Disable coreOS auto-updates

core/controlplane/config/config.go

@@ -454,18 +454,19 @@ type ComputedDeploymentSettings struct {
 // Though it is highly configurable, it's basically users' responsibility to provide `correct` values if they're going beyond the defaults.
 type DeploymentSettings struct {
 	ComputedDeploymentSettings
-	CloudFormation              model.CloudFormation  `yaml:"cloudformation,omitempty"`
-	ClusterName                 string                `yaml:"clusterName,omitempty"`
-	S3URI                       string                `yaml:"s3URI,omitempty"`
-	KeyName                     string                `yaml:"keyName,omitempty"`
-	Region                      model.Region          `yaml:",inline"`
-	AvailabilityZone            string                `yaml:"availabilityZone,omitempty"`
-	ReleaseChannel              string                `yaml:"releaseChannel,omitempty"`
-	AmiId                       string                `yaml:"amiId,omitempty"`
-	DeprecatedVPCID             string                `yaml:"vpcId,omitempty"`
-	VPC                         model.VPC             `yaml:"vpc,omitempty"`
-	DeprecatedInternetGatewayID string                `yaml:"internetGatewayId,omitempty"`
-	InternetGateway             model.InternetGateway `yaml:"internetGateway,omitempty"`
+	CloudFormation                        model.CloudFormation  `yaml:"cloudformation,omitempty"`
+	ClusterName                           string                `yaml:"clusterName,omitempty"`
+	S3URI                                 string                `yaml:"s3URI,omitempty"`
+	DisableContainerLinuxAutomaticUpdates string                `yaml:"disableContainerLinuxAutomaticUpdates,omitempty"`
+	KeyName                               string                `yaml:"keyName,omitempty"`
+	Region                                model.Region          `yaml:",inline"`
+	AvailabilityZone                      string                `yaml:"availabilityZone,omitempty"`
+	ReleaseChannel                        string                `yaml:"releaseChannel,omitempty"`
+	AmiId                                 string                `yaml:"amiId,omitempty"`
+	DeprecatedVPCID                       string                `yaml:"vpcId,omitempty"`
+	VPC                                   model.VPC             `yaml:"vpc,omitempty"`
+	DeprecatedInternetGatewayID           string                `yaml:"internetGatewayId,omitempty"`
+	InternetGateway                       model.InternetGateway `yaml:"internetGateway,omitempty"`
 	// Required for validations like e.g. if instance cidr is contained in vpc cidr
 	VPCCIDR                 string            `yaml:"vpcCIDR,omitempty"`
 	InstanceCIDR            string            `yaml:"instanceCIDR,omitempty"`
@@ -493,8 +494,7 @@ type DeploymentSettings struct {
 	HyperkubeImage model.Image `yaml:"hyperkubeImage,omitempty"`
 	AWSCliImage    model.Image `yaml:"awsCliImage,omitempty"`
 
-	CalicoNodeImage model.Image `yaml:"calicoNodeImage,omitempty"`
-
+	CalicoNodeImage                    model.Image `yaml:"calicoNodeImage,omitempty"`
 	CalicoCniImage                     model.Image `yaml:"calicoCniImage,omitempty"`
 	CalicoCtlImage                     model.Image `yaml:"calicoCtlImage,omitempty"`
 	CalicoKubeControllersImage         model.Image `yaml:"calicoKubeControllersImage,omitempty"`

core/controlplane/config/templates/cloud-config-controller

@@ -44,6 +44,15 @@ coreos:
     etcd_keyfile: /etc/kubernetes/ssl/etcd-client-key.pem
   {{- end }}
   units:
+{{if .DisableContainerLinuxAutomaticUpdates}}
+    - name: disable-automatic-update.service
+      command: start
+      content: |
+        [Unit]
+        Description=Disable Container Linux automatic update. Work around to be removed on Ignition migration.
+        [Service]
+        ExecStart=/usr/bin/sh -c 'for u in update-engine locksmithd; do systemctl stop $${u}.service; systemctl mask $${u}.service; systemctl disable $${u}.service; done; systemctl reset-failed'
+{{end}}
 {{- range $u := .Controller.CustomSystemdUnits}}
     - name: {{$u.Name}}
       {{- if $u.Command }}

core/controlplane/config/templates/cloud-config-etcd

@@ -40,6 +40,15 @@ coreos:
   update:
     reboot-strategy: "off"
   units:
+{{if .DisableContainerLinuxAutomaticUpdates}}
+    - name: disable-automatic-update.service
+      command: start
+      content: |
+        [Unit]
+        Description=Disable Container Linux automatic update. Work around to be removed on Ignition migration.
+        [Service]
+        ExecStart=/usr/bin/sh -c 'for u in update-engine locksmithd; do systemctl stop $${u}.service; systemctl mask $${u}.service; systemctl disable $${u}.service; done; systemctl reset-failed'
+{{end}}
 {{- range $u := .Etcd.CustomSystemdUnits}}
     - name: {{$u.Name}}
       {{- if $u.Command }}

core/controlplane/config/templates/cloud-config-worker

@@ -46,6 +46,15 @@ coreos:
     etcd_keyfile: /etc/kubernetes/ssl/etcd-client-key.pem
   {{- end }}
   units:
+{{if .DisableContainerLinuxAutomaticUpdates}}
+    - name: disable-automatic-update.service
+      command: start
+      content: |
+        [Unit]
+        Description=Disable Container Linux automatic update. Work around to be removed on Ignition migration.
+        [Service]
+        ExecStart=/usr/bin/sh -c 'for u in update-engine locksmithd; do systemctl stop $${u}.service; systemctl mask $${u}.service; systemctl disable $${u}.service; done; systemctl reset-failed'
+{{end}}
 {{- range $u := .CustomSystemdUnits}}
     - name: {{$u.Name}}
       {{- if $u.Command }}

core/controlplane/config/templates/cluster.yaml

@@ -13,6 +13,9 @@ s3URI: {{.S3URI}}
 # The AMI ID of CoreOS.
 amiId: "{{.AmiId}}"
 
+# Container Linux has automatic updates https://coreos.com/os/docs/latest/update-strategies.html. This can be a risk in certain situations and this is why is disabled by default and you can enable it by setting this param to false.
+disableContainerLinuxAutomaticUpdates: true
+
 # The ID of hosted zone to add the externalDNSName to.
 # Either specify hostedZoneId or hostedZone, but not both
 #hostedZoneId: ""