Skip to content

Latest commit

 

History

History
116 lines (81 loc) · 4.02 KB

README.md

File metadata and controls

116 lines (81 loc) · 4.02 KB

k8s-auto-updater

auto-update your cluster: check your pods for outdated images, trigger rolling deployment of new pods when needed

!!! DO NOT USE IN A PRODUCTION ENVIRONMENT !!!

bad things could happen: service downtime, permanent pod restarts, hailstorms, ... You have been warned!

tl;dr

helm install --name auto-updater \
    https://arnehilmann.github.io/k8s-auto-updater/k8s-auto-updater-0.2.0.tgz \
    --set podSelector=
# cross fingers

description

in your cluster k8s-auto-updater runs as a cronjob inside your kubernetes-cluster.

with the authority k8s-auto-updater uses skopeo and kubectl, and has the following permissions:

resource verb
pods list, get
secrets get
replicasets get
deployments get, patch

gathering image names and its digests k8s-auto-updater fetches all pods and corresponding image names:

  1. image name must match imageRegExp (default: .*, see #Notes)
  2. pod labels must match podSelector (default: auto-update=enabled, see #Notes).

rolling update of deployments Then k8s-auto-updater iterates over selected pods, checking if the image id the pod was started on equals the image id referenced by the image name. If the image id of the pod differs, the owning replicaset and deployment get identified and then the deployment env gets patched, resulting in a new replicaset and thus newly started pods.

setup

A more permanent setup would be to add this repo to your helm installation and install k8s-auto-updater from there (see the config part for customization):

helm repo add k8s-a-u-chart https://arnehilmann.github.io/k8s-auto-updater/
helm install --name auto-updater k8s-a-u-chart/k8s-auto-updater

config

The following parameters could be set via --set:

parameter default description
schedule */10 * * * * when to run k8s-auto-updater, uses cron syntax
suspend false should k8s-auto-updater run on startup or stay in suspend mode
activeDeadlineSeconds 300 hard timeout for the job
podSelector auto-update=enabled select pods based on labels; supports '=', '!='
imageRegExp .* regular expression for matching docker images
verbose false produce more detailed log output

example:

helm install --name auto-updater \
    k8s-a-u-chart/k8s-auto-updater \
    --set schedule="*/2 * * * *" \  # run every two minutes
    --set podSelector=  # select _all_ pods in current namespace

notes

  • Clearing the podSelector variable might be a bad idea (i.e. all pods, including system pods and auto-updater itself, get selected)!
  • You can narrow the searched repositories by setting imageRegExp; you can use multiple patterns with the pattern1|pattern2 notation; e.g. ... --set imageRegExp='arne/d.*|gitlab.*'.
  • when referencing images on docker.io, the host part of the image name is empty (e.g. arne/k8s-auto-updater instead of docker.io/arne/k8s-auto-updater).
  • when referencing official images on docker.io, the host and repo parts are empty (e.g. mysql instead of docker.io/library/mysql).

cleanup

helm delete auto-updater

quick links

find the current chart index at https://arnehilmann.github.io/k8s-auto-updater/index.yaml

find the docker image at https://hub.docker.com/r/arne/kubectlskopeo/

TODO

  • allow selector for pods, images, registries
  • specify how many pods per run may be deleted
  • allow image sync for remote registries which do not need PullSecrets
  • provide endpoint for triggering manually (still in scope?)
  • only delete pod when image pull enabled (imageTag eq latest or imagePullPolicy Always)