infra/kubernetes
1
0
Fork 0
Code Pull Requests 3 Activity

Compare commits

base: infra:e3cb7212bb4b3bd56a9310d937d060348a43515d
Branches Tags
infra:master infra:updatebot/music-assistant infra:updatebot/paperless-ngx infra:updatebot/home-assistant infra:jenkins-buildroot infra:xactmon-doc infra:etcd infra:dch-webhooks-secrets
..
compare: infra:155836889760f1b56a0fa07e6965c34956ed3feb
Branches Tags
infra:updatebot/music-assistant infra:updatebot/paperless-ngx infra:updatebot/home-assistant infra:master infra:jenkins-buildroot infra:xactmon-doc infra:etcd infra:dch-webhooks-secrets

11 Commits
e3cb7212bb ... 1558368897

Author SHA1 Message Date
bot
1558368897 zwavejs2mqtt: Update to 11.5.2 2025-10-18 11:32:11 +00:00
bot
79ab42b673 zigbee2mqtt: Update to 2.6.2 2025-10-18 11:32:11 +00:00
bot
e36d3270fd home-assistant: Update to 2025.10.3 2025-10-18 11:32:10 +00:00
Dustin C. Hatch
bbcf2d7599 grafana: Increase readiness probe timeout 
Sometimes, Grafana gets pretty slow, especially when it's running on one
of the Raspberry Pi nodes.  When this happens, the health check may take
longer than the default timeout of 1 second to respond.  This then marks
the pod as unhealthy, even though it's still working.
 2025-10-13 13:36:38 -05:00
Dustin C. Hatch
d5a7b5bc2d k8s-reboot-coordinator: Initial deploy 
The `k8s-reboot-coordinator` coordinates node reboots throughout the
cluster.  It runs as a DaemonSet, watching for the presence of a
sentinel file, `/run/reboot-needed` on the node.  When the file appears,
it acquires a lease, to ensure that only one node reboots at a time,
cordons and drains the node, and then triggers the reboot by running
a command on the host.  After the node has rebooted, the daemon will
release the lock and uncordon the node.
 2025-10-13 13:36:38 -05:00
Dustin C. Hatch
5c6a77c47c policy: Add policy to prevent host network usage 
The `policy` Kustomize project defines various cluster-wide security
policies.  Initially, this includes a Validating Admission Policy that
prevents pods from using the host's network namespace.
 2025-10-13 13:36:38 -05:00
Dustin
e1874565b8 Merge pull request 'gotenberg: Update to 8.23.1' (#85) from updatebot/paperless-ngx into master 
Reviewed-on: #85
 2025-10-12 23:55:49 +00:00
Dustin
2e4d356fb7 Merge pull request 'authelia: Update to 4.39.10' (#86) from updatebot/authelia into master 
Reviewed-on: #86
 2025-10-12 23:40:26 +00:00
bot
76566cb027 authelia: Update to 4.39.12 2025-10-11 11:32:16 +00:00
bot
83d85d0b58 tika: Update to 3.2.3.0 2025-10-11 11:32:14 +00:00
bot
d944ae5d3a gotenberg: Update to 8.24.0 2025-10-11 11:32:14 +00:00
10 changed files with 171 additions and 5 deletions
Expand all files Collapse all files

2
authelia/kustomization.yaml
View File

@@ -58,4 +58,4 @@ patches:
name: dch-root-ca
images:
- name: ghcr.io/authelia/authelia
newTag: 4.39.9
newTag: 4.39.12

1
grafana/grafana.yaml
View File

@@ -60,6 +60,7 @@ spec:
port: http
path: /api/health
periodSeconds: 60
timeoutSeconds: 5
startupProbe:
<<: *probe
periodSeconds: 1

4
home-assistant/kustomization.yaml
View File

@@ -152,7 +152,7 @@ patches:
images:
- name: ghcr.io/home-assistant/home-assistant
newTag: 2025.10.2
newTag: 2025.10.3
- name: docker.io/rhasspy/wyoming-whisper
newTag: 2.5.0
- name: docker.io/rhasspy/wyoming-piper
@@ -160,6 +160,6 @@ images:
- name: ghcr.io/koenkk/zigbee2mqtt
newTag: 2.6.2
- name: ghcr.io/zwave-js/zwave-js-ui
newTag: 11.4.1
newTag: 11.5.2
- name: docker.io/library/eclipse-mosquitto
newTag: 2.0.22

