" "$ns" "$SECRET_NAME" "Secret" "$key" "$IS_CERT" "$AFFECTED_PODS"
fi
fi
done
done
# --- Process ConfigMaps ---
CONFIGMAPS_JSON=$(oc get configmap -n "$ns" -o json)
echo "$CONFIGMAPS_JSON" | jq -c '.items[] | {name: .metadata.name, data: .data}' | while read -r cm_line; do
CM_NAME=$(echo "$cm_line" | jq -r '.name')
if ! echo "$cm_line" | jq -e '.data' > /dev/null; then
continue
fi
echo "$cm_line" | jq -r '.data | keys[]' | while read -r key; do
# ConfigMap data is not base64 encoded, but we check if it looks like a cert
DECODED_DATA=$(echo "$cm_line" | jq -r --arg k "$key" '.data[$k]')
IS_CERT="No"
if [[ "$DECODED_DATA" == *"-----BEGIN CERTIFICATE-----"* ]]; then
if echo "$DECODED_DATA" | openssl x509 -noout -text > /dev/null 2>&1; then
IS_CERT="Yes"
fi
fi
if [ "$IS_CERT" == "Yes" ]; then
# Find pods affected by this configmap
AFFECTED_PODS=$(echo "$PODS_JSON" | jq -r --arg cm_name "$CM_NAME" '
.items[] |
select(
(.spec.volumes[]?.configMap.name == $cm_name) or
(.spec.containers[]?.env[]?.valueFrom.configMapKeyRef.name == $cm_name) or
(.spec.containers[]?.envFrom[]?.configMapRef.name == $cm_name) or
(.spec.initContainers[]?.env[]?.valueFrom.configMapKeyRef.name == $cm_name) or
(.spec.initContainers[]?.envFrom[]?.configMapRef.name == $cm_name)
) | .metadata.name' | tr '\n' ',' | sed 's/,$//')
if [ -n "$AFFECTED_PODS" ]; then
printf "%-30s %-40s %-15s %-25s %-10s %s\n" "$ns" "$CM_NAME" "ConfigMap" "$key" "$IS_CERT" "$AFFECTED_PODS"
fi
fi
done
done
done
echo "======================================================================================================================================================"
echo "Scan complete."4. Execution and Expected Output
To run the analysis, save the script to a file (e.g.,
find_secret_deps.sh), make it executable
(chmod +x find_secret_deps.sh), and run it while
logged into your OpenShift cluster with sufficient
permissions.
The output will be a list of secrets, each followed by the pods that depend on it.
Example Output
Starting scan for the following namespaces:
assisted-installer
default
demo
dify
kube-node-lease
kube-public
kube-system
metax-operator
openshift
openshift-apiserver
openshift-apiserver-operator
openshift-authentication
openshift-authentication-operator
openshift-catalogd
openshift-cloud-controller-manager
openshift-cloud-controller-manager-operator
openshift-cloud-credential-operator
openshift-cloud-network-config-controller
openshift-cloud-platform-infra
openshift-cluster-csi-drivers
openshift-cluster-machine-approver
openshift-cluster-node-tuning-operator
openshift-cluster-olm-operator
openshift-cluster-samples-operator
openshift-cluster-storage-operator
openshift-cluster-version
openshift-cnv
openshift-config
openshift-config-managed
openshift-config-operator
openshift-console
openshift-console-operator
openshift-console-user-settings
openshift-controller-manager
openshift-controller-manager-operator
openshift-dns
openshift-dns-operator
openshift-etcd
openshift-etcd-operator
openshift-host-network
openshift-image-registry
openshift-infra
openshift-ingress
openshift-ingress-canary
openshift-ingress-operator
openshift-insights
openshift-kni-infra
openshift-kube-apiserver
openshift-kube-apiserver-operator
openshift-kube-controller-manager
