ahachete 9 hours ago

This is conceptually similar to what we did for Postgres extensions at the StackGres [1] project. I gave a talk at a KubeCon about it [2].

However, this scheme is not perfect. Some Kubernetes security solutions enforce immutable containers, and once the agent pulls any additional file into the container, it will be flagged. It's also harder to reason about the security of the image (think CVEs, etc.), given that its true contents are not known ahead of time.

We have also worked on a solution for this, which is to create dynamic container images. It still requires (as of today, may change in the future) restarting the container, but it keeps container images immutable. Apologies for the self-plug, but I believe it may be interesting that I'll speak about it at the Container Days conference in September [3].

[1]: https://stackgres.io

[2]: https://aht.es/#talks-postgres_extensions_in_kubernetes

[3]: https://www.containerdays.io/containerdays-conference-2025/a...

(edit: formatting)

melezhik 15 hours ago

TL;DR - How to invert k8s deployments using application-less containers design

  • desktopninja 10 hours ago

    Time for HashiCorp Nomad to make its comeback?