This is an automated email from the ASF dual-hosted git repository.
pjfanning pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/pekko-management.git
The following commit(s) were added to refs/heads/main by this push:
new 931786cc docs: add Alternative with Custom Resource Definition section
to rolling-updates.md (#810)
931786cc is described below
commit 931786cc71a9f02974b14eb99127a1ae1cca8c63
Author: PJ Fanning <[email protected]>
AuthorDate: Sun May 31 19:44:04 2026 +0100
docs: add Alternative with Custom Resource Definition section to
rolling-updates.md (#810)
Co-authored-by: copilot-swe-agent[bot]
<[email protected]>
---
docs/src/main/paradox/rolling-updates.md | 52 +++++++++++++++++++++++++++++++-
1 file changed, 51 insertions(+), 1 deletion(-)
diff --git a/docs/src/main/paradox/rolling-updates.md
b/docs/src/main/paradox/rolling-updates.md
index 33cce271..800f6cf6 100644
--- a/docs/src/main/paradox/rolling-updates.md
+++ b/docs/src/main/paradox/rolling-updates.md
@@ -109,7 +109,7 @@ setting `pekko.rollingupdate.kubernetes.namespace` or by
providing `KUBERNETES_N
@@@ warning
-This extension uses the Kubernetes API to set the `pod-deletion-cost`
annotation on its own pod. To be able to do that, it requires special
permission to be able to `patch` the pod configuration. Each pod only needs
access to the namespace they are in.
+This extension uses the Kubernetes API to set the `pod-deletion-cost`
annotation on its own pod. To be able to do that, it requires special
permission to be able to `patch` the pod configuration. Each pod only needs
access to the namespace they are in. If this is a security concern in your
environment you may instead use @ref:[Alternative with Custom Resource
Definition](#alternative-with-custom-resource-definition).
@@@
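Review bot: The sentence added to the warning calls `patch` a possible "security concern" without saying what the concern is, so a reader cannot tell whether it applies to their environment. The text says the extension only sets the `pod-deletion-cost` annotation on its own pod, but RBAC cannot scope the `patch` verb to a single annotation, so the permission is broader than the stated use. Suggest saying that in one clause before linking to the alternative. Minor: add a comma after "in your environment", and align the wording with the new section's opening ("to allow "patch" in RBAC") so both places describe the same concern.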
@@ -146,6 +146,56 @@ This RBAC example covers only the permissions needed for
this `PodDeletionCost`
@@@
+#### Alternative with Custom Resource Definition
+
+If it's a security concern in your environment to allow "patch" in RBAC as
described above, you can instead use an
+intermediate Custom Resource Definition (CRD). Instead of updating the
`controller.kubernetes.io/pod-deletion-cost`
+annotation directly it will update a `PodCost` custom resource and then you
would have an operator that reconciles
+that and updates the pod-deletion-cost annotation of the pod resource.
+
+@@@ note
+
+You would have to write the Kubernetes operator that watches the `PodCost`
resource and updates the
+`controller.kubernetes.io/pod-deletion-cost` annotation of the corresponding
pod resource. This operator
+is not provided by Pekko.
+
+@@@
+
+Enable updates of custom resource with configuration:
+
+```
+pekko.rollingupdate.kubernetes.custom-resource.enabled = true
+```
+
+The `PodCost` CRD:
+
+@@snip [pod-cost.yml](/rolling-update-kubernetes/pod-cost.yml) {}
+
+The RBAC for the application to update the `PodCost` CR, instead of "patch" of
the "pods" resources:
+
+```
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: podcost-access
+rules:
+ - apiGroups: ["pekko.apache.org"]
+ resources: ["podcosts"]
+ verbs: ["get", "create", "update", "delete", "list"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: podcost-access
+subjects:
+ - kind: User
+ name: system:serviceaccount:<YOUR NAMESPACE>:default
+roleRef:
+ kind: Role
+ name: podcost-access
+ apiGroup: rbac.authorization.k8s.io
+```
+
## app-version from Deployment
When using Cluster Sharding, it is
[recommended](https://pekko.apache.org/docs/pekko/current/additional/rolling-updates.html#cluster-sharding)
to define an increasing `pekko.cluster.app-version` configuration property for
each roll out.
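Review bot: The RoleBinding subject `system:serviceaccount:<YOUR NAMESPACE>:default` grants the `podcosts` permissions to the namespace's `default` service account, which is shared by every pod in the namespace that does not set its own service account. For a section offered as the lower-privilege option, suggest binding a dedicated service account for the application (a `kind: ServiceAccount` subject) and noting that the Deployment must reference it. The verbs list `["get", "create", "update", "delete", "list"]` is also given without explanation; please document which operations the extension performs or trim the list to those. The note about the operator should state that the operator's own service account then needs `patch` on pods, so the permission moves to one component rather than going away. Style: the two new code fences have no language tag.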