SaltStack jobs intended for specific targets based on grains are broad-casting to all connected minions. This behavior bypasses targeting filters, leading to unintended job execution across the entire fleet.

Aria Automation Config 8.17.x

The issue occurs because Salt CLI relies on cached minion data stored on the master under /var/cache/salt/master/minions/ to evaluate grain-based targeting (-G).

If a minion’s cache directory is missing (for example, deleted manually) but its key is still accepted on the master, the system cannot validate its grain data. As a result, the targeting logic may incorrectly include such minions as matches, even if they do not actually have the specified grain values.

This behavior is most noticeable with offline minions, where no fresh grain data is available, leading to unintended targeting until the cache directory is recreated or refreshed.

A permanent fix for this issue has been identified and will be included in an upcoming Salt 3006.x release.

Workaround

Until the updated release is available, administrators should ensure that proper minion cache data is maintained on the master to minimize the risk of incorrect targeting.