openshift-kube-controller-manager-operator
openshift-kube-scheduler
openshift-kube-scheduler-operator
openshift-kube-storage-version-migrator
openshift-kube-storage-version-migrator-operator
openshift-machine-api
openshift-machine-config-operator
openshift-marketplace
openshift-monitoring
openshift-multus
openshift-network-console
openshift-network-diagnostics
openshift-network-node-identity
openshift-network-operator
openshift-nfd
openshift-node
openshift-nutanix-infra
openshift-oauth-apiserver
openshift-openstack-infra
openshift-operator-controller
openshift-operator-lifecycle-manager
openshift-operators
openshift-ovirt-infra
openshift-ovn-kubernetes
openshift-route-controller-manager
openshift-service-ca
openshift-service-ca-operator
openshift-user-workload-monitoring
openshift-virtualization-os-images
openshift-vsphere-infra
======================================================================================================================================================
NAMESPACE RESOURCE_NAME RESOURCE_TYPE DATA_KEY IS_CERT? AFFECTED_PODS
======================================================================================================================================================
openshift-apiserver etcd-client Secret tls.crt Yes apiserver-5f5968b499-2frcn,apiserver-5f5968b499-4ww9m,apiserver-5f5968b499-qjjs7
openshift-apiserver serving-cert Secret tls.crt Yes apiserver-5f5968b499-2frcn,apiserver-5f5968b499-4ww9m,apiserver-5f5968b499-qjjs7
openshift-apiserver etcd-serving-ca ConfigMap ca-bundle.crt Yes apiserver-5f5968b499-2frcn,apiserver-5f5968b499-4ww9m,apiserver-5f5968b499-qjjs7
openshift-apiserver-operator openshift-apiserver-operator-serving-cert Secret tls.crt Yes openshift-apiserver-operator-6f99444864-rrzww
openshift-authentication v4-0-config-system-router-certs Secret apps.demo-01-rhsys.wzhlab.top Yes oauth-openshift-74b4546d9-57c6j,oauth-openshift-74b4546d9-bbbzt,oauth-openshift-74b4546d9-vmmvw
openshift-authentication v4-0-config-system-serving-cert Secret tls.crt Yes oauth-openshift-74b4546d9-57c6j,oauth-openshift-74b4546d9-bbbzt,oauth-openshift-74b4546d9-vmmvw
openshift-authentication v4-0-config-system-service-ca ConfigMap service-ca.crt Yes oauth-openshift-74b4546d9-57c6j,oauth-openshift-74b4546d9-bbbzt,oauth-openshift-74b4546d9-vmmvw
openshift-authentication-operator serving-cert Secret tls.crt Yes authentication-operator-5f67845449-722js
openshift-authentication-operator service-ca-bundle ConfigMap service-ca.crt Yes authentication-operator-5f67845449-722js
openshift-catalogd catalogserver-cert Secret tls.crt Yes catalogd-controller-manager-777b5d5796-f8w6w
openshift-cloud-controller-manager-operator cloud-controller-manager-operator-tls Secret tls.crt Yes cluster-cloud-controller-manager-operator-6dbbd6fc8b-dmff2
openshift-cloud-credential-operator cloud-credential-operator-serving-cert Secret tls.crt Yes cloud-credential-operator-78584df48f-hqq9b
openshift-cluster-machine-approver machine-approver-tls Secret tls.crt Yes machine-approver-97fd59f96-pxmbh
openshift-cluster-node-tuning-operator node-tuning-operator-tls Secret tls.crt Yes cluster-node-tuning-operator-74689f6547-wvvn6
