# KubeSolo OS — Automatic Update CronJob # # This CronJob checks for OS updates every 6 hours, downloads them, # and writes them to the passive partition. It does NOT reboot — # the administrator must trigger a reboot to apply the update. # # The update agent runs as a privileged container with host access # because it needs to: # 1. Read/write GRUB environment (on boot partition) # 2. Mount and write to system partitions # 3. Access block devices via blkid # # Deploy: kubectl apply -f update-cronjob.yaml # Manual trigger: kubectl create job --from=cronjob/kubesolo-update kubesolo-update-manual # apiVersion: batch/v1 kind: CronJob metadata: name: kubesolo-update namespace: kube-system labels: app.kubernetes.io/name: kubesolo-update app.kubernetes.io/component: update-agent app.kubernetes.io/part-of: kubesolo-os spec: schedule: "0 */6 * * *" # Every 6 hours concurrencyPolicy: Forbid successfulJobsHistoryLimit: 3 failedJobsHistoryLimit: 5 jobTemplate: spec: backoffLimit: 1 activeDeadlineSeconds: 600 # 10 min max template: metadata: labels: app.kubernetes.io/name: kubesolo-update spec: restartPolicy: Never hostPID: false hostNetwork: false containers: - name: update image: busybox:latest # Only used for the shell; the binary is host-mounted command: - /host/usr/lib/kubesolo-os/kubesolo-update args: - apply - --server - "$(UPDATE_SERVER_URL)" env: - name: UPDATE_SERVER_URL valueFrom: configMapKeyRef: name: kubesolo-update-config key: server-url optional: true securityContext: privileged: true # Required for mount/blkid access volumeMounts: - name: host-root mountPath: /host readOnly: false - name: dev mountPath: /dev - name: boot mountPath: /boot volumes: - name: host-root hostPath: path: / type: Directory - name: dev hostPath: path: /dev type: Directory - name: boot hostPath: path: /boot type: Directory tolerations: - operator: Exists # Run on any node (there's only one) --- # ConfigMap for update server URL. # Create/update this to point to your update server: # kubectl -n kube-system create configmap kubesolo-update-config \ # --from-literal=server-url=https://updates.example.com apiVersion: v1 kind: ConfigMap metadata: name: kubesolo-update-config namespace: kube-system labels: app.kubernetes.io/name: kubesolo-update app.kubernetes.io/component: update-agent data: server-url: "" # Set to your update server URL --- # Post-boot health check — runs once at boot as a Job. # On KubeSolo OS, this is triggered by the init system (init stage or # systemd-equivalent), but it can also be deployed as a K8s Job for # environments where the init system doesn't run the health check. apiVersion: batch/v1 kind: Job metadata: name: kubesolo-healthcheck namespace: kube-system labels: app.kubernetes.io/name: kubesolo-healthcheck app.kubernetes.io/component: health-check app.kubernetes.io/part-of: kubesolo-os spec: backoffLimit: 3 activeDeadlineSeconds: 300 # 5 min max template: metadata: labels: app.kubernetes.io/name: kubesolo-healthcheck spec: restartPolicy: Never hostPID: false hostNetwork: true # Needed to reach API server at 127.0.0.1:6443 containers: - name: healthcheck image: busybox:latest command: - /host/usr/lib/kubesolo-os/kubesolo-update args: - healthcheck - --timeout - "120" securityContext: privileged: true # Required for grubenv write volumeMounts: - name: host-root mountPath: /host readOnly: false - name: boot mountPath: /boot volumes: - name: host-root hostPath: path: / type: Directory - name: boot hostPath: path: /boot type: Directory tolerations: - operator: Exists