@xandout
Created April 9, 2024 20:18
Daily host OS updates for kubernetes nodes

Kubernetes DaemonSet: Automated YUM Security Updates

This Kubernetes DaemonSet, named yum-update, performs automatic security updates with YUM on every node in a Kubernetes cluster. It runs a privileged container that shares the host's PID namespace and uses nsenter to enter the host, so yum updates the node's own packages rather than the container's. This is useful for keeping nodes patched with the latest security fixes without manual intervention.

Overview

  • DaemonSet Name: yum-update
  • Container Image: alexeiled/nsenter:2.38.1
  • Purpose: To automatically apply YUM security updates on each node in a Kubernetes cluster.

Key Features

  • Automated Security Updates: Utilizes YUM to apply security updates automatically, reducing the risk of vulnerabilities.
  • Privileged Access: Runs in a privileged mode to ensure it has the necessary permissions to perform updates on the host system.
  • Continuous Operation: The update script executes indefinitely, with a sleep interval of 1 day between update checks.

Configuration Details

  • Command: Uses nsenter to join the namespaces of the host's PID 1, then runs a bash loop that repeatedly applies security updates with yum -y update --security.
  • Host Network and PID Namespace: Uses the host's network and PID namespace for direct access to the system.
  • Security Context: Operates in a privileged security context to allow modifications to the host system.

How It Works

  1. Initiation: The DaemonSet deploys a pod on each node of the cluster.
  2. Execution: Inside each pod, the container enters the host via nsenter and runs a bash script that invokes YUM to apply security updates.
  3. Loop: After completing the update, the script sleeps for one day before checking for updates again.

Usage Scenario

This DaemonSet is particularly beneficial for environments where maintaining security is crucial, and manual updates are impractical or risky due to the scale of the infrastructure.

Deployment

To deploy this DaemonSet, apply the provided YAML configuration using kubectl apply -f <filename.yaml>. Ensure that you have the necessary permissions to deploy DaemonSets and operate in privileged mode within your Kubernetes cluster.

Important Notes

  • Security Implications: Because this DaemonSet runs privileged with hostPID and hostNetwork and enters the host's PID 1, each pod is effectively root on its node. Understand those implications and confirm that this is acceptable under your cluster's security policies before deploying it.
  • Customization: You may customize the update interval or modify the update commands based on your specific requirements or YUM configurations.

By deploying this DaemonSet, you can ensure that your Kubernetes nodes are consistently secured with the latest patches, minimizing the risk of security vulnerabilities.

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: yum-update
spec:
  selector:
    matchLabels:
      app: yum-update
  template:
    metadata:
      labels:
        app: yum-update
    spec:
      containers:
      - command:
        # Join every namespace of the host's PID 1, then run the loop there,
        # so yum operates on the node's own packages rather than the container's.
        - /nsenter
        - --all
        - --target=1
        - --
        - /bin/bash
        - -c
        - |
          #!/bin/bash
          while true; do
            # --security limits the transaction to packages with security advisories
            yum -y update --security
            sleep 1d
          done
        image: alexeiled/nsenter:2.38.1
        imagePullPolicy: IfNotPresent
        name: yum-update
        securityContext:
          privileged: true   # needed for nsenter to enter the host's namespaces
      # Share the host's network and PID namespace so PID 1 is visible to nsenter
      hostNetwork: true
      hostPID: true
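As an added check that is not part of the gist, the following Python audits a workload manifest in the JSON form that kubectl get ... -o json produces and flags the settings this DaemonSet relies on: hostPID, hostNetwork, a privileged container, and an nsenter command targeting PID 1. The embedded sample manifest is constructed from the gist's YAML; the script name and function names are assumptions.

```python
import json
import sys

# Constructed sample: the gist's yum-update DaemonSet as `kubectl get ds
# yum-update -o json` would emit it, trimmed to the fields the check reads.
SAMPLE_DAEMONSET = json.loads("""
{"kind": "DaemonSet", "metadata": {"name": "yum-update"},
 "spec": {"template": {"spec": {
   "hostNetwork": true, "hostPID": true,
   "containers": [{"name": "yum-update", "image": "alexeiled/nsenter:2.38.1",
     "command": ["/nsenter", "--all", "--target=1", "--", "/bin/bash", "-c",
                 "while true; do yum -y update --security; sleep 1d; done"],
     "securityContext": {"privileged": true}}]}}}}
""")

def targets_host_init(argv):
    """True if an nsenter-style argv names PID 1 (the host's init) as target."""
    for i, arg in enumerate(argv):
        if arg in ("--target=1", "-t1"):
            return True
        if arg in ("--target", "-t") and i + 1 < len(argv) and argv[i + 1] == "1":
            return True
    return False

def host_access_findings(obj):
    """Return (severity, message) pairs for settings that hand a workload
    root-equivalent access to the node. Accepts a Pod or any workload whose
    spec.template carries a pod spec (DaemonSet, Deployment, Job, ...)."""
    spec = obj.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)
    name = obj.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if pod_spec.get(flag):
            findings.append(("medium", f"{name}: {flag}=true"))
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(("high", f"{name}/{c['name']}: privileged container"))
        argv = c.get("command", []) + c.get("args", [])
        # nsenter into PID 1 joins the host's namespaces; together with hostPID
        # and privileged, whatever runs there is root on the node itself.
        if any(a.endswith("nsenter") for a in argv) and targets_host_init(argv):
            findings.append(("high", f"{name}/{c['name']}: nsenter into host PID 1"))
    return findings

if __name__ == "__main__":
    # Usage: kubectl get ds yum-update -o json | python3 audit_host_access.py
    for severity, message in host_access_findings(json.load(sys.stdin)):
        print(f"[{severity}] {message}")
```

Run against the gist's manifest it reports two medium findings (hostPID, hostNetwork) and two high ones (privileged container, nsenter into host PID 1).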