Open rptaylor opened 7 months ago
This issue was automatically considered stale due to lack of activity. Please update it and/or join our slack channels to promote it, before it automatically closes (in 7 days).
Still relevant.
This issue was automatically considered stale due to lack of activity. Please update it and/or join our slack channels to promote it, before it automatically closes (in 7 days).
Would still be interesting.
This issue was automatically considered stale due to lack of activity. Please update it and/or join our slack channels to promote it, before it automatically closes (in 7 days).
Following https://github.com/kubereboot/kured/pull/814 , a reboot method option is being added which can be 'command' or 'signal'. Following an idea by @sftim https://github.com/kubereboot/kured/issues/416#issuecomment-1825047502 it would be natural to consider adding a 3rd option for reboot method, "path", which relies on systemd units on the node to trigger a reboot by writing to a path on the node. Third party security-focused admission controllers could be used to ensure that kured only has write access to an approved location, like /var/run/kured.
Disadvantage: requires admins to set up systemd units on the node out of band - though they may wish to anyway as this would also be a convenient way to do automated OS updates with a systemd timer. Kured could document recommended systemd unit files to install for this.
Advantage: The kured pod would not even need to have CAP_KILL or hostPID, so it would be as minimally privileged as possible.