flexible kured deployment with its helm chart
Kured (KUbernetes REboot Daemon) is the proper way to keep your Linux Nodes up-to-date automatically with Kubernetes: https://docs.microsoft.com/azure/aks/node-updates-kured. That’s one of your responsibility to setup this tool (or any other alternative you may have) for your own Security Posture.
I recently found out that the proper way to install kured is not by doing this like explained here:
kubectl apply \
-f https://github.com/weaveworks/kured/releases/download/1.2.0/kured-1.2.0-dockerhub.yaml
Yes it works like this for sure. But, how updating that file? how extending it? So I recently found out that instead of keeping my own version of this file and update it as I want, I could use the official Kured Helm chart instead:
helm repo update
helm install kured stable/kured
Really cool, isn’t it!?
FYI the source code of this Helm chart is here: https://github.com/helm/charts/tree/master/stable/kured
Maybe you don’t see yet the value of using this Helm chart? Here below are few scenarios and capabilities you are now easily able to do with this Helm chart installation.
Deploy kured in a specific namespace
It’s not a good practice to deploy kured in the kube-system
namespace, that’s what the original file does. Note: Azure Security Center integrated with AKS told me that.
kubectl create ns kured
helm install kured stable/kured \
-n kured
Deploy kured only on Linux nodes
Because it’s not working for Windows nodes: https://github.com/weaveworks/kured/issues/96.
helm install kured stable/kured \
--set nodeSelector."beta\.kubernetes\.io/os"=linux
Deploy kured with specific tolerations
Otherwise it will fail if you taint your nodes: https://github.com/weaveworks/kured/pull/88. That’s probably what you will find out as soon as you will leverage Multiple Node Pool for example.
helm install kured stable/kured \
--set tolerations[0].effect=NoSchedule \
--set tolerations[0].key=node-role.kubernetes.io/master \
--set tolerations[1].operator=Exists \
--set tolerations[1].key=CriticalAddonsOnly \
--set tolerations[2].operator=Exists \
--set tolerations[2].effect=NoExecute \
--set tolerations[3].operator=Exists \
--set tolerations[3].effect=NoSchedule
Deploy a specific version of the kured container
You may want to deploy a specific tag of the kured container, for example when it’s not yet officially released.
helm install kured stable/kured \
--set image.tag=master-f6e4062
Get notifications in Slack or Microsoft Teams
You may want to receive notifications when nodes are drained and rebooted. With Microsoft Teams you could get Incoming Webhook URL very easily to use it then with the following command:
helm install kured stable/kured \
--set extraArgs.slack-hook-url=<your-webhook-url>
Set a schedule when kured should reboot the nodes
You may want to set a specific schedule (days and times) when kured should reboot the nodes when needed. This feature is only available from a specific version of the kured container and further versions.
helm install kured stable/kured \
--set image.tag=master-f6e4062 \
--set extraArgs.start-time=9am \
--set extraArgs.end-time=5pm \
--set extraArgs.time-zone=America/Toronto \
--set extraArgs.reboot-days="mon\,tue\,wed\,thu\,fri"
That’s a wrap!
With all of this, here is my final command I use to deploy kured
with its Helm chart in my own Kubernetes cluster:
ns=kured
teamsWebHook=<teams-web-hook>
kubectl create ns $ns
helm repo update
helm install kured stable/kured \
-n $ns \
--set image.tag=master-f6e4062 \
--set nodeSelector."beta\.kubernetes\.io/os"=linux \
--set extraArgs.start-time=9am \
--set extraArgs.end-time=5pm \
--set extraArgs.time-zone=America/Toronto \
--set extraArgs.reboot-days="mon\,tue\,wed\,thu\,fri" \
--set tolerations[0].effect=NoSchedule \
--set tolerations[0].key=node-role.kubernetes.io/master \
--set tolerations[1].operator=Exists \
--set tolerations[1].key=CriticalAddonsOnly \
--set tolerations[2].operator=Exists \
--set tolerations[2].effect=NoExecute \
--set tolerations[3].operator=Exists \
--set tolerations[3].effect=NoSchedule \
--set extraArgs.slack-hook-url=$teamsWebHook
NB: I submitted a PR to improve the AKS docs with this.
Hope you enjoyed this blog article and you learned enough to adapt this for your own context and needs.
Cheers!