install and configure unattended upgrades
This commit is contained in:
parent
8788c4d80b
commit
806d9e946c
16
_apps/kube-system.yaml
Normal file
16
_apps/kube-system.yaml
Normal file
|
@ -0,0 +1,16 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: kube-system
|
||||
namespace: argocd
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
destination:
|
||||
namespace: kube-system
|
||||
server: https://kubernetes.default.svc
|
||||
project: system
|
||||
source:
|
||||
path: kube-system
|
||||
repoURL: https://git.tbrnt.ch/tobru/gitops-zurrli.git
|
||||
targetRevision: HEAD
|
214
kube-system/unattended-upgrades.yaml
Normal file
214
kube-system/unattended-upgrades.yaml
Normal file
|
@ -0,0 +1,214 @@
|
|||
# Source: https://github.com/kubermatic/kubeone/blob/master/addons/unattended-upgrades/
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
name: unattended-upgrades-install
|
||||
namespace: kube-system
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
name: unattended-upgrades-install
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
name: unattended-upgrades-install
|
||||
spec:
|
||||
affinity:
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: v1.machine-controller.kubermatic.io/operating-system
|
||||
operator: In
|
||||
values:
|
||||
- ubuntu
|
||||
- matchExpressions:
|
||||
- key: v1.kubeone.io/operating-system
|
||||
operator: In
|
||||
values:
|
||||
- ubuntu
|
||||
- debian
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
effect: NoSchedule
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
hostPID: true
|
||||
containers:
|
||||
- name: "unattended-upgrades-install"
|
||||
image: "alpine:3.12.4"
|
||||
securityContext:
|
||||
privileged: true
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- |
|
||||
set -xeuo pipefail
|
||||
apk add --no-cache bash util-linux
|
||||
nsenter -t 1 -m -u -i -n -p -- bash -c "${STARTUP_SCRIPT}"
|
||||
sleep inf
|
||||
env:
|
||||
- name: STARTUP_SCRIPT
|
||||
value: |
|
||||
set -xeuo pipefail
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
apt-get install -y --no-install-recommends \
|
||||
apt-utils \
|
||||
unattended-upgrades
|
||||
echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | debconf-set-selections
|
||||
dpkg-reconfigure -f noninteractive unattended-upgrades
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: kured
|
||||
rules:
|
||||
# Allow kured to read spec.unschedulable
|
||||
# Allow kubectl to drain/uncordon
|
||||
#
|
||||
# NB: These permissions are tightly coupled to the bundled version of kubectl; the ones below
|
||||
# match https://github.com/kubernetes/kubernetes/blob/v1.19.4/staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go
|
||||
#
|
||||
- apiGroups: [""]
|
||||
resources: ["nodes"]
|
||||
verbs: ["get", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["pods"]
|
||||
verbs: ["list","delete","get"]
|
||||
- apiGroups: ["apps"]
|
||||
resources: ["daemonsets"]
|
||||
verbs: ["get"]
|
||||
- apiGroups: [""]
|
||||
resources: ["pods/eviction"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: kured
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: kured
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kured
|
||||
namespace: kube-system
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
namespace: kube-system
|
||||
name: kured
|
||||
rules:
|
||||
# Allow kured to lock/unlock itself
|
||||
- apiGroups: ["apps"]
|
||||
resources: ["daemonsets"]
|
||||
resourceNames: ["kured"]
|
||||
verbs: ["update"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
namespace: kube-system
|
||||
name: kured
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
namespace: kube-system
|
||||
name: kured
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: kured
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: kured
|
||||
namespace: kube-system
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
name: kured # Must match `--ds-name`
|
||||
namespace: kube-system # Must match `--ds-namespace`
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
name: kured
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
name: kured
|
||||
spec:
|
||||
affinity:
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: v1.machine-controller.kubermatic.io/operating-system
|
||||
operator: In
|
||||
values:
|
||||
- amzn
|
||||
- centos
|
||||
- rhel
|
||||
- rockylinux
|
||||
- ubuntu
|
||||
- matchExpressions:
|
||||
- key: v1.kubeone.io/operating-system
|
||||
operator: In
|
||||
values:
|
||||
- amzn
|
||||
- centos
|
||||
- debian
|
||||
- rhel
|
||||
- rockylinux
|
||||
- ubuntu
|
||||
serviceAccountName: kured
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
effect: NoSchedule
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
hostPID: true # Facilitate entering the host mount namespace via init
|
||||
containers:
|
||||
- name: kured
|
||||
image: docker.io/weaveworks/kured:1.6.1
|
||||
# If you find yourself here wondering why there is no
|
||||
# :latest tag on Docker Hub,see the FAQ in the README
|
||||
imagePullPolicy: IfNotPresent
|
||||
securityContext:
|
||||
privileged: true # Give permission to nsenter /proc/1/ns/mnt
|
||||
env:
|
||||
# Pass in the name of the node on which this pod is scheduled
|
||||
# for use with drain/uncordon operations and lock acquisition
|
||||
- name: KURED_NODE_ID
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.nodeName
|
||||
command:
|
||||
- /usr/bin/kured
|
||||
# - --alert-filter-regexp=^RebootRequired$
|
||||
# - --blocking-pod-selector=runtime=long,cost=expensive
|
||||
# - --blocking-pod-selector=name=temperamental
|
||||
# - --blocking-pod-selector=...
|
||||
# - --ds-name=kured
|
||||
# - --ds-namespace=kube-system
|
||||
# - --end-time=23:59:59
|
||||
# - --lock-annotation=weave.works/kured-node-lock
|
||||
# - --period=1h
|
||||
# - --prometheus-url=http://prometheus.monitoring.svc.cluster.local
|
||||
# - --reboot-days=sun,mon,tue,wed,thu,fri,sat
|
||||
# - --reboot-sentinel=/var/run/reboot-required
|
||||
# - --slack-hook-url=https://hooks.slack.com/...
|
||||
# - --slack-username=prod
|
||||
# - --slack-channel=alerting
|
||||
# - --message-template-drain=Draining node %s
|
||||
# - --message-template-drain=Rebooting node %s
|
||||
# - --start-time=0:00
|
||||
# - --time-zone=UTC
|
Loading…
Reference in a new issue