openshift-cluster-node-tuning-operator performance-addon-operator-webhook-cert Secret tls.crt Yes cluster-node-tuning-operator-74689f6547-wvvn6
openshift-cluster-olm-operator cluster-olm-operator-serving-cert Secret tls.crt Yes cluster-olm-operator-8485c9f87b-792sz
openshift-cluster-samples-operator samples-operator-tls Secret tls.crt Yes cluster-samples-operator-ccfc984f6-gsln6
openshift-cluster-storage-operator cluster-storage-operator-serving-cert Secret tls.crt Yes cluster-storage-operator-59979b9688-sh5d4
openshift-cluster-version cluster-version-operator-serving-cert Secret tls.crt Yes cluster-version-operator-6654b8544d-5hv2n
openshift-cluster-version openshift-service-ca.crt ConfigMap service-ca.crt Yes cluster-version-operator-6654b8544d-5hv2n
openshift-cnv cdi-apiserver-server-cert Secret tls.crt Yes cdi-apiserver-756887b9d-jhm4l
openshift-cnv cdi-uploadproxy-server-cert Secret tls.crt Yes cdi-uploadproxy-7885c5bd67-8kswm
openshift-cnv cdi-uploadserver-client-cert Secret tls.crt Yes cdi-uploadproxy-7885c5bd67-8kswm
openshift-cnv cdi-uploadserver-client-signer Secret tls.crt Yes cdi-deployment-6786bb7f8d-jvm8h
openshift-cnv cdi-uploadserver-signer Secret tls.crt Yes cdi-deployment-6786bb7f8d-jvm8h
openshift-cnv console-proxy-serving-cert Secret tls.crt Yes kubevirt-apiserver-proxy-8445d89cc-hdkrr,kubevirt-apiserver-proxy-8445d89cc-rjs5r
openshift-cnv hco-webhook-service-cert Secret olmCAKey Yes hco-webhook-599f5b494f-v26ln,hco-webhook-599f5b494f-v26ln
openshift-cnv hco-webhook-service-cert Secret tls.crt Yes hco-webhook-599f5b494f-v26ln,hco-webhook-599f5b494f-v26ln
openshift-cnv hostpath-provisioner-operator-service-cert Secret olmCAKey Yes hostpath-provisioner-operator-75657f77d7-zzdwp,hostpath-provisioner-operator-75657f77d7-zzdwp
openshift-cnv hostpath-provisioner-operator-service-cert Secret tls.crt Yes hostpath-provisioner-operator-75657f77d7-zzdwp,hostpath-provisioner-operator-75657f77d7-zzdwp
openshift-cnv kubemacpool-service Secret tls.crt Yes kubemacpool-mac-controller-manager-5f66f9f8fd-xs5v2
openshift-cnv kubevirt-controller-certs Secret tls.crt Yes virt-controller-546cb8f97f-5ttx9,virt-controller-546cb8f97f-s65cv
openshift-cnv kubevirt-export-ca Secret tls.crt Yes virt-controller-546cb8f97f-5ttx9,virt-controller-546cb8f97f-s65cv
openshift-cnv kubevirt-exportproxy-certs Secret tls.crt Yes virt-exportproxy-c6555db98-jn7mx,virt-exportproxy-c6555db98-ppt6x
openshift-cnv kubevirt-ipam-controller-webhook-service Secret tls.crt Yes kubevirt-ipam-controller-manager-75757f4497-njrtz
openshift-cnv kubevirt-operator-certs Secret tls.crt Yes virt-operator-995c596c8-pvnb9,virt-operator-995c596c8-x7s7k
openshift-cnv kubevirt-virt-api-certs Secret tls.crt Yes virt-api-6c94b5895b-hd824,virt-api-6c94b5895b-lthfp
openshift-cnv kubevirt-virt-handler-certs Secret tls.crt Yes virt-api-6c94b5895b-hd824,virt-api-6c94b5895b-lthfp,virt-handler-hlqlv,virt-handler-v5nq7
openshift-cnv kubevirt-virt-handler-server-certs Secret tls.crt Yes virt-handler-hlqlv,virt-handler-v5nq7
openshift-cnv plugin-serving-cert Secret tls.crt Yes kubevirt-console-plugin-7c57dfd9bb-bnclt,kubevirt-console-plugin-7c57dfd9bb-ltjhf
openshift-cnv ssp-operator-service-cert Secret olmCAKey Yes ssp-operator-58d75bfd68-966pw,ssp-operator-58d75bfd68-966pw