36
k8s-reboot-coordinator/jenkins.yaml Normal file
View File

@@ -0,0 +1,36 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: jenkins.k8s-reboot-coordinator
labels:
app.kubernetes.io/name: jenkins.k8s-reboot-coordinator
app.kubernetes.io/component: k8s-reboot-coordinator
app.kubernetes.io/part-of: k8s-reboot-coordinator
rules:
- apiGroups:
- apps
resources:
- daemonsets
resourceNames:
- k8s-reboot-coordinator
verbs:
- get
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: jenkins.k8s-reboot-coordinator
labels:
app.kubernetes.io/name: jenkins.k8s-reboot-coordinator
app.kubernetes.io/component: k8s-reboot-coordinator
app.kubernetes.io/part-of: k8s-reboot-coordinator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: jenkins.k8s-reboot-coordinator
subjects:
- kind: ServiceAccount
name: default
namespace: jenkins-jobs

37
k8s-reboot-coordinator/kustomization.yaml Normal file
View File

@@ -0,0 +1,37 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
labels:
- pairs:
app.kubernetes.io/instance: k8s-reboot-coordinator
includeSelectors: true
resources:
- https://git.pyrocufflink.net/dustin/k8s-reboot-coordinator//kubernetes?ref=master
- service.yaml
- jenkins.yaml
images:
- name: k8s-reboot-coordinator
newName: git.pyrocufflink.net/packages/k8s-reboot-coordinator
newTag: latest
patches:
- patch: |-
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: k8s-reboot-coordinator
spec:
template:
spec:
containers:
- name: k8s-reboot-coordinator
imagePullPolicy: Always
env:
- name: RUST_LOG
value: k8s_reboot_coordinator=debug,info
imagePullSecrets:
- name: imagepull-gitea

14
k8s-reboot-coordinator/service.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: &name k8s-reboot-coordinator
labels: &labels
app.kubernetes.io/name: *name
app.kubernetes.io/component: *name
app.kubernetes.io/part-of: *name
spec:
selector: *labels
ports:
- port: 8000
targetPort: http
name: http

4
paperless-ngx/kustomization.yaml
View File

@@ -47,6 +47,6 @@ images:
- name: ghcr.io/paperless-ngx/paperless-ngx
newTag: 2.18.4
- name: docker.io/gotenberg/gotenberg
newTag: 8.23.0
newTag: 8.24.0
- name: docker.io/apache/tika
newTag: 3.2.2.0
newTag: 3.2.3.0

30
policy/README.md Normal file
View File

@@ -0,0 +1,30 @@
# Cluster Policies
## Validating Admission Policy
To enable (prior to Kubernetes v1.30):
1. Add the following to `apiServer.extraArgs` in the `ClusterConfiguration` key
of the `kubeadm-config` ConfigMap:
```yaml
feature-gates: ValidatingAdmissionPolicy=true
runtime-config: admissionregistration.k8s.io/v1beta1=true
```
2. Redeploy the API servers using `kubeadm`:
```sh
doas kubeadm upgrade apply v1.29.15 --yes
```
### disallow-hostnetwork
This policy prevents pods from running in the host's network namespace. This is
especially important because most nodes are connected to the storage network
VLAN, so allowing pods to use the host network namespace would give them access
to the iSCSI LUNs and NFS shares on the NAS.
If a trusted pod needs to run in the host's network namespace, its Kubernetes
namespace can be listed in the exclusion list of the
`disallow-hostnetwork-binding` policy binding resource.

43
policy/disallow-hostnetwork.yaml Normal file
View File

@@ -0,0 +1,43 @@
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: disallow-hostnetwork
spec:
matchConstraints:
resourceRules:
- apiGroups:
- ''
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- pods
validations:
- expression: >-
!has(object.spec.hostNetwork) || !object.spec.hostNetwork
message: >-
Pods must not use hostNetwork: true
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: disallow-hostnetwork-binding
spec:
policyName: disallow-hostnetwork
validationActions:
- Deny
matchResources:
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values:
- calico-system
- democratic-csi
- keepalived
- kube-system
- music-assistant
- tigera-operator

5
policy/kustomization.yaml Normal file
View File

@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- disallow-hostnetwork.yaml