Closed Neumann-Nils closed 4 years ago
When new nodes are introduced, the daemonset will create pods accordingly (see https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/).
However, a daemonset currently does not support the "restartPolicy" never, which would be needed to create a pod that runs only once and gets terminated afterwards. However, this feature seems to be in progress:
If it gets implemented, it would allow us to create a daemonset that spins up a pod only once, copies and pastes the custom seccomp profiles and terminates afterwards.
One could also register on the event of node creation (using our webhook functionality) and spin up a pod on this node that copies the custom seccomp profiles manually.
A workaround would be to keep the pod alive and do nothing (e.g. while sleep 3600). This would also result in the pod only being started once for each node (see: https://github.com/cloudfoundry-community/eirini-bosh-release/pull/37).
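The keep-alive workaround from the comment above, written out as a DaemonSet manifest; this is an added example, not code from the issue or from karydia. It assumes the profiles are stored as `*.json` keys in a ConfigMap named `custom-seccomp-profiles` (hypothetical) and that the kubelet uses its default seccomp root `/var/lib/kubelet/seccomp`.

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: seccomp-profile-installer        # hypothetical name
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: seccomp-profile-installer
  template:
    metadata:
      labels:
        app: seccomp-profile-installer
    spec:
      tolerations:
        - operator: Exists                # also cover tainted/control-plane nodes
      initContainers:
        - name: copy-profiles
          image: busybox:1.36
          # Runs once per pod (i.e. once per node): copy the profiles from the
          # ConfigMap mount into the node's seccomp root, where the kubelet
          # resolves "Localhost" profiles by relative path.
          command: ["sh", "-c", "cp -v /profiles/*.json /host-seccomp/"]
          volumeMounts:
            - name: profiles
              mountPath: /profiles
              readOnly: true
            - name: host-seccomp
              mountPath: /host-seccomp
      containers:
        - name: pause
          image: busybox:1.36
          # A DaemonSet only allows restartPolicy Always, so the pod must stay
          # Running; sleeping forever keeps it from being restarted and re-copying.
          command: ["sh", "-c", "while sleep 3600; do :; done"]
          securityContext:                # the idle container needs no privileges
            runAsNonRoot: true
            runAsUser: 65534
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
      volumes:
        - name: profiles
          configMap:
            name: custom-seccomp-profiles   # hypothetical ConfigMap with *.json keys
        - name: host-seccomp
          hostPath:
            path: /var/lib/kubelet/seccomp   # assumed kubelet default seccomp root
            type: DirectoryOrCreate
```

Because the copy happens in the init container, a changed ConfigMap is not picked up until the DaemonSet pods are recreated (e.g. with a rollout restart).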
Description
To create and install a custom seccomp profile is quite time-consuming and complex (see #135). Thus, karydia should provide an easy and appealing solution to install and deploy your custom seccomp profile on each node.
User Story
As a user I want to use karydia to easily install and deploy my custom seccomp profiles in order to secure my clusters.
Implementation idea
For this feature, the following parts should be done: