From 025c86bf665b5093d48b3f977c51fdbd4df23401 Mon Sep 17 00:00:00 2001
From: Jan Chaloupka
Date: Tue, 29 May 2018 19:36:02 +0200
Subject: [PATCH] Promote sysctls to Beta
---
 .../feature-gates.md | 2 +
 .../administer-cluster/sysctl-cluster.md | 44 ++++++++++++-------
 2 files changed, 31 insertions(+), 15 deletions(-)
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
index 95a4b15724a37..46166a2182d67 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -86,6 +86,7 @@ different Kubernetes components.
 | `SupportIPVSProxyMode` | `false` | Beta | 1.9 | 1.9 |
 | `SupportIPVSProxyMode` | `true` | Beta | 1.10 | |
 | `SupportPodPidsLimit` | `false` | Alpha | 1.10 | |
+| `Sysctls` | `true` | `Beta` | 1.11 | |
 | `TaintBasedEvictions` | `false` | Alpha | 1.6 | |
 | `TaintNodesByCondition` | `false` | Alpha | 1.8 | |
 | `TokenRequest` | `false` | Alpha | 1.10 | |
@@ -211,6 +212,7 @@ Each feature gate is designed for enabling/disabling a specific feature:
 - `SupportIPVSProxyMode`: Enable providing in-cluster service load balancing using IPVS. See [service proxies](/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies) for more details.
 - `SupportPodPidsLimit`: Enable the support to limiting PIDs in Pods.
+- `Sysctls`: Comma-separated whitelist of unsafe sysctls or unsafe sysctl patterns (ending in `*`)
 - `TaintBasedEvictions`: Enable evicting pods from nodes based on taints on nodes and tolerations on Pods. See [taints and tolerations](/docs/concepts/configuration/taint-and-toleration/) for more details.
 - `TaintNodesByCondition`: Enable automatic tainting nodes based on [node conditions](/docs/concepts/architecture/nodes/#condition).
diff --git a/content/en/docs/tasks/administer-cluster/sysctl-cluster.md b/content/en/docs/tasks/administer-cluster/sysctl-cluster.md
index 8ea3e4a30e3f0..cfefe37a3a798 100644
--- a/content/en/docs/tasks/administer-cluster/sysctl-cluster.md
+++ b/content/en/docs/tasks/administer-cluster/sysctl-cluster.md
@@ -74,7 +74,7 @@ application tuning.
 _Unsafe_ sysctls are enabled on a node-by-node basis with a flag of the kubelet, e.g.:
 ```shell
-$ kubelet --experimental-allowed-unsafe-sysctls \
+$ kubelet --allowed-unsafe-sysctls \
     'kernel.msg*,net.ipv4.route.min_pmtu' ...
 ```
@@ -105,20 +105,25 @@ manually by the cluster admin, either by means of the underlying Linux distribution of the nodes (e.g. via `/etc/sysctls.conf`) or using a DaemonSet with privileged containers.
-The sysctl feature is an alpha API. Therefore, sysctls are set using annotations
+The sysctl feature is a beta API. The sysctls are set through pod security context
 on pods. They apply to all containers in the same pod.
-Here is an example, with different annotations for _safe_ and _unsafe_ sysctls:
+Here is an example, (notice there is no distinction between _safe_ and _unsafe_ sysctls in the spec):
 ```yaml
 apiVersion: v1
 kind: Pod
 metadata:
   name: sysctl-example
-  annotations:
-    security.alpha.kubernetes.io/sysctls: kernel.shm_rmid_forced=1
-    security.alpha.kubernetes.io/unsafe-sysctls: net.ipv4.route.min_pmtu=1000,kernel.msgmax=1 2 3
 spec:
+  securityContext:
+    sysctls:
+    - name: kernel.shm_rmid_forced
+      value: 1
+    - name: net.ipv4.route.min_pmtu
+      value: 1000,
+    - name: kernel.msgmax
+      value: 1 2 3
 ...
 ```
 {{% /capture %}}
@@ -143,13 +148,22 @@ is recommended to use [taints on nodes](/docs/concepts/configuration/taint-and-toleration/) to schedule those pods onto the right nodes.
-## PodSecurityPolicy Annotations
+## PodSecurityPolicy
-The use of sysctl in pods can be controlled via annotation on the PodSecurityPolicy.
+The use of sysctl in pods can be controlled through `allowedUnsafeSysctls` and
+`forbiddenSysctls` fields on the PodSecurityPolicy.
-Sysctl annotation represents a whitelist of allowed safe and unsafe sysctls
-in a pod spec. It's a comma-separated list of plain sysctl names or sysctl patterns
-(which end in `*`). The string `*` matches all sysctls.
+By default, all safe sysctls are allowed. Currently, the whitelist of safe sysctls corresponds to:
+
+* `kernel.shm_rmid_forced`
+* `net.ipv4.ip_local_port_range`
+* `net.ipv4.tcp_syncookies`
+
+Both `allowedUnsafeSysctls` and `forbiddenSysctls` are lists of plain sysctl names
+or sysctl patterns (which end in `*`). The string `*` matches all sysctls.
+
+The `allowedUnsafeSysctls` field excludes sysctls from the whitelist (`*` means no safe sysctls allowed).
+Any sysctl specified by the `forbiddenSysctls` is on the other hand allowed (`*` means all unsafe sysctls allowed).
 Here is an example, it authorizes binding user creating pod with corresponding sysctls.
@@ -158,12 +172,12 @@ apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: sysctl-psp
-  annotations:
-    security.alpha.kubernetes.io/sysctls: 'net.ipv4.route.*,kernel.msg*'
 spec:
+  allowedUnsafeSysctls:
+  - kernel.msg*
+  forbiddenSysctls:
+  - kernel.shm_rmid_forced
 ...
 ```
 {{% /capture %}}
-
-