A verified tool should have minimal privileges. Review what access Reloader requests:
kubectl describe clusterrole reloader-controller-role
Expected permissions: get, watch, list, update on Deployments, DaemonSets, StatefulSets, ConfigMaps, and Secrets. It should not have delete or create on arbitrary resources.
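The review above can be scripted. The following is an added example, not code from the original page or from the Reloader project: it checks a ClusterRole, in the JSON form printed by kubectl get clusterrole reloader-controller-role -o json, against the verbs and resources listed above. The function name, the file name audit.py and both sample roles are assumptions constructed for illustration.

```python
import json
import sys

# Allow-list taken from the text above; adjust if your chart version differs.
EXPECTED_VERBS = {"get", "watch", "list", "update"}
EXPECTED_RESOURCES = {"deployments", "daemonsets", "statefulsets",
                      "configmaps", "secrets"}


def audit_cluster_role(role):
    """Return a finding for every verb, resource or wildcard outside the allow-list."""
    findings = []
    for i, rule in enumerate(role.get("rules") or []):
        resources = sorted(rule.get("resources") or [])
        for verb in sorted(set(rule.get("verbs") or []) - EXPECTED_VERBS):
            findings.append(f"rule {i}: unexpected verb '{verb}' on {resources}")
        for res in sorted(set(resources) - EXPECTED_RESOURCES):
            findings.append(f"rule {i}: unexpected resource '{res}'")
        if "*" in (rule.get("apiGroups") or []):
            findings.append(f"rule {i}: wildcard apiGroup")
        if rule.get("nonResourceURLs"):
            findings.append(f"rule {i}: grants nonResourceURLs")
    return findings


# Constructed sample roles (not taken from a real cluster or from the chart).
SAMPLE_MINIMAL = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "reloader-controller-role"},
 "rules": [
  {"apiGroups": [""], "resources": ["configmaps", "secrets"],
   "verbs": ["get", "list", "watch"]},
  {"apiGroups": ["apps"], "resources": ["deployments", "daemonsets", "statefulsets"],
   "verbs": ["get", "list", "watch", "update"]}]}
""")
SAMPLE_BROAD = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "reloader-controller-role"},
 "rules": [
  {"apiGroups": ["*"], "resources": ["secrets", "pods"],
   "verbs": ["get", "delete", "*"]}]}
""")

if __name__ == "__main__":
    # Piped input audits a real role: kubectl get clusterrole <name> -o json | python audit.py
    role = SAMPLE_BROAD if sys.stdin.isatty() else json.load(sys.stdin)
    for line in audit_cluster_role(role) or ["no findings"]:
        print(line)
```

Subresources such as deployments/status are reported as unexpected resources because the allow-list matches names exactly.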
For security and performance, Reloader can be configured to operate within specific namespaces rather than cluster-wide.
Reloader does not indiscriminately restart every workload in the cluster. It uses a sophisticated annotation system to determine scope:
Reloader is a Kubernetes controller designed to watch changes in ConfigMaps and Secrets. When these resources are updated, Reloader automatically performs a rolling upgrade on the pods that depend on them.
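Annotate your Deployment so that Reloader watches all ConfigMaps and Secrets it uses.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  annotations:
    # Reload on a change to any ConfigMap or Secret this workload references
    reloader.stakater.com/auto: "true"
spec:
  # apps/v1 requires a selector that matches the pod template labels
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: app
          image: nginx
          envFrom:
            - configMapRef:
                name: app-config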
When app-config changes, Reloader will restart my-app.
The official Helm chart is maintained in sync with the GitHub verified repository.
# Add the Reloader Helm repository (provided by R1N)
helm repo add reloader https://r1n.github.io/reloader
Reloader updates the workload specification by injecting a hash of the ConfigMap/Secret into the Pod template annotations.