openshift-cnv ssp-operator-service-cert Secret tls.crt Yes ssp-operator-58d75bfd68-966pw,ssp-operator-58d75bfd68-966pw
openshift-cnv virt-template-validator-certs Secret tls.crt Yes virt-template-validator-8469bf6d5-4f27j,virt-template-validator-8469bf6d5-bpwpk
openshift-cnv cdi-apiserver-signer-bundle ConfigMap ca-bundle.crt Yes cdi-apiserver-756887b9d-jhm4l
openshift-cnv cdi-uploadserver-client-signer-bundle ConfigMap ca-bundle.crt Yes cdi-deployment-6786bb7f8d-jvm8h
openshift-cnv cdi-uploadserver-signer-bundle ConfigMap ca-bundle.crt Yes cdi-deployment-6786bb7f8d-jvm8h
openshift-config-operator config-operator-serving-cert Secret tls.crt Yes openshift-config-operator-84cbc8b945-749jq
openshift-console console-serving-cert Secret tls.crt Yes console-79bcfb47dc-sfqzd,console-79bcfb47dc-x74h2
openshift-console oauth-serving-cert ConfigMap ca-bundle.crt Yes console-79bcfb47dc-sfqzd,console-79bcfb47dc-x74h2
openshift-console service-ca ConfigMap service-ca.crt Yes console-79bcfb47dc-sfqzd,console-79bcfb47dc-x74h2
openshift-console-operator serving-cert Secret tls.crt Yes console-operator-5b49775cb-dt5x2
openshift-controller-manager serving-cert Secret tls.crt Yes controller-manager-57799df4b6-4t7ph,controller-manager-57799df4b6-nrthw,controller-manager-57799df4b6-rvsfp
openshift-controller-manager client-ca ConfigMap ca-bundle.crt Yes controller-manager-57799df4b6-4t7ph,controller-manager-57799df4b6-nrthw,controller-manager-57799df4b6-rvsfp
openshift-controller-manager-operator openshift-controller-manager-operator-serving-cert Secret tls.crt Yes openshift-controller-manager-operator-6676dc9d9d-jtdns
openshift-dns dns-default-metrics-tls Secret tls.crt Yes dns-default-9wx5h,dns-default-f9d6b,dns-default-hxxnj,dns-default-ml9kj,dns-default-qhqh6
openshift-dns-operator metrics-tls Secret tls.crt Yes dns-operator-79bdb84866-75zwq
openshift-etcd-operator etcd-client Secret tls.crt Yes etcd-operator-5964bd444b-rhdbb
openshift-etcd-operator etcd-operator-serving-cert Secret tls.crt Yes etcd-operator-5964bd444b-rhdbb
openshift-etcd-operator etcd-ca-bundle ConfigMap ca-bundle.crt Yes etcd-operator-5964bd444b-rhdbb
openshift-etcd-operator etcd-service-ca-bundle ConfigMap service-ca.crt Yes etcd-operator-5964bd444b-rhdbb
openshift-image-registry image-registry-operator-tls Secret tls.crt Yes cluster-image-registry-operator-655f745975-hh256
openshift-image-registry serviceca ConfigMap service-ca.crt Yes image-pruner-29341440-shxgb
openshift-ingress router-certs-default Secret tls.crt Yes router-default-ccd7f76dc-4vbzb,router-default-ccd7f76dc-xk89b
openshift-ingress router-metrics-certs-default Secret tls.crt Yes router-default-ccd7f76dc-4vbzb,router-default-ccd7f76dc-xk89b
openshift-ingress service-ca-bundle ConfigMap service-ca.crt Yes router-default-ccd7f76dc-4vbzb,router-default-ccd7f76dc-xk89b
openshift-ingress-canary canary-serving-cert Secret tls.crt Yes ingress-canary-p7wfb,ingress-canary-vjk22
openshift-ingress-operator metrics-tls Secret tls.crt Yes ingress-operator-5b6cfcb4db-ll9cz
openshift-insights openshift-insights-serving-cert Secret tls.crt Yes insights-operator-6d59cd74d-k65fp
openshift-insights service-ca-bundle ConfigMap service-ca.crt Yes insights-operator-6d59cd74d-k65fp
