195 lines
5.4 KiB
YAML
195 lines
5.4 KiB
YAML
# Version Checker - Container Image Version Monitoring for Kubernetes
|
|
# Namespace: version-checker-system
|
|
#
|
|
# This deploys jetstack/version-checker which monitors all container images
|
|
# running in the cluster and compares them to latest available upstream versions.
|
|
# Metrics are exposed for Prometheus scraping.
|
|
#
|
|
# Documentation: https://github.com/jetstack/version-checker
|
|
#
|
|
# Metrics exposed:
|
|
# - version_checker_is_latest_version{...} = 1 (up to date) or 0 (outdated)
|
|
# - version_checker_image_info{image, current_version, latest_version, ...}
|
|
---
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: version-checker-system
|
|
labels:
|
|
app.kubernetes.io/name: version-checker
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: version-checker
|
|
namespace: version-checker-system
|
|
labels:
|
|
app.kubernetes.io/name: version-checker
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: version-checker
|
|
labels:
|
|
app.kubernetes.io/name: version-checker
|
|
rules:
|
|
# Required to read pod specs to get container images
|
|
- apiGroups: [""]
|
|
resources: ["pods"]
|
|
verbs: ["get", "watch", "list"]
|
|
# Required to check Kubernetes version (optional feature)
|
|
- apiGroups: [""]
|
|
resources: ["nodes"]
|
|
verbs: ["get", "list"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: version-checker
|
|
labels:
|
|
app.kubernetes.io/name: version-checker
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: version-checker
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: version-checker
|
|
namespace: version-checker-system
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: version-checker
|
|
namespace: version-checker-system
|
|
labels:
|
|
app.kubernetes.io/name: version-checker
|
|
app.kubernetes.io/instance: version-checker
|
|
app.kubernetes.io/version: "v0.10.0"
|
|
annotations:
|
|
reloader.stakater.com/auto: "true"
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: version-checker
|
|
app.kubernetes.io/instance: version-checker
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: version-checker
|
|
app.kubernetes.io/instance: version-checker
|
|
app.kubernetes.io/version: "v0.10.0"
|
|
annotations:
|
|
prometheus.io/scrape: "true"
|
|
prometheus.io/port: "8080"
|
|
prometheus.io/path: "/metrics"
|
|
spec:
|
|
serviceAccountName: version-checker
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 1000
|
|
fsGroup: 1000
|
|
containers:
|
|
- name: version-checker
|
|
image: quay.io/jetstack/version-checker:v0.10.0
|
|
imagePullPolicy: IfNotPresent
|
|
args:
|
|
# Test ALL containers in the cluster (not just annotated ones)
|
|
- --test-all-containers
|
|
# How often to re-check versions (default: 1h)
|
|
- --image-cache-timeout=1h
|
|
# Log level
|
|
- --log-level=info
|
|
env:
|
|
- name: DOCKER_CONFIG
|
|
value: /home/nonroot/.docker
|
|
- name: VERSION_CHECKER_GHCR_TOKEN
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: version-checker-ghcr
|
|
key: ghcr.token
|
|
ports:
|
|
- name: metrics
|
|
containerPort: 8080
|
|
protocol: TCP
|
|
resources:
|
|
requests:
|
|
cpu: 10m
|
|
memory: 32Mi
|
|
limits:
|
|
cpu: 100m
|
|
memory: 512Mi
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /healthz
|
|
port: metrics
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 30
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /readyz
|
|
port: metrics
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 10
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
volumeMounts:
|
|
- name: ghcr-docker-config
|
|
mountPath: /home/nonroot/.docker
|
|
readOnly: true
|
|
volumes:
|
|
- name: ghcr-docker-config
|
|
secret:
|
|
secretName: ghcr-creds
|
|
items:
|
|
- key: .dockerconfigjson
|
|
path: config.json
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: version-checker
|
|
namespace: version-checker-system
|
|
labels:
|
|
app.kubernetes.io/name: version-checker
|
|
app.kubernetes.io/instance: version-checker
|
|
spec:
|
|
type: ClusterIP
|
|
ports:
|
|
- name: metrics
|
|
port: 8080
|
|
targetPort: metrics
|
|
protocol: TCP
|
|
selector:
|
|
app.kubernetes.io/name: version-checker
|
|
app.kubernetes.io/instance: version-checker
|
|
---
|
|
# ServiceMonitor for Prometheus Operator (if using kube-prometheus-stack)
|
|
# If you're using plain Prometheus with pod annotations, this can be removed
|
|
# apiVersion: monitoring.coreos.com/v1
|
|
# kind: ServiceMonitor
|
|
# metadata:
|
|
# name: version-checker
|
|
# namespace: version-checker-system
|
|
# labels:
|
|
# app.kubernetes.io/name: version-checker
|
|
# app.kubernetes.io/instance: version-checker
|
|
# # Add your Prometheus selector label if needed
|
|
# # release: prometheus
|
|
# spec:
|
|
# selector:
|
|
# matchLabels:
|
|
# app.kubernetes.io/name: version-checker
|
|
# namespaceSelector:
|
|
# matchNames:
|
|
# - version-checker-system
|
|
# endpoints:
|
|
# - port: metrics
|
|
# interval: 5m
|
|
# scrapeTimeout: 30s
|
|
# path: /metrics |