• Kubernetes Submit Queue's avatar
    Merge pull request #27180 from sttts/sysctl-implementation · 4ddfc484
    Kubernetes Submit Queue authored
    Automatic merge from submit-queue
    
    Add sysctl support
    
    Implementation of proposal https://github.com/kubernetes/kubernetes/pull/26057, feature  https://github.com/kubernetes/features/issues/34
    
    TODO:
    - [x] change types.go
    - [x] implement docker and rkt support
    - [x] add e2e tests
    - [x] decide whether we want apiserver validation
    - ~~[ ] add documentation~~: api docs exist. Existing PodSecurityContext docs is very light and links back to the api docs anyway: https://github.com/kubernetes/kubernetes.github.io/blob/6684555ed9e3121388d30e9c49ac6556ef0241e0/docs/user-guide/security-context.md
    - [x] change PodSecurityPolicy in types.go
    - [x] write admission controller support for PodSecurityPolicy
    - [x] write e2e test for PodSecurityPolicy
    - [x] make sure we are compatible in the sense of https://github.com/kubernetes/kubernetes/blob/master/docs/devel/api_changes.md
    - [x] test e2e with rkt: it only works with kubenet, not with no-op network plugin. The later has no sysctl support.
    - ~~[ ] add RunC implementation~~ (~~if that is already in kube,~~ it isn't)
    - [x] update whitelist
    - [x] switch PSC fields to annotations
    - [x] switch PSP fields to annotations
    - [x] decide about `--experimental-whitelist-sysctl` flag to be additive or absolute
    - [x] decide whether to add a sysctl node whitelist annotation
    
    ### Release notes:
    
    ```release-note
    The pod annotation `security.alpha.kubernetes.io/sysctls` now allows customization of namespaced and well isolated kernel parameters (sysctls), starting with `kernel.shm_rmid_forced`, `net.ipv4.ip_local_port_range`, `net.ipv4.tcp_max_syn_backlog` and `net.ipv4.tcp_syncookies` for Kubernetes 1.4.
    
    The pod annotation  `security.alpha.kubernetes.io/unsafeSysctls` allows customization of namespaced sysctls where isolation is unclear. Unsafe sysctls must be enabled at-your-own-risk on the kubelet with the `--experimental-allowed-unsafe-sysctls` flag. Future versions will improve on resource isolation and more sysctls will be considered safe.
    ```
    4ddfc484
Name
Last commit
Last update
..
component/scheduler/perf Loading commit data...
e2e Loading commit data...
e2e_node Loading commit data...
fixtures/pkg/kubectl/cmd Loading commit data...
images Loading commit data...
integration Loading commit data...
kubemark Loading commit data...
soak Loading commit data...
utils Loading commit data...
.gitattributes Loading commit data...
OWNERS Loading commit data...
test_owners.csv Loading commit data...