init container "sysctl: error setting key 'net.ipv4.ip_local_port_range': Read-only file system"
The problem is that you cannot run sysctl without the privileged mode due to security reasons. This is expected since docker restricts access to /proc and /sys.
In order for this to work you need to use the privileged mode for the init container and then either:
- Use sysctls in a Kubernetes Cluster by specifying a proper securityContext for a Pod. For example:

```yaml
securityContext:
  sysctls:
  - name: kernel.shm_rmid_forced
    value: "0"
  - name: net.core.somaxconn
    value: "1024"
  - name: kernel.msgmax
    value: "65536"
```
- Use PodSecurityPolicy to control which sysctls can be set in pods by specifying lists of sysctls or sysctl patterns in the forbiddenSysctls and/or allowedUnsafeSysctls fields of the PodSecurityPolicy. For example:

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: sysctl-psp
spec:
  allowedUnsafeSysctls:
  - kernel.msg*
  forbiddenSysctls:
  - kernel.shm_rmid_forced
```
Notice that: if you allow unsafe sysctls via the allowedUnsafeSysctls field in a PodSecurityPolicy, any pod using such a sysctl will fail to start if the sysctl is not allowed via the --allowed-unsafe-sysctls kubelet flag as well on that node.
- You can also set a limited number of sysctls on a container-local basis with docker run --sysctl.
I also recommend going through the whole linked documentation as caution is advised because use of unsafe sysctls is at-your-own-risk and can lead to severe problems like wrong behavior of containers, resource shortage or complete breakage of a node.
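The admission logic the answer describes (forbiddenSysctls is checked first, then safe sysctls pass, then an unsafe sysctl needs both the PSP's allowedUnsafeSysctls and the node's --allowed-unsafe-sysctls kubelet flag), modelled as an added Python example that is not code from the answer or from Kubernetes. It assumes the small set of namespaced sysctls Kubernetes classifies as safe (which includes net.ipv4.ip_local_port_range from the question title) and uses the answer's PodSecurityPolicy and sysctl list as constructed input.

```python
# Namespaced sysctls that Kubernetes classifies as "safe" (settable without
# any allow-list); every other name is treated as "unsafe". Assumed from the
# Kubernetes docs; extend it if your cluster version adds more.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
}

# The PodSecurityPolicy from the answer, as a dict (constructed input).
EXAMPLE_PSP = {
    "allowedUnsafeSysctls": ["kernel.msg*"],
    "forbiddenSysctls": ["kernel.shm_rmid_forced"],
}

# The sysctl names requested in the answer's securityContext example.
EXAMPLE_POD_SYSCTLS = ["kernel.shm_rmid_forced", "net.core.somaxconn", "kernel.msgmax"]


def matches(name, patterns):
    """A pattern is an exact sysctl name or a prefix ending in '*' (kernel.msg*)."""
    for pattern in patterns:
        if pattern.endswith("*"):
            if name.startswith(pattern[:-1]):
                return True
        elif name == pattern:
            return True
    return False


def check_pod_sysctls(pod_sysctls, psp, kubelet_allowed_unsafe):
    """Return (ok, problems). forbiddenSysctls wins over everything; a safe
    sysctl then passes; an unsafe one must match the PSP's allowedUnsafeSysctls
    (rejected at admission otherwise) AND the node's --allowed-unsafe-sysctls
    (otherwise the pod is admitted but fails to start on that node)."""
    problems = []
    for name in pod_sysctls:
        if matches(name, psp.get("forbiddenSysctls", [])):
            problems.append(f"{name}: forbidden by PodSecurityPolicy")
        elif name in SAFE_SYSCTLS:
            continue
        elif not matches(name, psp.get("allowedUnsafeSysctls", [])):
            problems.append(f"{name}: unsafe, not in allowedUnsafeSysctls (rejected at admission)")
        elif not matches(name, kubelet_allowed_unsafe):
            problems.append(f"{name}: unsafe, not in kubelet --allowed-unsafe-sysctls (fails to start on node)")
    return not problems, problems


if __name__ == "__main__":
    ok, problems = check_pod_sysctls(EXAMPLE_POD_SYSCTLS, EXAMPLE_PSP, ["kernel.msg*"])
    print("pod admitted" if ok else "pod rejected:\n  " + "\n  ".join(problems))
```

Run against the answer's own manifests, the PSP rejects two of the three sysctls (kernel.shm_rmid_forced is forbidden, net.core.somaxconn is unsafe and not allowed) and only kernel.msgmax passes, and that one still depends on the kubelet flag.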