From 6661af8a54dce4b20ca278d98e33ddb7f1d15d6a Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 14 Feb 2024 21:58:38 +0100
Subject: [PATCH] upgrade kured
---
.../kube-system/unattended-upgrades.yaml | 155 +-----------------
argoapps/common/kured.yaml | 23 +++
2 files changed, 26 insertions(+), 152 deletions(-)
create mode 100644 argoapps/common/kured.yaml
diff --git a/apps/zurrli/_system/kube-system/unattended-upgrades.yaml b/apps/zurrli/_system/kube-system/unattended-upgrades.yaml
index 1e86cb8..70d5d4f 100644
--- a/apps/zurrli/_system/kube-system/unattended-upgrades.yaml
+++ b/apps/zurrli/_system/kube-system/unattended-upgrades.yaml
@@ -39,7 +39,8 @@ spec:
 hostPID: true
 containers:
 - name: "unattended-upgrades-install"
- image: "alpine:3.19.1"
+ image: "alpine:3"
+ imagePullPolicy: Always
 securityContext:
 privileged: true
 command:
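Review bot: The `+ image: "alpine:3"` line replaces a pinned patch release with a floating major tag, and the new `imagePullPolicy: Always` means every pod start pulls whatever that tag currently resolves to; since this container runs with `privileged: true` and `hostPID: true` and installs packages on the host, an upstream tag move or a registry-side change is executed with full host access on the next restart. Pin the reference by digest, e.g. `image: "alpine:3@sha256:<digest-from-registry>"` (placeholder to be filled in), or at least to a minor tag such as `"alpine:3.19"`, and keep `Always` as a guard against stale cached layers rather than as a substitute for pinning. The container's `command:` block continues past the end of this hunk.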
@@ -59,154 +60,4 @@ spec: apt-utils \ unattended-upgrades echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | debconf-set-selections - dpkg-reconfigure -f noninteractive unattended-upgrades ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kured -rules: - # Allow kured to read spec.unschedulable - # Allow kubectl to drain/uncordon - # - # NB: These permissions are tightly coupled to the bundled version of kubectl; the ones below - # match https://github.com/kubernetes/kubernetes/blob/v1.19.4/staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go - # - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "patch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["list", "delete", "get"] - - apiGroups: ["apps"] - resources: ["daemonsets"] - verbs: ["get"] - - apiGroups: [""] - resources: ["pods/eviction"] - verbs: ["create"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kured -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kured -subjects: - - kind: ServiceAccount - name: kured - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - namespace: kube-system - name: kured -rules: - # Allow kured to lock/unlock itself - - apiGroups: ["apps"] - resources: ["daemonsets"] - resourceNames: ["kured"] - verbs: ["update"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - namespace: kube-system - name: kured -subjects: - - kind: ServiceAccount - namespace: kube-system - name: kured -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kured ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kured - namespace: kube-system ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: kured # Must match `--ds-name` - namespace: kube-system # Must match `--ds-namespace` -spec: - selector: - matchLabels: - name: kured - updateStrategy: - type: 
RollingUpdate - template: - metadata: - labels: - name: kured - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: v1.machine-controller.kubermatic.io/operating-system - operator: In - values: - - amzn - - centos - - rhel - - rockylinux - - ubuntu - - matchExpressions: - - key: v1.kubeone.io/operating-system - operator: In - values: - - amzn - - centos - - debian - - rhel - - rockylinux - - ubuntu - serviceAccountName: kured - tolerations: - - key: node-role.kubernetes.io/control-plane - effect: NoSchedule - - key: node-role.kubernetes.io/master - effect: NoSchedule - hostPID: true # Facilitate entering the host mount namespace via init - containers: - - name: kured - image: ghcr.io/kubereboot/kured:1.14.2 - imagePullPolicy: IfNotPresent - securityContext: - privileged: true # Give permission to nsenter /proc/1/ns/mnt - env: - # Pass in the name of the node on which this pod is scheduled - # for use with drain/uncordon operations and lock acquisition - - name: KURED_NODE_ID - valueFrom: - fieldRef: - fieldPath: spec.nodeName - command: - - /usr/bin/kured -# - --alert-filter-regexp=^RebootRequired$ -# - --blocking-pod-selector=runtime=long,cost=expensive -# - --blocking-pod-selector=name=temperamental -# - --blocking-pod-selector=... -# - --ds-name=kured -# - --ds-namespace=kube-system -# - --end-time=23:59:59 -# - --lock-annotation=weave.works/kured-node-lock -# - --period=1h -# - --prometheus-url=http://prometheus.monitoring.svc.cluster.local -# - --reboot-days=sun,mon,tue,wed,thu,fri,sat -# - --reboot-sentinel=/var/run/reboot-required -# - --slack-hook-url=https://hooks.slack.com/... -# - --slack-username=prod -# - --slack-channel=alerting -# - --message-template-drain=Draining node %s -# - --message-template-drain=Rebooting node %s -# - --start-time=0:00 -# - --time-zone=UTC + dpkg-reconfigure -f noninteractive unattended-upgrades \ No newline at end of file 
diff --git a/argoapps/common/kured.yaml b/argoapps/common/kured.yaml
new file mode 100644
index 0000000..4ec6329
--- /dev/null
+++ b/argoapps/common/kured.yaml
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: healthcheck
+ namespace: argocd
+spec:
+ generators:
+ - clusters: {}
+ template:
+ metadata:
+ name: '{{name}}-kured'
+ spec:
+ project: system
+ source:
+ chart: kubereboot/kured
+ repoURL: https://kubereboot.github.io/charts
+ targetRevision: 5.4.2
+ destination:
+ server: '{{server}}'
+ namespace: kured
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
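Review bot: The ApplicationSet is named `healthcheck` on the `+ name: healthcheck` line although it deploys kured and lives in `argoapps/common/kured.yaml`; this looks copied from another ApplicationSet, and if one with that name already exists in the `argocd` namespace the two will overwrite each other on apply. Rename it to match the file and the generated Application, `name: kured`. Separately, the manifests removed from the other file carried explicit control-plane tolerations, an operating-system `nodeAffinity`, and narrowly scoped RBAC (node `get`/`patch`, pod `list`/`get`/`delete`, `pods/eviction` `create`, `update` on its own DaemonSet) in `kube-system`, while this `source:` block passes no Helm values, so the chart's defaults now govern a privileged, hostPID DaemonSet in namespace `kured`. Before syncing, confirm that the chart's default tolerations, RBAC scope and reboot-sentinel settings match what was previously deployed, or set them explicitly under `helm.values`.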