Closed mrocheleau closed 8 months ago
It works fine if I switch the non-signal manifest with the rest of our custom command switches the same outside of the reboot-method=command in the non-signal one.
`time="2024-02-02T18:37:27Z" level=info msg="Reboot is probably not necessary." cmd=/usr/bin/nsenter std=out`
`time="2024-02-02T18:38:00Z" level=info msg="No core libraries or services have been updated." cmd=/usr/bin/nsenter std=out`
Hi @mrocheleau,
you can only set `privileged: false` when you are using the signal-mode AND no custom reboot- or sentinel-command. Any command which should be executed needs the `nsenter` command and privileged permissions. With privileged permissions you can of course use the new signal-mode, but it does not improve the security-configuration.
We should print a warning when the pod is not privileged and a custom-command is configured.
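The warning proposed in the reply above could be implemented along these lines. This is an added example, not kured's own code: `checkPrivilege` and `flagValue` are hypothetical helpers, the sample arguments are constructed, and treating a missing `--reboot-method` as command mode is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// flagValue finds --name in container args ("--name=v" or "--name v" form).
func flagValue(args []string, name string) (string, bool) {
	for i, a := range args {
		if strings.HasPrefix(a, "--"+name+"=") {
			return strings.TrimPrefix(a, "--"+name+"="), true
		}
		if a == "--"+name && i+1 < len(args) {
			return args[i+1], true
		}
	}
	return "", false
}

// checkPrivilege (hypothetical helper) returns one warning per setting that
// makes kured run a command through nsenter while privileged is false.
func checkPrivilege(args []string, privileged bool) []string {
	if privileged {
		return nil // nsenter can work; nothing to warn about
	}
	var warnings []string
	method, ok := flagValue(args, "reboot-method")
	if !ok {
		method = "command" // assumption: command mode when the flag is absent
	}
	if method != "signal" {
		warnings = append(warnings, "reboot-method="+method+" reboots through nsenter")
	}
	for _, name := range []string{"reboot-command", "reboot-sentinel-command"} {
		if v, ok := flagValue(args, name); ok && v != "" {
			warnings = append(warnings, fmt.Sprintf("--%s=%q runs through nsenter", name, v))
		}
	}
	return warnings
}

func main() {
	// Constructed sample: signal mode, custom sentinel command, privileged: false.
	args := []string{"--reboot-method=signal", "--reboot-sentinel-command=sh -c 'custom-check'"}
	for _, w := range checkPrivilege(args, false) {
		fmt.Println("warning: container is not privileged, but", w)
	}
}
```

Feeding it the container's `args` and `securityContext.privileged` value from the DaemonSet manifest gives the same answer at review time, before the pods start logging failures.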
Gotcha, ok this works then and if we ever switch distributions and no longer require a custom command we'll use the signal mode - thanks for the response!
After updating from 1.10.x to 1.15.0 and switching the manifest over to the kured-ds-signal.yaml one, using the signal reboot method and with `privileged` set to `false` on the container, kured comes up fine however is throwing persistent warnings of:
These just keep repeating, one per pod/node.
My relevant portion of the daemonset manifest is:
Are these ignorable errors?