auto-update your cluster: check your pods for outdated images, trigger rolling deployment of new pods when needed
!!! DO NOT USE IN A PRODUCTION ENVIRONMENT !!!
bad things could happen: service downtime, permanent pod restarts, hailstorms, ... You have been warned!
```bash
helm install --name auto-updater \
  https://arnehilmann.github.io/k8s-auto-updater/k8s-auto-updater-0.2.0.tgz \
  --set podSelector=
# cross fingers
```
## in your cluster

k8s-auto-updater runs as a cronjob inside your kubernetes cluster.

## with the authority

k8s-auto-updater uses skopeo and kubectl, and has the following permissions:
| resource    | verb       |
|-------------|------------|
| pods        | list, get  |
| secrets     | get        |
| replicasets | get        |
| deployments | get, patch |
## gathering image names and their digests

k8s-auto-updater fetches all pods and their corresponding image names:

- the image name must match `imageRegExp` (default: `.*`, see Notes)
- the pod labels must match `podSelector` (default: `auto-update=enabled`, see Notes)
## rolling update of deployments

Then k8s-auto-updater iterates over the selected pods, checking whether the image ID the pod was started with equals the image ID (digest) currently referenced by the image name in the registry. If the pod's image ID differs, the owning replicaset and deployment get identified and the deployment env gets patched, resulting in a new replicaset and thus newly started pods.
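The comparison and patch step above, as an added example that is not the project's own code: the real tool runs skopeo and kubectl from a cronjob, whereas this model takes a constructed pod list and a constructed map of registry digests (what `skopeo inspect docker://<image>` would report in its `Digest` field) and decides which deployments need a rollout. The env var name `AUTO_UPDATE_TRIGGERED_AT`, the sample pods and the assumption that the container is named like its deployment are all mine, not the project's. A pod whose `imageID` carries no repository digest is skipped rather than restarted, since there is nothing to compare against.

```python
"""Offline model of the digest comparison and patch decision (added example)."""
import re
import json
from datetime import datetime, timezone

# Pod.status.containerStatuses[].imageID looks like
# "docker-pullable://arne/app@sha256:<hex>"; the digest is the part after '@'.
DIGEST_RE = re.compile(r"@(sha256:[0-9a-f]{64})$")


def digest_of(image_id):
    """Return the sha256 digest from a pod's imageID, or None if it carries no
    repository digest (e.g. an image that was built locally and never pulled)."""
    m = DIGEST_RE.search(image_id)
    return m.group(1) if m else None


def find_stale_deployments(pods, registry_digests):
    """Return {deployment_name: [image names]} for pods whose running digest
    differs from what the registry currently serves under that image name.

    pods: dicts with keys image, imageID, owner (the Deployment owning the
          pod's ReplicaSet). Unknown digest on either side -> skip the pod:
          never restart on missing data.
    """
    stale = {}
    for pod in pods:
        running = digest_of(pod["imageID"])
        wanted = registry_digests.get(pod["image"])
        if running is None or wanted is None:
            continue
        if running != wanted:
            images = stale.setdefault(pod["owner"], [])
            if pod["image"] not in images:
                images.append(pod["image"])
    return stale


def rollout_patch(container_name, now=None):
    """Build the strategic-merge patch that bumps an env var on the pod
    template; a changed template is what makes the Deployment create a new
    ReplicaSet. AUTO_UPDATE_TRIGGERED_AT is an assumed name (not the project's)."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"spec": {"template": {"spec": {"containers": [
        {"name": container_name,
         "env": [{"name": "AUTO_UPDATE_TRIGGERED_AT", "value": ts}]}]}}}}


# constructed sample data
SAMPLE_PODS = [
    {"name": "web-7d9f-abc", "image": "arne/web:latest", "owner": "web",
     "imageID": "docker-pullable://arne/web@sha256:" + "a" * 64},
    {"name": "api-55c8-xyz", "image": "arne/api:latest", "owner": "api",
     "imageID": "docker-pullable://arne/api@sha256:" + "b" * 64},
    {"name": "tool-1", "image": "local/tool:dev", "owner": "tool",
     "imageID": "docker://sha256:" + "c" * 64},  # never pulled: no repo digest
]
SAMPLE_REGISTRY = {
    "arne/web:latest": "sha256:" + "a" * 64,   # unchanged in the registry
    "arne/api:latest": "sha256:" + "d" * 64,   # new push -> pod is stale
}

if __name__ == "__main__":
    for dep, images in find_stale_deployments(SAMPLE_PODS, SAMPLE_REGISTRY).items():
        # container name assumed equal to the deployment name in this sample
        print(f"kubectl patch deployment {dep} -p '{json.dumps(rollout_patch(dep))}'"
              f"  # stale images: {images}")
```

Run as a script it prints the `kubectl patch` command for the one stale deployment (`api`) and nothing for `web` or `tool`; the strategic-merge patch merges the `containers` list by `name`, so only the named container's env is touched.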
A more permanent setup would be to add this repo to your helm installation and install k8s-auto-updater from there (see the config part for customization):

```bash
helm repo add k8s-a-u-chart https://arnehilmann.github.io/k8s-auto-updater/
helm install --name auto-updater k8s-a-u-chart/k8s-auto-updater
```
## config

The following parameters could be set via `--set`:

| parameter             | default               | description |
|-----------------------|-----------------------|-------------|
| schedule              | `*/10 * * * *`        | when to run k8s-auto-updater, uses cron syntax |
| suspend               | `false`               | should k8s-auto-updater run on startup or stay in suspend mode |
| activeDeadlineSeconds | `300`                 | hard timeout for the job |
| podSelector           | `auto-update=enabled` | select pods based on labels; supports `=`, `!=` |
| imageRegExp           | `.*`                  | regular expression for matching docker images |
| verbose               | `false`               | produce more detailed log output |
example:

```bash
# --set schedule: run every two minutes
# --set podSelector= : select all pods in the current namespace
helm install --name auto-updater \
  k8s-a-u-chart/k8s-auto-updater \
  --set schedule="*/2 * * * *" \
  --set podSelector=
```
## notes

- Clearing the `podSelector` variable might be a bad idea (i.e. all pods, including system pods and auto-updater itself, get selected)!
- You can narrow the searched repositories by setting `imageRegExp`; you can use multiple patterns with the `pattern1|pattern2` notation, e.g. `... --set imageRegExp='arne/d.*|gitlab.*'`.
- When referencing images on docker.io, the host part of the image name is empty (e.g. `arne/k8s-auto-updater` instead of `docker.io/arne/k8s-auto-updater`).
- When referencing official images on docker.io, the host and repo parts are empty (e.g. `mysql` instead of `docker.io/library/mysql`).
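The pod selection rules from the gathering section and the docker.io naming rules from the notes above, as an added example (mine, not the project's code): it parses a `podSelector` with `=` and `!=` terms, applies `imageRegExp` (including the `pattern1|pattern2` form), and expands short docker.io references into the fully qualified form a `skopeo inspect docker://...` call needs. Whether the real tool anchors the regexp only at the start (as `re.match` does here), accepts several comma-separated selector terms, and defaults a missing tag to `latest` are assumptions; the sample pods are constructed.

```python
"""Offline model of pod selection and docker.io reference expansion (added example)."""
import re


def normalize_image_ref(ref):
    """Expand docker.io's short forms into host/repo/name:tag, as skopeo wants:
    'mysql'           -> docker.io/library/mysql:latest
    'arne/app'        -> docker.io/arne/app:latest
    'quay.io/a/b:1.2' -> unchanged
    The first path component is a registry host when it contains '.' or ':'
    or is 'localhost' (the rule docker's own reference parser uses).
    A '@sha256:...' reference keeps its digest and gets no tag."""
    name, digest = (ref.split("@", 1) + [None])[:2]
    parts = name.split("/")
    first = parts[0]
    if len(parts) == 1 or not ("." in first or ":" in first or first == "localhost"):
        parts.insert(0, "docker.io")          # empty host part means docker.io
    if parts[0] == "docker.io" and len(parts) == 2:
        parts.insert(1, "library")            # empty repo part means an official image
    if digest is None and ":" not in parts[-1]:
        parts[-1] += ":latest"                # tag default is an assumption
    return "/".join(parts) + ("@" + digest if digest else "")


def parse_selector(selector):
    """Parse 'k=v' / 'k!=v' terms (comma-separated, an assumption) into
    [(key, op, value)]. An empty selector has no terms and matches every pod."""
    terms = []
    for raw in filter(None, (t.strip() for t in selector.split(","))):
        if "!=" in raw:
            k, v = raw.split("!=", 1)
            terms.append((k, "!=", v))
        elif "=" in raw:
            k, v = raw.split("=", 1)
            terms.append((k, "=", v))
        else:
            raise ValueError(f"unsupported selector term: {raw!r}")
    return terms


def pod_selected(labels, terms):
    """Kubernetes semantics: 'k!=v' also matches pods that lack label k."""
    for k, op, v in terms:
        if op == "=" and labels.get(k) != v:
            return False
        if op == "!=" and labels.get(k) == v:
            return False
    return True


def select_pods(pods, selector="auto-update=enabled", image_regexp=".*"):
    """Return the names of pods passing both the label selector and the image regexp."""
    terms = parse_selector(selector)
    pattern = re.compile(image_regexp)
    return [p["name"] for p in pods
            if pod_selected(p["labels"], terms) and pattern.match(p["image"])]


# constructed sample pods, including a system pod and the updater itself
SAMPLE_PODS = [
    {"name": "web", "labels": {"auto-update": "enabled", "app": "web"},
     "image": "arne/deploy-web"},
    {"name": "gitlab-runner", "labels": {"auto-update": "enabled"},
     "image": "gitlab/gitlab-runner:alpine"},
    {"name": "kube-dns", "labels": {"k8s-app": "kube-dns"},
     "image": "k8s.gcr.io/kube-dns:1.14"},
    {"name": "auto-updater", "labels": {"app": "auto-updater"},
     "image": "arne/kubectlskopeo"},
]

if __name__ == "__main__":
    print("default selector:", select_pods(SAMPLE_PODS))
    print("empty selector:  ", select_pods(SAMPLE_PODS, ""))   # everything, updater included
    print("two patterns:    ", select_pods(SAMPLE_PODS, "", "arne/d.*|gitlab.*"))
    for p in SAMPLE_PODS:
        print(p["image"], "->", normalize_image_ref(p["image"]))
```

The empty-selector case is exactly the situation the first note warns about: with no terms every pod in the namespace qualifies, `kube-dns` and the updater's own pod included, and only `imageRegExp` still narrows the set.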
```bash
helm delete auto-updater
```
- find the current chart index at https://arnehilmann.github.io/k8s-auto-updater/index.yaml
- find the docker image at https://hub.docker.com/r/arne/kubectlskopeo/
## todo

- allow selector for pods, images, registries
- specify how many pods per run may be deleted
- allow image sync for remote registries which do not need PullSecrets
- provide endpoint for triggering manually (still in scope?)
- only delete pod when image pull enabled (imageTag eq latest or imagePullPolicy Always)