Is my understanding correct, that the init container applies the change to the host and that it is immediately valid for all pods running on that given host?
If so I should remember to use this with care because different init containers could set different values for same parameter.
That is correct. I would personally avoid using that example as it requires a privileged securityContext. If you want to set the settings for the host, you could do it as a one off job, daemonset, or manage it at the host directly.
A question about the daemonset:
With the daemonsets I got in touch with yet, they are checking if a pod is running on the nodes which are matching the selector. If I delete such a pod it gets restarted immediately.
Setting up these settings needs to be done once after starting the kubernetes node if my assumption is correct.
How can I configure a daemonset to run only once after boot / really seldom?
Is a daemonset always running in privilleged security context or is this optional as in “normal” pods?
It’d still run, but could just sleep and check to ensure the settings are set on an interval.
Its optional for all pods, but is HIGHLY discouraged unless you absolutely need to. For example in our clusters, we have a pod security policy in place that prevents the running of any privileged pod unless its managed by us as admins and is in a few specific namespaces (e.g. kube-system).
As a side note, this Bob is saying might not be so clear how nice it is. You know the reconciliation loop idea of kubernetes? That basically you observe the world, the desired state and then do what is needed (create a pod, delete, etc.) to make both match?
This is basically the same, for your setting. If someone changes it, if it interfieres with another setting from another workload or something, this will be automatically fixed for you.
This has the advantage of “fixing” it without human intervention while you can still log/mail/what is best for you to investigate why this happened when is best for you