openshift-kube-apiserver-operator kube-apiserver-operator-serving-cert Secret tls.crt Yes kube-apiserver-operator-5c85dd6dc4-rt57n
openshift-kube-controller-manager-operator kube-controller-manager-operator-serving-cert Secret tls.crt Yes kube-controller-manager-operator-74669f959b-hw5bt
openshift-kube-scheduler-operator kube-scheduler-operator-serving-cert Secret tls.crt Yes openshift-kube-scheduler-operator-c4fb798c8-xlbl9
openshift-kube-storage-version-migrator-operator serving-cert Secret tls.crt Yes kube-storage-version-migrator-operator-59dddb5bb9-8h8x2
openshift-machine-api baremetal-operator-webhook-server-cert Secret tls.crt Yes metal3-baremetal-operator-6c9f48fbfd-jdx9s,metal3-cf57bd6cc-pbgdj
openshift-machine-api cluster-autoscaler-operator-cert Secret tls.crt Yes cluster-autoscaler-operator-ccd65997c-mkgrl
openshift-machine-api cluster-baremetal-operator-tls Secret tls.crt Yes cluster-baremetal-operator-75b88bb6f5-fllcz
openshift-machine-api cluster-baremetal-webhook-server-cert Secret tls.crt Yes cluster-baremetal-operator-75b88bb6f5-fllcz
openshift-machine-api control-plane-machine-set-operator-tls Secret tls.crt Yes control-plane-machine-set-operator-58857684fd-sclvm
openshift-machine-api machine-api-controllers-tls Secret tls.crt Yes machine-api-controllers-79859b4c5b-9mwhc
openshift-machine-api machine-api-operator-machine-webhook-cert Secret tls.crt Yes machine-api-controllers-79859b4c5b-9mwhc
openshift-machine-api machine-api-operator-tls Secret tls.crt Yes machine-api-operator-6cd8d89f85-2wx2d
openshift-machine-api machine-api-operator-webhook-cert Secret tls.crt Yes machine-api-controllers-79859b4c5b-9mwhc
openshift-machine-api metal3-ironic-tls Secret tls.crt Yes ironic-proxy-hnpkh,ironic-proxy-sfrck,ironic-proxy-sgmtv,metal3-baremetal-operator-6c9f48fbfd-jdx9s,metal3-cf57bd6cc-pbgdj,metal3-cf57bd6cc-pbgdj
openshift-machine-config-operator machine-config-server-tls Secret tls.crt Yes machine-config-server-95h7m,machine-config-server-kg497,machine-config-server-nktls
openshift-machine-config-operator mcc-proxy-tls Secret tls.crt Yes machine-config-controller-74c587c5b7-n4gp6
openshift-machine-config-operator mco-proxy-tls Secret tls.crt Yes machine-config-operator-7c7c9fd5d5-r6hh4
openshift-machine-config-operator node-bootstrapper-token Secret ca.crt Yes machine-config-server-95h7m,machine-config-server-kg497,machine-config-server-nktls
openshift-machine-config-operator node-bootstrapper-token Secret service-ca.crt Yes machine-config-server-95h7m,machine-config-server-kg497,machine-config-server-nktls
openshift-machine-config-operator proxy-tls Secret tls.crt Yes machine-config-daemon-c5xsg,machine-config-daemon-c8vb4,machine-config-daemon-dwjfs,machine-config-daemon-pzdmv,machine-config-daemon-wn445
openshift-marketplace marketplace-operator-metrics Secret tls.crt Yes marketplace-operator-8f9b9fb7d-zwm85
openshift-monitoring alertmanager-main-tls Secret tls.crt Yes alertmanager-main-0,alertmanager-main-1
openshift-monitoring cluster-monitoring-operator-tls Secret tls.crt Yes cluster-monitoring-operator-65994857cb-c7lzr
openshift-monitoring federate-client-certs Secret tls.crt Yes telemeter-client-649877dcbf-56qwb
openshift-monitoring kube-state-metrics-tls Secret tls.crt Yes kube-state-metrics-6df76c88bc-qtg9h
