How is the "may not change during container lifetime" requirement enforced?

[liggitt]

The current proposal makes this statement:

The collection of files within the directory MAY change between container launches. The collection of files within the directory SHOULD NOT change during the lifetime of the container.

Given that changes would originate with changes to the secret object, but the update in the container is managed by the kubelet (at an arbitrary delay after the secret is updated, typically within 1 minute), how would the secret writer know that no containers were currently running and it was safe to update the secret?

[scothis]

It's worth clarifying that this requirement is talking about the keys of the Secret changing, not the values of those keys.

The controller reconciling the ServiceBinding typically copies the content of the provided Secret into a new Secret that is projected into the application. This enables mapped values to be added without mutating the upstream Secret. If the fields in the upstream Secret change a new Secret can be created and projected into the application.

The requirement comes from a precursor spec that wasn't focused on Kubernetes, we can improve the language to align with k8s semantics.

[scothis]

Closing, but feel free to continue the discussion.

This is a good topic to cover as part of #101