helm-krar is a lightweight Helm chart that installs krar (“Kubernetes Resources Auto Rollout”), a simple mechanism to trigger rollouts on selected Kubernetes workloads so that images referenced by floating tags (e.g., 1.25, 1, latest) are refreshed regularly.
It can be considered a lightweight alternative to tools like Keel for the specific “refresh floating tags” use case.
For full application behavior and configuration semantics, see the upstream project: slash-mnt/awesome-oci-images/tree/main/krar.
Kubernetes does not automatically restart workloads when a tag is re-published in a registry (for example, nginx:1.25 being updated).
krar periodically identifies marked resources and triggers a rollout so nodes re-pull images (when configured appropriately), keeping workloads aligned with the tag’s current digest.
Warning
Triggering a restart affects availability if:
- There is only one replica of the resource.
- The image tag is too permissive and may introduce breaking changes (e.g.,
latestor major version tags).
Important
Only workloads with imagePullPolicy: Always will behave as expected.
At the moment, krar:
- Does not log events clearly
- Does not annotate restarted resources
No dependencies required. The chart installs:
- Some ServiceAccounts
- Wether ClusterRole / ClusterRoleBinding or Role(s) / RoleBinding(s) with limited permissions on:
- core API group
"", including only Pods and Events appsAPI group, limited to at max Deployments, DaemonSets, StatefulSets and ReplicaSets
- core API group
- One or more CronJobs (as many as you define) used to trigger rollouts
- Kubernetes cluster with RBAC enabled
- Helm 3.x
git clone https://github.com/slash-mnt/helm-krar.git
cd helm-krar
helm upgrade --install krar ./ --namespace krar --create-namespacehelm upgrade --install krar ./ --namespace krar --create-namespace -f values.yamlWith default values, add the following label to your Deployment, DaemonSet, or StatefulSet:
krar.slash-mnt.com/rollout-policy: once-a-monthThis label associates the resource with the CronJob named once-a-month.
It's also possible to target resources directly instead of adding an annotation on resources.
Note: requires a ServiceAccount and its ClusterRole/Roles.
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
krar.slash-mnt.com/rollout-policy: once-a-month
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.25
imagePullPolicy: Always
ports:
- containerPort: 80Configuration is managed through values.yaml.
The chart supports defining multiple rollout jobs, each with its own schedule and selection policy. This enables patterns such as:
- Monthly refresh for low-risk services
- Nightly refresh in non-production namespaces
- Different policies per team or workload class
Customization follows the krar application documentation (see upstream repository).
For more information, please see slash-mnt/awesome-oci-images/tree/main/krar.
helm upgrade krar ./ --namespace krar -f values.yamlhelm uninstall krar --namespace krarMIT. See LICENSE.
Maintained by SLASH MNT.