stakater / Reloader

A Kubernetes controller to watch changes in ConfigMap and Secrets and do rolling upgrades on Pods with their associated Deployment, StatefulSet, DaemonSet and DeploymentConfig – [✩Star] if you're using it!
https://docs.stakater.com/reloader/
Apache License 2.0
7.45k stars 493 forks

[Question] What are the rights that are necessary and how does it work behind the scenes? #394

Open paillave opened 1 year ago

paillave commented 1 year ago

I am wondering what it takes to use the reloader. The client we are serving wants to know in detail how it works to ensure their k8s infrastructure is not at risk in any case. Can you tell what is, technically speaking, the principle of the reloader installed the following way?

 kubectl apply -k https://github.com/stakater/Reloader/deployments/kubernetes

and used the following way:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  labels:
    app: nginx
  annotations:
    reloader.stakater.com/auto: "true"
[...]

faizanahmad055 commented 1 year ago

In simple terms, Reloader needs:

looks for change events in:

So, it just looks for change events and if a resource has a reloader annotation and corresponds to the change, it will create/update an environment variable in that resource (i.e. deployment) to trigger a rolling update.

Ghilteras commented 1 year ago

@faizanahmad055 how do we exclude ClusterRole and ClusterRoleBinding from the templates? If I just link the repo as a dependency on my chart it will try to deploy these cluster-wide role/bindings for which I have no permissions. How do I override this in the values file so that it deploys Role and RoleBinding instead of ClusterRole and ClusterRoleBinding?

faizanahmad055 commented 1 year ago

You need to set the watchGlobally flag to false. Please check the readme.

helm install stakater/reloader --set reloader.watchGlobally=false --namespace test # For helm3 add --generate-name flag or set the release name
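
As an added example (not part of the thread and not Reloader's own code), a small Python check that compares a Role or ClusterRole against the access the replies above describe: reading and watching ConfigMaps and Secrets, and updating the workloads named in the project description. The baseline verbs, the `audit` helper and both sample manifests are constructed assumptions, not the project's shipped RBAC.

```python
# Added example: flag RBAC grants beyond what the thread describes.
# BASELINE is an assumption drawn from the description in the thread
# (watch ConfigMaps/Secrets, update annotated workloads); it is not
# Reloader's shipped manifest, so compare it with the real one first.
READ = {"get", "list", "watch"}
WRITE = READ | {"update", "patch"}
BASELINE = {
    "configmaps": READ, "secrets": READ,
    "deployments": WRITE, "statefulsets": WRITE,
    "daemonsets": WRITE, "deploymentconfigs": WRITE,
}

def audit(manifest, expect_namespaced=True):
    """Return a list of findings for one Role/ClusterRole given as a dict."""
    findings = []
    # With watchGlobally=false only namespaced Role objects are expected.
    if expect_namespaced and manifest["kind"] == "ClusterRole":
        findings.append("scope: ClusterRole present although a namespaced Role was expected")
    for i, rule in enumerate(manifest.get("rules", [])):
        for res in rule.get("resources", []):
            for verb in rule.get("verbs", []):
                if "*" in (res, verb):
                    findings.append(f"rule {i}: wildcard grant '{verb}' on '{res}'")
                elif res not in BASELINE:
                    findings.append(f"rule {i}: unexpected resource '{res}'")
                elif verb not in BASELINE[res]:
                    findings.append(f"rule {i}: excess verb '{verb}' on '{res}'")
    return findings

# Constructed sample manifests, in the shape `kubectl get role -o json` returns.
NAMESPACED = {"kind": "Role", "rules": [
    {"apiGroups": [""], "resources": ["configmaps", "secrets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets", "daemonsets"],
     "verbs": ["get", "list", "update", "patch"]},
]}
TOO_BROAD = {"kind": "ClusterRole", "rules": [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "delete"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]},
]}

if __name__ == "__main__":
    for name, m in (("NAMESPACED", NAMESPACED), ("TOO_BROAD", TOO_BROAD)):
        print(name, audit(m) or "ok")
```
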