openshift-monitoring metrics-client-certs Secret tls.crt Yes metrics-server-cc6c4bf86-t8n7l,metrics-server-cc6c4bf86-tz6mv,prometheus-k8s-0,prometheus-k8s-1
openshift-monitoring metrics-server-27h06ve19b34m Secret client-ca-file Yes metrics-server-cc6c4bf86-t8n7l,metrics-server-cc6c4bf86-tz6mv
openshift-monitoring metrics-server-27h06ve19b34m Secret requestheader-client-ca-file Yes metrics-server-cc6c4bf86-t8n7l,metrics-server-cc6c4bf86-tz6mv
openshift-monitoring metrics-server-27h06ve19b34m Secret tls.crt Yes metrics-server-cc6c4bf86-t8n7l,metrics-server-cc6c4bf86-tz6mv
openshift-monitoring metrics-server-tls Secret tls.crt Yes metrics-server-cc6c4bf86-t8n7l,metrics-server-cc6c4bf86-tz6mv
openshift-monitoring monitoring-plugin-cert Secret tls.crt Yes monitoring-plugin-56b7798bcd-dgggj,monitoring-plugin-56b7798bcd-m8hxr
openshift-monitoring node-exporter-tls Secret tls.crt Yes node-exporter-bcpkw,node-exporter-jh5tj,node-exporter-p6f6l,node-exporter-s89d5,node-exporter-vg6d4
openshift-monitoring openshift-state-metrics-tls Secret tls.crt Yes openshift-state-metrics-8ddcc6b87-2g5gs
openshift-monitoring prometheus-k8s-grpc-tls-ai1pjcpq5svdd Secret ca.crt Yes prometheus-k8s-0,prometheus-k8s-1
openshift-monitoring prometheus-k8s-grpc-tls-ai1pjcpq5svdd Secret server.crt Yes prometheus-k8s-0,prometheus-k8s-1
openshift-monitoring prometheus-k8s-thanos-sidecar-tls Secret tls.crt Yes prometheus-k8s-0,prometheus-k8s-1
openshift-monitoring prometheus-k8s-tls Secret tls.crt Yes prometheus-k8s-0,prometheus-k8s-1
openshift-monitoring prometheus-operator-admission-webhook-tls Secret tls.crt Yes prometheus-operator-admission-webhook-9689fcf8d-qvp6s,prometheus-operator-admission-webhook-9689fcf8d-xwfhh
openshift-monitoring prometheus-operator-tls Secret tls.crt Yes prometheus-operator-5498867974-wh8cq
openshift-monitoring telemeter-client-tls Secret tls.crt Yes telemeter-client-649877dcbf-56qwb
openshift-monitoring thanos-querier-grpc-tls-2lj4ol37s9vin Secret ca.crt Yes thanos-querier-cdc655-999fw,thanos-querier-cdc655-x2lrd
openshift-monitoring thanos-querier-grpc-tls-2lj4ol37s9vin Secret client.crt Yes thanos-querier-cdc655-999fw,thanos-querier-cdc655-x2lrd
openshift-monitoring thanos-querier-tls Secret tls.crt Yes thanos-querier-cdc655-999fw,thanos-querier-cdc655-x2lrd
openshift-monitoring kubelet-serving-ca-bundle ConfigMap ca-bundle.crt Yes metrics-server-cc6c4bf86-t8n7l,metrics-server-cc6c4bf86-tz6mv,prometheus-k8s-0,prometheus-k8s-1
openshift-monitoring metrics-client-ca ConfigMap client-ca.crt Yes alertmanager-main-0,alertmanager-main-1,kube-state-metrics-6df76c88bc-qtg9h,node-exporter-bcpkw,node-exporter-jh5tj,node-exporter-p6f6l,node-exporter-s89d5,node-exporter-vg6d4,openshift-state-metrics-8ddcc6b87-2g5gs,prometheus-k8s-0,prometheus-k8s-1,prometheus-operator-5498867974-wh8cq,telemeter-client-649877dcbf-56qwb,thanos-querier-cdc655-999fw,thanos-querier-cdc655-x2lrd
openshift-monitoring serving-certs-ca-bundle ConfigMap service-ca.crt Yes prometheus-k8s-0,prometheus-k8s-1
openshift-monitoring telemeter-client-serving-certs-ca-bundle ConfigMap service-ca.crt Yes telemeter-client-649877dcbf-56qwb
