Kuberntes sysctls

PodSecurityPolicy

version at least v1.11

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: sysctl-psp
spec:
  allowedUnsafeSysctls:
  - kernel.msg*
  forbiddenSysctls:
  - kernel.shm_rmid_forced

Sysctls

Sysctls 允许容器设置内核参数，分为安全 Sysctls 和非安全 Sysctls

安全 Sysctls：即设置后不影响其他 Pod 的内核选项，只作用在容器 namespace 中，默认开启。包括以下几种

kernel.shm_rmid_forced
net.ipv4.ip_local_port_range
net.ipv4.tcp_syncookies

非安全 Sysctls：即设置好有可能影响其他 Pod 和 Node 上其他服务的内核选项，默认禁止。如果使用，需要管理员在配置 kubelet 时开启，如

kubelet –experimental-allowed-unsafe-sysctls ‘kernel.msg*,net.ipv4.route.min_pmtu’

spec:
    securityContext:
    privileged: true
    sysctls:
        - name: net.core.rmem_max
        value: "4194304"
        - name: net.core.rmem_default
        value: "2097152"
        - name: net.core.wmem_max
        value: "4194304"
        - name: net.core.wmem_default
        value: "2097152"

SysctlForbidden

Enabling Unsafe Sysctls

如果要在 Kuberntes 上进行修改，那如何操作？

1	kubelet --experimental-allowed-unsafe-sysctls 'kernel.msg*,kernel.shmmax,kernel.sem,net.ipv4.route.min_pmtu'

Python Java Android Django Web -> sulang357159@gmail.com

Kuberntes sysctls

PodSecurityPolicy

Sysctls

Enabling Unsafe Sysctls

Reference