Openshift secure delete using "oc delete secret"

3/20/2020

I have been asked by security auditors to explain the underlying process of "oc delete secret". What they want to establish is that the secret is not recoverable by forensics tools, for example, once deleted.

Thanks in advance for any input.

-- Michael
Tags: etcd, kubernetes, okd, openshift

1 Answer

3/20/2020

There are a lot of layers you would have to peel in order to do a thorough assessment/audit. Start by looking at the calls performed by the oc CLI, which underneath should be sending a request to the DELETE secret endpoint on the API Server.

Ultimately, in Kubernetes, the delete operation will come down to deleting a key from the etcd datastore as seen here. You can further dig into the etcd Go API and etcd internals in order to determine how the deletion is performed across cluster nodes on commit, and whether a forensics tool would be able to pry into the storage blocks on disk.

Also, ensure Pods that mount the secrets are not writing the data to disk or to logs.

-- davidmontoyago
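One way to carry out the checks the answer describes, as an added example that is not part of the original answer: it follows the delete down to the etcd key and shows what is still readable at an older revision until compaction and defrag. It assumes oc, jq and a v3 etcdctl already pointed at the cluster's etcd through ETCDCTL_* variables; the "kubernetes.io" key prefix is OpenShift's default (upstream Kubernetes uses "registry").

```shell
#!/bin/sh
# Added example, not part of the answer. Follows "oc delete secret" down to the etcd
# key the answer refers to and checks what remains readable afterwards.
# Assumes oc, jq and a v3 etcdctl already pointed at the cluster's etcd (ETCDCTL_*).
set -eu

# Key layout of the kube-apiserver etcd3 storage backend: /<prefix>/secrets/<ns>/<name>.
# OpenShift/OKD configure the prefix "kubernetes.io"; upstream Kubernetes uses "registry".
ETCD_PREFIX=${ETCD_PREFIX:-kubernetes.io}

etcd_secret_key() {
  printf '/%s/secrets/%s/%s' "$ETCD_PREFIX" "$1" "$2"
}

# Pods in a namespace that consume the secret as a volume or env source: the
# places the answer warns may copy the value onto disk or into logs.
pods_using_secret() {
  oc get pods -n "$1" -o json | jq -r --arg s "$2" '
    [ .items[] | select(
        (.spec.volumes[]?.secret.secretName == $s) or
        (.spec.containers[].env[]?.valueFrom.secretKeyRef.name == $s) or
        (.spec.containers[].envFrom[]?.secretRef.name == $s)
      ) | .metadata.name ] | unique | .[]'
}

audit_secret_deletion() {
  ns=$1; name=$2
  key=$(etcd_secret_key "$ns" "$name")
  rev=$(etcdctl get "$key" -w json | jq -r '.header.revision')
  echo "pods referencing $name in $ns:"; pods_using_secret "$ns" "$name"

  oc delete secret "$name" -n "$ns"

  # At the current revision the key is gone (the delete wrote a tombstone) ...
  if [ -z "$(etcdctl get "$key" --keys-only)" ]; then echo "key absent at HEAD"; fi
  # ... but etcd's MVCC store keeps the earlier value until that history is compacted.
  if etcdctl get "$key" --rev="$rev" --keys-only | grep -q .; then
    echo "value still readable at revision $rev"
  fi
  # Compacting at the post-delete revision drops the old version and the tombstone;
  # defrag then rewrites the bbolt file so the freed pages are not left on disk.
  head=$(etcdctl get "$key" -w json | jq -r '.header.revision')
  etcdctl compact "$head"
  etcdctl defrag
}

if [ "${1:-}" = "--run" ]; then audit_secret_deletion "$2" "$3"; fi
```

Run it as `sh audit.sh --run <namespace> <secret>` against a non-production cluster first; defrag blocks the etcd member while it rewrites its data file.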
Source: StackOverflow