- Allow unsafe sysctls to be run on the node: https://docs.openshift.com/container-platform/4.12/nodes/containers/nodes-containers-sysctls.html#nodes-containers-sysctls-unsafe_nodes-containers-using
  - If setting this for all workers, set the label on the worker mcp:

        # oc label mcp worker custom-kubelet=sysctl

  - Create a KubeletConfig that selects that pool and lists the sysctls the kubelet may accept:

        apiVersion: machineconfiguration.openshift.io/v1
        kind: KubeletConfig
        metadata:
          name: custom-kubelet
        spec:
          machineConfigPoolSelector:
            matchLabels:
              custom-kubelet: sysctl
          kubeletConfig:
            allowedUnsafeSysctls:
              - "net.ipv4.tcp_tw_reuse"
- Allow the sysctl to be used by the service account. This involves creating a custom scc and adding the sysctl you wish to allow under allowedUnsafeSysctls.
  - Create the custom scc; this one is copied from restricted-v2 with only allowedUnsafeSysctls added:

        allowHostDirVolumePlugin: false
        allowHostIPC: false
        allowHostNetwork: false
        allowHostPID: false
        allowHostPorts: false
        allowPrivilegeEscalation: false
        allowPrivilegedContainer: false
        allowedUnsafeSysctls:
          - "net.ipv4.tcp_tw_reuse"
        allowedCapabilities:
          - NET_BIND_SERVICE
        apiVersion: security.openshift.io/v1
        defaultAddCapabilities: null
        fsGroup:
          type: MustRunAs
        groups: []
        kind: SecurityContextConstraints
        metadata:
          name: sysctl-restricted-v2
        priority: null
        readOnlyRootFilesystem: false
        requiredDropCapabilities:
          - ALL
        runAsUser:
          type: MustRunAsRange
        seLinuxContext:
          type: MustRunAs
        seccompProfiles:
          - runtime/default
        supplementalGroups:
          type: RunAsAny
        users: []
        volumes:
          - configMap
          - csi
          - downwardAPI
          - emptyDir
          - ephemeral
          - persistentVolumeClaim
          - projected
          - secret

  - Allow the service account to use this new scc; the service account in my example is just default:

        # oc adm policy add-scc-to-user sysctl-restricted-v2 -n MY_PROJECT -z default
- Setting the sysctl via the pod/deployment/statefulset once enabled: https://docs.openshift.com/container-platform/4.12/nodes/containers/nodes-containers-sysctls.html#nodes-containers-starting-pod-with-unsafe-sysctls_nodes-containers-using
  - On a deployment set: deployment.spec.template.spec.securityContext.sysctls
  - On a stateful set: statefulset.spec.template.spec.securityContext.sysctls
  - In both cases the pod template section looks like this:

        spec:
          template:
            spec:
              securityContext:
                sysctls:
                  - name: net.ipv4.tcp_tw_reuse
                    value: "1"
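An added example (not part of the gist) that shows why both of the steps above are needed: a requested sysctl that is not on the Kubernetes safe list must pass the SCC allowlist at the API server and then the kubelet's allowlist on the node the pod lands on. The KubeletConfig, SCC and pod template are embedded as constructed Python dicts mirroring the YAML above, and the pod is assumed to schedule onto a node in the labelled pool.

```python
from fnmatch import fnmatchcase

# Sysctls Kubernetes treats as namespaced and safe; anything else is "unsafe"
# and must pass both allowlists below.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
}

# Constructed dicts mirroring the KubeletConfig and SCC from the steps above.
KUBELET_CONFIG = {"kubeletConfig": {"allowedUnsafeSysctls": ["net.ipv4.tcp_tw_reuse"]}}
SCC = {"metadata": {"name": "sysctl-restricted-v2"},
       "allowedUnsafeSysctls": ["net.ipv4.tcp_tw_reuse"]}
# Constructed pod template spec, as set on the deployment above.
POD_SPEC = {"securityContext": {"sysctls": [{"name": "net.ipv4.tcp_tw_reuse", "value": "1"}]}}

def _matches(name, patterns):
    """Allowlist entries are exact names or prefix patterns ending in '*'."""
    return any(fnmatchcase(name, p) for p in patterns)

def check_sysctls(pod_spec, scc, kubelet_config):
    """Return (sysctl, verdict) per requested sysctl, in the order the gates apply:
    SCC admission at the API server first, then the kubelet's own allowlist."""
    verdicts = []
    requested = pod_spec.get("securityContext", {}).get("sysctls", [])
    scc_allowed = scc.get("allowedUnsafeSysctls", [])
    kubelet_allowed = kubelet_config["kubeletConfig"].get("allowedUnsafeSysctls", [])
    for entry in requested:
        name = entry["name"]
        if name in SAFE_SYSCTLS:
            verdicts.append((name, "safe"))
        elif not _matches(name, scc_allowed):
            verdicts.append((name, "denied by SCC"))
        elif not _matches(name, kubelet_allowed):
            verdicts.append((name, "rejected by kubelet (SysctlForbidden)"))
        else:
            verdicts.append((name, "allowed"))
    return verdicts

if __name__ == "__main__":
    for name, verdict in check_sysctls(POD_SPEC, SCC, KUBELET_CONFIG):
        print(f"{name}: {verdict}")
```

A sysctl missing from the SCC never reaches a node; one present in the SCC but missing from the KubeletConfig is accepted by the API server and then fails on the node, which is the harder case to spot.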
Last active: February 2, 2024 16:24
Unsafe sysctl pod level