Whitelisting sysctl parameters for helm chart


The kernel.sem sysctl is considered an unsafe sysctl and is therefore disabled by default (only safe sysctls are enabled by default). You can allow one or more unsafe sysctls on a node-by-node basis; to do so you need to add the --allowed-unsafe-sysctls flag to the kubelet.
Look at "Enabling Unsafe Sysctls"


I've created a simple example to illustrate how it works.

First I added the --allowed-unsafe-sysctls flag to the kubelet.
In my case I use kubeadm, so I need to add this flag to the /etc/systemd/system/kubelet.service.d/10-kubeadm.conf file:

[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --allowed-unsafe-sysctls=kernel.sem"
...

NOTE: You have to add this flag on every node where you want to run a Pod with kernel.sem enabled.

Then I reloaded the systemd manager configuration and restarted the kubelet using the command below:

# systemctl daemon-reload && systemctl restart kubelet

Next I created a simple Pod using this manifest file:

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: web
  name: web
spec:
  securityContext:
    sysctls:
    - name: kernel.sem
      value: "250 32000 100 128"
  containers:
  - image: nginx
    name: web

Finally we can check if it works correctly:

# sysctl -a | grep "kernel.sem"
kernel.sem = 32000      1024000000      500     32000 // on the worker node
# kubectl get pod
NAME   READY   STATUS    RESTARTS   AGE
web    1/1     Running   0          110s
# kubectl exec -it web -- bash
root@web:/# cat /proc/sys/kernel/sem
250     32000   100     128 // inside the Pod

Your PodSecurityPolicy doesn't work as expected because, as you can see in the documentation:

Warning: If you allow unsafe sysctls via the allowedUnsafeSysctls field in a PodSecurityPolicy, any pod using such a sysctl will fail to start if the sysctl is not allowed via the --allowed-unsafe-sysctls kubelet flag as well on that node.
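As an added example (not part of the answer above), here is a small pre-flight check in Python that applies the rule the documentation warns about: a Pod sysctl that is not in the kubelet's built-in safe set must be matched by that node's --allowed-unsafe-sysctls flag, otherwise the Pod fails to start even if a PodSecurityPolicy allows it. The safe-sysctl list, the prefix semantics for patterns ending in "*", and the function names are my assumptions, not anything from the answer; confirm the safe list against the Kubernetes version you run.

```python
# Sysctls the kubelet treats as safe and enables without any flag.
# Assumption: matches the documented list for recent releases; verify for yours.
SAFE_SYSCTLS = frozenset({
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
})


def parse_allowed_flag(flag_value):
    """Split a --allowed-unsafe-sysctls value such as "kernel.sem,kernel.shm*"."""
    return [e.strip() for e in flag_value.split(",") if e.strip()]


def sysctl_allowed(name, patterns):
    """Exact match, or prefix match for patterns ending in '*' (kubelet flag semantics)."""
    return any(
        (p.endswith("*") and name.startswith(p[:-1])) or p == name for p in patterns
    )


def classify_pod_sysctls(pod, kubelet_flag, psp_allowed_unsafe=()):
    """Map each entry in spec.securityContext.sysctls to a verdict for one node.

    "safe"               -> enabled by default
    "allowed-by-kubelet" -> unsafe but whitelisted by the node's flag
    "psp-only"           -> PSP allows it, kubelet does not: Pod will not start here
    "blocked"            -> allowed by neither
    """
    node_patterns = parse_allowed_flag(kubelet_flag)
    verdicts = {}
    for entry in pod.get("spec", {}).get("securityContext", {}).get("sysctls", []):
        name = entry["name"]
        if name in SAFE_SYSCTLS:
            verdicts[name] = "safe"
        elif sysctl_allowed(name, node_patterns):
            verdicts[name] = "allowed-by-kubelet"
        elif sysctl_allowed(name, psp_allowed_unsafe):
            verdicts[name] = "psp-only"
        else:
            verdicts[name] = "blocked"
    return verdicts


# Constructed sample: the "web" Pod from the answer, as a dict.
WEB_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "labels": {"run": "web"}},
    "spec": {
        "securityContext": {"sysctls": [{"name": "kernel.sem", "value": "250 32000 100 128"}]},
        "containers": [{"name": "web", "image": "nginx"}],
    },
}

if __name__ == "__main__":
    print(classify_pod_sysctls(WEB_POD, "kernel.sem"))                            # node configured as in the answer
    print(classify_pod_sysctls(WEB_POD, "", psp_allowed_unsafe=["kernel.sem"]))   # node that was missed
```

Run it against each node's kubelet flag before rolling the chart out; any "psp-only" or "blocked" verdict is a node where the Pod will be rejected.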