Add sysctl support #34
Comments
Automatic merge from submit-queue

Add sysctl support

Implementation of proposal #26057, feature kubernetes/enhancements#34

TODO:

- [x] change types.go
- [x] implement docker and rkt support
- [x] add e2e tests
- [x] decide whether we want apiserver validation
- ~~[ ] add documentation~~: api docs exist. Existing PodSecurityContext docs are very light and link back to the api docs anyway: https://github.com/kubernetes/kubernetes.github.io/blob/6684555ed9e3121388d30e9c49ac6556ef0241e0/docs/user-guide/security-context.md
- [x] change PodSecurityPolicy in types.go
- [x] write admission controller support for PodSecurityPolicy
- [x] write e2e test for PodSecurityPolicy
- [x] make sure we are compatible in the sense of https://github.com/kubernetes/kubernetes/blob/master/docs/devel/api_changes.md
- [x] test e2e with rkt: it only works with kubenet, not with the no-op network plugin. The latter has no sysctl support.
- ~~[ ] add RunC implementation~~ (~~if that is already in kube,~~ it isn't)
- [x] update whitelist
- [x] switch PSC fields to annotations
- [x] switch PSP fields to annotations
- [x] decide about `--experimental-whitelist-sysctl` flag to be additive or absolute
- [x] decide whether to add a sysctl node whitelist annotation

### Release notes:

```release-note
The pod annotation `security.alpha.kubernetes.io/sysctls` now allows customization of namespaced and well isolated kernel parameters (sysctls), starting with `kernel.shm_rmid_forced`, `net.ipv4.ip_local_port_range`, `net.ipv4.tcp_max_syn_backlog` and `net.ipv4.tcp_syncookies` for Kubernetes 1.4. The pod annotation `security.alpha.kubernetes.io/unsafeSysctls` allows customization of namespaced sysctls where isolation is unclear. Unsafe sysctls must be enabled at-your-own-risk on the kubelet with the `--experimental-allowed-unsafe-sysctls` flag. Future versions will improve on resource isolation and more sysctls will be considered safe.
```
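The release note above splits sysctls into a safe whitelist (admitted by default) and unsafe ones that a node operator must opt into per kubelet. The following is an added model of that admission decision, not code from the Kubernetes project. Assumed, because the page does not state it: annotation values are comma-separated `name=value` pairs, the kubelet's allowed-unsafe list accepts exact names or `prefix.*` patterns, and `net.core.somaxconn` is a constructed sample of a non-whitelisted sysctl.

```python
"""Model of the safe/unsafe sysctl admission split described in the release note.

Assumptions (not stated on the page): annotation values are comma-separated
``name=value`` pairs, and the kubelet's allowed-unsafe list holds exact names
or ``prefix.*`` patterns.
"""

SYSCTLS_ANNOTATION = "security.alpha.kubernetes.io/sysctls"
UNSAFE_SYSCTLS_ANNOTATION = "security.alpha.kubernetes.io/unsafeSysctls"

# Safe whitelist for Kubernetes 1.4, exactly as listed in the release note.
SAFE_SYSCTLS = frozenset({
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_max_syn_backlog",
    "net.ipv4.tcp_syncookies",
})


def parse_sysctl_annotation(value):
    """Parse 'a=1, b=2 3' into [('a', '1'), ('b', '2 3')]; '' yields []."""
    pairs = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed sysctl entry {item!r}, expected name=value")
        name, val = item.split("=", 1)
        pairs.append((name.strip(), val.strip()))
    return pairs


def _allowed_unsafe(name, allowed_unsafe):
    """True if the kubelet operator enabled this unsafe sysctl (exact or prefix.*)."""
    return any(name.startswith(p[:-1]) if p.endswith("*") else name == p
               for p in allowed_unsafe)


def validate_pod_sysctls(annotations, allowed_unsafe=()):
    """Return rejection reasons for a pod's annotations; [] means admit."""
    try:
        safe_req = parse_sysctl_annotation(annotations.get(SYSCTLS_ANNOTATION, ""))
        unsafe_req = parse_sysctl_annotation(annotations.get(UNSAFE_SYSCTLS_ANNOTATION, ""))
    except ValueError as exc:
        return [str(exc)]
    errors = [f"{n} is not on the safe sysctl whitelist" for n, _ in safe_req
              if n not in SAFE_SYSCTLS]
    errors += [f"unsafe sysctl {n} is not enabled on this kubelet "
               "(--experimental-allowed-unsafe-sysctls)"
               for n, _ in unsafe_req if not _allowed_unsafe(n, allowed_unsafe)]
    return errors
```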
@kubernetes/docs here are the sysctl docs: kubernetes/website#1126
/cc @kubernetes/feature-reviewers
Issues go stale after 90d of inactivity. Prevent issues from auto-closing with an If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or
There are a number of people using sysctls now. I have not heard of any issues with them. I suggest promoting the current API (transformed to native fields in the PSP and on pods) to beta for 1.11. @jeremyeder @vishh @derekwaynecarr @php-coder @kubernetes/sig-node-api-reviews
Thanks, @sttts!
@sttts it needs a feature gate. From the node side, it would be @sjenning who could help push this in sig-node. Will sync w/ @dchen1107 next week. We discussed this briefly in last week's sig-node.
@derekwaynecarr in the kubelet not much would change code-wise. But of course we need a "go" from the node team that they think using sysctls is safe enough for beta. Note that graduation to beta does not say anything about extending the list of safe sysctls.
@sttts If so, can you please ensure the feature is up-to-date with the appropriate:
cc @idvoretskyi
@sttts Do we need to wait until pod annotations become fields, or does it not block us from graduating it to beta?
Yes, they need to become fields.
@php-coder @liggitt so just to clarify, no work planned for 1.11?
@justaugustus promotion to beta is discussed in sig-node /cc @derekwaynecarr
/remove-lifecycle stale
We may update it. Graduation Criteria:
Some discussion in
Enhancements Freeze is 2 days away, Feb 9th EOD PST
The KEP looks good. Any enhancements that do not complete the following requirements by the freeze will require an exception. [DONE] EDIT: updated status in place. Thanks for the update @ehashman.
I will try to get the KEP doc updated today.
@arunmk this is now good to go for 1.21
Thanks @ehashman. I am looking at it now and will update the status in place.
Since your Enhancement is scheduled to be in 1.21, please keep in mind the important upcoming dates:
As a reminder, please link all of your k/k PR(s) and k/website PR(s) to this issue so we can track them. Thanks!
I will work on the flag promotion today:
Read the history implementation and do a summary for this feature:
Hi @pacoxu, the Enhancements team is currently tracking the following PR. With the PR merged, can we mark this enhancement complete for code freeze, or do you have other PR(s) that are being worked on as part of the release? Thanks
@ehashman
(Adding this as a note sent to all) A friendly reminder that Code Freeze is 3 days away, March 9th EOD PST. Any enhancements that are NOT code complete by the freeze will be removed from the milestone and will require an exception to be added back. Please also keep in mind that if this enhancement requires new docs or modification to existing docs, you'll need to follow the steps in the Open a placeholder PR doc to open a PR against the k/website repo by March 16th EOD PST. Thanks!
Hi @arunmk, there is a PR for the e2es; however, those aren't required to merge by code freeze, they will follow the test freeze deadline. Code changes are complete.
@tengqm I opened kubernetes/website#26981 for tracking.
Can you update the
Once that merges, we can close out this issue.
Fine
Description
This feature aims at extending the current pod specification with support
for namespaced kernel parameters (sysctls) set for each pod.
Scope of work planned for v1.11
Progress Tracker
FEATURE_STATUS is used for feature tracking and to be updated by @kubernetes/feature-reviewers.
FEATURE_STATUS: IN_DEVELOPMENT
More advice:
Design
Coding
and sometimes http://github.com/kubernetes/contrib, or other repos.
check that the code matches the proposed feature and design, and that everything is done, and that there is adequate testing. They won't do detailed code review: that already happened when your PRs were reviewed. When that is done, you can check this box and the reviewer will apply the "code-complete" label.
Docs