Kubernetes sysctls

PodSecurityPolicy

version at least v1.11

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: sysctl-psp
spec:
  allowedUnsafeSysctls:
  - kernel.msg*
  forbiddenSysctls:
  - kernel.shm_rmid_forced
```

Sysctls

Sysctls allow a container to set kernel parameters. They are divided into safe sysctls and unsafe sysctls.

Safe sysctls: kernel options that, once set, do not affect other Pods; they take effect only inside the container's namespace and are enabled by default. They include the following:

  • kernel.shm_rmid_forced
  • net.ipv4.ip_local_port_range
  • net.ipv4.tcp_syncookies

Unsafe sysctls: kernel options that, once set, may affect other Pods and other services on the Node; they are disabled by default. To use them, the administrator must enable them when configuring the kubelet, for example:

  • `kubelet --experimental-allowed-unsafe-sysctls 'kernel.msg*,net.ipv4.route.min_pmtu'`
```yaml
spec:
  securityContext:
    privileged: true
    sysctls:
    - name: net.core.rmem_max
      value: "4194304"
    - name: net.core.rmem_default
      value: "2097152"
    - name: net.core.wmem_max
      value: "4194304"
    - name: net.core.wmem_default
      value: "2097152"
```
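To make the safe/unsafe split and the PodSecurityPolicy matching rules concrete, here is an added example (not code from the page or from Kubernetes itself) that re-implements the PSP check in Python: `forbiddenSysctls` wins over everything, a safe sysctl is otherwise always accepted, and an unsafe one is accepted only when an `allowedUnsafeSysctls` entry matches it (a trailing `*` is a prefix match, anything else is an exact match). The policy and pod sysctl list are constructed from the manifests above.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Safe sysctls: namespaced per pod, so always permitted unless forbidden
# (the three the page lists; later releases add a few more).
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
}


def sysctl_matches(name: str, pattern: str) -> bool:
    """PSP pattern semantics: a trailing '*' makes the entry a prefix
    pattern; any other entry must equal the full sysctl name."""
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return name == pattern


@dataclass
class SysctlPolicy:
    allowed_unsafe: List[str] = field(default_factory=list)  # allowedUnsafeSysctls
    forbidden: List[str] = field(default_factory=list)       # forbiddenSysctls


def check_pod_sysctls(sysctls: List[dict], policy: SysctlPolicy) -> List[Tuple[str, str]]:
    """Return (sysctl, reason) for each pod sysctl entry the policy rejects."""
    violations = []
    for entry in sysctls:
        name = entry["name"]
        if any(sysctl_matches(name, p) for p in policy.forbidden):
            violations.append((name, "matches forbiddenSysctls"))
        elif name in SAFE_SYSCTLS:
            continue  # safe sysctl, no allowlist entry needed
        elif any(sysctl_matches(name, p) for p in policy.allowed_unsafe):
            continue  # unsafe, but explicitly allowed by the policy
        else:
            violations.append((name, "unsafe sysctl not in allowedUnsafeSysctls"))
    return violations


# Constructed policy mirroring the sysctl-psp manifest on this page.
PAGE_POLICY = SysctlPolicy(allowed_unsafe=["kernel.msg*"],
                           forbidden=["kernel.shm_rmid_forced"])

# Constructed pod sysctl list: one safe, one matching kernel.msg*, one
# forbidden, and one net.core.* value from the page's pod spec.
SAMPLE_SYSCTLS = [
    {"name": "net.ipv4.tcp_syncookies", "value": "1"},
    {"name": "kernel.msgmax", "value": "65536"},
    {"name": "kernel.shm_rmid_forced", "value": "1"},
    {"name": "net.core.rmem_max", "value": "4194304"},
]
```

Run against `PAGE_POLICY`, the sample list yields two rejections: `kernel.shm_rmid_forced` (forbidden even though it is a safe sysctl) and `net.core.rmem_max` (unsafe and not allowlisted), which is why the page's pod spec needs the kubelet allowlist as well.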

SysctlForbidden: the kubelet rejects a Pod that requests an unsafe sysctl which has not been allowed, and reports this as the Pod's status reason.

Enabling Unsafe Sysctls

If you want to change this on Kubernetes, how do you do it?

```bash
kubelet --experimental-allowed-unsafe-sysctls 'kernel.msg*,kernel.shmmax,kernel.sem,net.ipv4.route.min_pmtu'
```
