diff --git a/charts/kured/Chart.yaml b/charts/kured/Chart.yaml
index c0768a8..5c04f4f 100644
--- a/charts/kured/Chart.yaml
+++ b/charts/kured/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: "1.14.2"
 description: A Helm chart for kured
 name: kured
-version: 5.3.2
+version: 5.4.0
 home: https://github.com/kubereboot/kured
 maintainers:
 - name: chopf
diff --git a/charts/kured/README.md b/charts/kured/README.md
index bd19ced..5a308f6 100644
--- a/charts/kured/README.md
+++ b/charts/kured/README.md
@@ -83,6 +83,7 @@ The following changes have been made compared to the stable chart:
 | `extraEnvVars` | Array of environment variables to pass to the daemonset. | `{}` |
 | `metricsHost` | Host to expose the metrics endpoint. | `""` |
 | `metricsPort` | Port to expose the metrics endpoint. | `8080` |
+| `useRebootSentinelHostPath` | Controls whether the chart uses a hostPath to read the sentinel file. | `true` |
 | `configuration.lockTtl` | cli-parameter `--lock-ttl` | `0` |
 | `configuration.lockReleaseDelay` | cli-parameter `--lock-release-delay` | `0` |
 | `configuration.alertFilterRegexp` | cli-parameter `--alert-filter-regexp` | `""` |
@@ -104,6 +105,8 @@ The following changes have been made compared to the stable chart:
 | `configuration.rebootSentinelCommand` | cli-parameter `--reboot-sentinel-command` | `""` |
 | `configuration.rebootCommand` | cli-parameter `--reboot-command` | `""` |
 | `configuration.rebootDelay` | cli-parameter `--reboot-delay` | `""` |
+| `configuration.rebootMethod` | cli-parameter `--reboot-method` | `""` |
+| `configuration.rebootSignal` | cli-parameter `--reboot-signal` | `39` (SIGRTMIN+5) |
 | `configuration.slackChannel` | cli-parameter `--slack-channel`. Passed through `tpl` | `""` |
 | `configuration.slackHookUrl` | cli-parameter `--slack-hook-url`. Passed through `tpl` | `""` |
 | `configuration.slackUsername` | cli-parameter `--slack-username`. Passed through `tpl` | `""` |
diff --git a/charts/kured/templates/daemonset.yaml b/charts/kured/templates/daemonset.yaml
index 5afea9f..ad49aab 100644
--- a/charts/kured/templates/daemonset.yaml
+++ b/charts/kured/templates/daemonset.yaml
@@ -130,9 +130,13 @@ spec:
 - --post-reboot-node-labels={{ . }}
 {{- end }}
 {{- if .Values.configuration.rebootSentinel }}
+ {{- if .Values.useRebootSentinelHostPath }}
+ - --reboot-sentinel=/sentinel/{{ base .Values.configuration.rebootSentinel }}
+ {{ else }}
 - --reboot-sentinel={{ .Values.configuration.rebootSentinel }}
+ {{- end }}
 {{- end }}
- {{- if .Values.configuration.rebootSentinelCommand }}
+ {{- if and .Values.configuration.rebootSentinelCommand (not .Values.useRebootSentinelHostPath) }}
 - --reboot-sentinel-command={{ .Values.configuration.rebootSentinelCommand }}
 {{- end }}
 {{- if .Values.configuration.rebootCommand }}
@@ -141,6 +145,12 @@ spec:
 {{- if .Values.configuration.rebootDelay }}
 - --reboot-delay={{ .Values.configuration.rebootDelay }}
 {{- end }}
+ {{- if .Values.configuration.rebootMethod }}
+ - --reboot-method={{ .Values.configuration.rebootMethod }}
+ {{- end }}
+ {{- if .Values.configuration.rebootSignal }}
+ - --reboot-signal={{ .Values.configuration.rebootSignal }}
+ {{- end }}
 {{- if .Values.configuration.slackChannel }}
 - --slack-channel={{ tpl .Values.configuration.slackChannel . }}
 {{- end }}
@@ -187,10 +197,17 @@ spec:
 - --{{ $key }}
 {{- end }}
 {{- end }}
-{{- if .Values.volumeMounts }}
+ {{- if or .Values.volumeMounts .Values.useRebootSentinelHostPath }}
 volumeMounts:
+ {{- end }}
+ {{- if .Values.useRebootSentinelHostPath }}
+ - mountPath: /sentinel
+ name: sentinel
+ readOnly: true
+ {{- end }}
+ {{- if .Values.volumeMounts }}
 {{- toYaml .Values.volumeMounts | nindent 12 }}
-{{- end }}
+ {{- end }}
 ports:
 - containerPort: {{ .Values.configuration.metricsPort }}
 name: metrics
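Review bot: In the `@@ -130,9 +130,13 @@` hunk of templates/daemonset.yaml, a user-supplied `configuration.rebootSentinelCommand` is silently dropped whenever `useRebootSentinelHostPath` is true, while the values.yaml comment still says a non-empty command causes the sentinel file to be ignored. An operator who relies on the command check would get file-based detection instead, with no warning at install time. Make the conflict explicit, for example `{{- if and .Values.configuration.rebootSentinelCommand .Values.useRebootSentinelHostPath }}{{ fail "rebootSentinelCommand requires useRebootSentinelHostPath=false" }}{{- end }}`, or state the precedence in the README row. The added `{{ else }}` also lacks the left trim used by the neighbouring actions; `{{- else }}` keeps a stray blank line out of the rendered args. The args list itself starts and ends outside this hunk.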
@@ -229,7 +246,15 @@ spec:
 affinity:
 {{ toYaml . | indent 8 }}
 {{- end }}
-{{- if .Values.volumes }}
+ {{- if or .Values.volumes .Values.useRebootSentinelHostPath }}
 volumes:
+ {{- end }}
+ {{- if .Values.useRebootSentinelHostPath }}
+ - name: sentinel
+ hostPath:
+ path: {{ dir .Values.configuration.rebootSentinel }}
+ type: Directory
+ {{- end }}
+ {{- if .Values.volumes }}
 {{- toYaml .Values.volumes | nindent 8 }}
-{{- end }}
+ {{- end }}
diff --git a/charts/kured/values.yaml b/charts/kured/values.yaml
index 8027ee4..da5f5cf 100644
--- a/charts/kured/values.yaml
+++ b/charts/kured/values.yaml
@@ -11,6 +11,8 @@ updateStrategy: RollingUpdate
 maxUnavailable: 1
 podAnnotations: {}
+# container.apparmor.security.beta.kubernetes.io/kured: unconfined
+
 dsAnnotations: {}
 extraArgs: {}
@@ -25,6 +27,7 @@ extraEnvVars:
 # value: 123
 configuration:
+ useRebootSentinelHostPath: true # not actually a flag, indicates if the sentinel should be mounted
 metricsHost: "" # host where metrics will listen
 metricsPort: 8080 # port number where metrics will listen
 lockTtl: 0 # force clean annotation after this amount of time (default 0, disabled)
@@ -47,6 +50,8 @@ configuration:
 rebootSentinelCommand: "" # command for which a successful run signals need to reboot (default ""). If non-empty, sentinel file will be ignored.
 rebootCommand: "/bin/systemctl reboot" # command to run when a reboot is required by the sentinel
 rebootDelay: "" # add a delay after drain finishes but before the reboot command is issued
+ rebootMethod: "" # method to use for reboots (default command), available: command, signal
+ rebootSignal: "" # signal to use for reboots (default 39 = SIGRTMIN+5).
 slackChannel: "" # slack channel for reboot notifications
 slackHookUrl: "" # slack hook URL for reboot notifications
 slackUsername: "" # slack username for reboot notifications (default "kured")
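Review bot: The `sentinel` hostPath added in the `@@ -229,7 +246,15 @@` hunk of templates/daemonset.yaml mounts the whole parent directory of `configuration.rebootSentinel`, not the sentinel file, so every other entry in that host directory becomes visible inside the pod. If the sentinel lives in a shared runtime directory (for example somewhere under /var/run), that may include runtime sockets, and `readOnly: true` on the mount does not prevent a process from connecting to a Unix socket. The README row should say this and recommend a dedicated sentinel directory. The volume is also rendered when `useRebootSentinelHostPath` is set but `rebootSentinel` is empty, in which case `dir` would yield `.`. A check such as `{{- if and .Values.useRebootSentinelHostPath (not .Values.configuration.rebootSentinel) }}{{ fail "useRebootSentinelHostPath requires configuration.rebootSentinel" }}{{- end }}` plus `path: {{ dir .Values.configuration.rebootSentinel | quote }}` would catch that, and the same condition covers the `/sentinel` volumeMount in the `@@ -187,10 +197,17 @@` hunk.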
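Review bot: In the values.yaml `@@ -25,6 +27,7 @@` hunk, the new `useRebootSentinelHostPath: true` is added directly after `configuration:` and appears to be nested under that key (the exact indentation is not recoverable from this page). templates/daemonset.yaml reads `.Values.useRebootSentinelHostPath`, and the README row documents it as a top-level value. If the key is nested, the template sees an unset value, so the documented default of `true` never takes effect and neither the `sentinel` volume nor the `/sentinel` mount is rendered unless the user sets the top-level key. Either move the key to the top level of values.yaml or change the template conditions and README to `configuration.useRebootSentinelHostPath`, and align the security-context comment in the last values.yaml hunk with whichever name is chosen.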
@@ -80,6 +85,17 @@ containerSecurityContext:
 readOnlyRootFilesystem: true
 # allowPrivilegeEscalation: true # Needed when using defaultAllowPrivilegedEscalation: false in psp
+# Use the following security-context when "configuration.rebootMethod=signal and useRebootSentinelHostPath=true"
+# containerSecurityContext:
+# privileged: false
+# readOnlyRootFilesystem: true
+# allowPrivilegeEscalation: false
+# capabilities:
+# add:
+# - CAP_KILL
+# drop:
+# - '*'
+
 resources: {}
 hostNetwork: false
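Review bot: The commented security context spells the capabilities as `CAP_KILL` and `'*'`, but Kubernetes container manifests list capabilities without the `CAP_` prefix and use `ALL` as the drop-everything value. The example should read `- KILL` under `add:` and `- ALL` under `drop:`. Depending on the container runtime the forms shown may be rejected or not applied as intended, and Pod Security admission checks only recognise `ALL`, so a user copying this block could end up with more capabilities than the comment implies. The active `containerSecurityContext` begins above this hunk and is not visible here. Because the hardened variant is only a comment, it would help to say in the README that switching to `rebootMethod: signal` does not tighten the default context by itself.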