openshift-multus metrics-daemon-secret Secret tls.crt Yes network-metrics-daemon-4d5xc,network-metrics-daemon-6vq85,network-metrics-daemon-ncgh4,network-metrics-daemon-qkkcr,network-metrics-daemon-tskrx
openshift-multus multus-admission-controller-secret Secret tls.crt Yes multus-admission-controller-6694ff8986-7j74t,multus-admission-controller-6694ff8986-jkdfs
openshift-network-console networking-console-plugin-cert Secret tls.crt Yes networking-console-plugin-6657c799c8-7fpb7,networking-console-plugin-6657c799c8-zc45g
openshift-network-node-identity network-node-identity-cert Secret tls.crt Yes network-node-identity-4d67q,network-node-identity-lncd9,network-node-identity-wbvvt
openshift-network-operator metrics-tls Secret tls.crt Yes network-operator-799856644c-prvht
openshift-oauth-apiserver etcd-client Secret tls.crt Yes apiserver-ddcdcd6bd-4s575,apiserver-ddcdcd6bd-9fd2w,apiserver-ddcdcd6bd-9qc45
openshift-oauth-apiserver serving-cert Secret tls.crt Yes apiserver-ddcdcd6bd-4s575,apiserver-ddcdcd6bd-9fd2w,apiserver-ddcdcd6bd-9qc45
openshift-oauth-apiserver etcd-serving-ca ConfigMap ca-bundle.crt Yes apiserver-ddcdcd6bd-4s575,apiserver-ddcdcd6bd-9fd2w,apiserver-ddcdcd6bd-9qc45
openshift-operator-lifecycle-manager catalog-operator-serving-cert Secret tls.crt Yes catalog-operator-75b8957c45-2pf48
openshift-operator-lifecycle-manager olm-operator-serving-cert Secret tls.crt Yes olm-operator-5b7f78c6b6-shm82
openshift-operator-lifecycle-manager package-server-manager-serving-cert Secret tls.crt Yes package-server-manager-754bf578b7-8mkz4
openshift-operator-lifecycle-manager packageserver-service-cert Secret olmCAKey Yes packageserver-64878d4dd5-465xp,packageserver-64878d4dd5-465xp,packageserver-64878d4dd5-sd9qv,packageserver-64878d4dd5-sd9qv
openshift-operator-lifecycle-manager packageserver-service-cert Secret tls.crt Yes packageserver-64878d4dd5-465xp,packageserver-64878d4dd5-465xp,packageserver-64878d4dd5-sd9qv,packageserver-64878d4dd5-sd9qv
openshift-operator-lifecycle-manager pprof-cert Secret tls.crt Yes catalog-operator-75b8957c45-2pf48,collect-profiles-29342025-qgc2r,collect-profiles-29342040-fhkd8,collect-profiles-29342055-sfxjb,olm-operator-5b7f78c6b6-shm82
openshift-ovn-kubernetes ovn-control-plane-metrics-cert Secret tls.crt Yes ovnkube-control-plane-8944998dd-75q5l,ovnkube-control-plane-8944998dd-gfw6k
openshift-ovn-kubernetes ovn-node-metrics-cert Secret tls.crt Yes ovnkube-node-7fbbw,ovnkube-node-cs8vj,ovnkube-node-nb2kg,ovnkube-node-w4lzz,ovnkube-node-zhfd9
openshift-route-controller-manager serving-cert Secret tls.crt Yes route-controller-manager-5cf9c49b58-5g6sr,route-controller-manager-5cf9c49b58-rnnkz,route-controller-manager-5cf9c49b58-swdpx
openshift-route-controller-manager client-ca ConfigMap ca-bundle.crt Yes route-controller-manager-5cf9c49b58-5g6sr,route-controller-manager-5cf9c49b58-rnnkz,route-controller-manager-5cf9c49b58-swdpx
openshift-service-ca signing-key Secret tls.crt Yes service-ca-9fb465979-jchfr
openshift-service-ca signing-cabundle ConfigMap ca-bundle.crt Yes service-ca-9fb465979-jchfr
openshift-service-ca-operator serving-cert Secret tls.crt Yes service-ca-operator-647d5866b5-nkzp5
======================================================================================================================================================
Scan complete.