Whitelisting sysctl parameters for helm chart
The kernel.sem sysctl is considered an unsafe sysctl, therefore it is disabled by default (only safe sysctls are enabled by default). You can allow one or more unsafe sysctls on a node-by-node basis; to do so you need to add the --allowed-unsafe-sysctls flag to the kubelet.
Look at "Enabling Unsafe Sysctls"
I've created a simple example to illustrate how it works.
First I added the --allowed-unsafe-sysctls flag to the kubelet.
In my case I use kubeadm, so I need to add this flag to the /etc/systemd/system/kubelet.service.d/10-kubeadm.conf file:

```
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --allowed-unsafe-sysctls=kernel.sem"
...
```
NOTE: You have to add this flag on every node on which you want to run a Pod with kernel.sem enabled.
Then I reloaded the systemd manager configuration and restarted the kubelet using the command below:

```
# systemctl daemon-reload && systemctl restart kubelet
```
Next I created a simple Pod using this manifest file:

```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: web
  name: web
spec:
  securityContext:
    sysctls:
    - name: kernel.sem
      value: "250 32000 100 128"
  containers:
  - image: nginx
    name: web
```
Finally we can check if it works correctly:

```
# sysctl -a | grep "kernel.sem"
kernel.sem = 32000 1024000000 500 32000    // on the worker node
# kubectl get pod
NAME   READY   STATUS    RESTARTS   AGE
web    1/1     Running   0          110s
# kubectl exec -it web -- bash
root@web:/# cat /proc/sys/kernel/sem
250	32000	100	128    // inside the Pod
```
Your PodSecurityPolicy doesn't work as expected because, as you can see in the documentation:

> Warning: If you allow unsafe sysctls via the allowedUnsafeSysctls field in a PodSecurityPolicy, any pod using such a sysctl will fail to start if the sysctl is not allowed via the --allowed-unsafe-sysctls kubelet flag as well on that node.
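The node-side check described in that warning, as an added example that is not part of the answer above: it reads the --allowed-unsafe-sysctls list out of a kubelet argument string like the one in the kubeadm drop-in, applies the kubelet matching rule (exact name, or a pattern ending in `*` matched as a prefix), and reports which of a Pod's requested sysctls a given node would reject. The safe-sysctl set is an assumption taken from the documented defaults for kubelet versions of that era; confirm it for your version.

```python
import re

# Assumption: the documented set of sysctls the kubelet allows by default
# without any flag. Adjust for your Kubernetes version.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
}


def parse_allowed_unsafe(kubelet_args):
    """Extract the --allowed-unsafe-sysctls list from a kubelet argument
    string, e.g. the KUBELET_KUBECONFIG_ARGS value in the kubeadm drop-in."""
    m = re.search(r"--allowed-unsafe-sysctls[= ]([^\s\"]+)", kubelet_args)
    return m.group(1).split(",") if m else []


def kubelet_allows(sysctl, allowed_unsafe):
    """Kubelet rule: safe sysctls always pass; unsafe ones need an exact
    entry or a prefix pattern ending in '*' (e.g. 'kernel.shm*')."""
    if sysctl in SAFE_SYSCTLS:
        return True
    for entry in allowed_unsafe:
        if entry.endswith("*") and sysctl.startswith(entry[:-1]):
            return True
        if sysctl == entry:
            return True
    return False


def pod_sysctl_problems(pod_sysctls, node_allowed_unsafe):
    """Return the Pod's requested sysctls that this node's kubelet rejects;
    a non-empty result means the Pod fails to start on that node even if a
    PodSecurityPolicy allowed the sysctl."""
    return [s["name"] for s in pod_sysctls
            if not kubelet_allows(s["name"], node_allowed_unsafe)]


# Constructed sample: the Pod from the answer, checked against two nodes.
POD_SYSCTLS = [{"name": "kernel.sem", "value": "250 32000 100 128"}]
NODE_FLAGS = {
    "worker-1": parse_allowed_unsafe(
        '--kubeconfig=/etc/kubernetes/kubelet.conf --allowed-unsafe-sysctls=kernel.sem'),
    "worker-2": parse_allowed_unsafe('--kubeconfig=/etc/kubernetes/kubelet.conf'),
}

if __name__ == "__main__":
    for node, allowed in NODE_FLAGS.items():
        bad = pod_sysctl_problems(POD_SYSCTLS, allowed)
        print(node, "OK" if not bad else "Pod would fail to start, rejected: %s" % bad)
```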