Whitelisting sysctl parameters for a Helm chart

Problem description

I have a Helm chart that deploys an application, but some sysctl parameters also need to be reconfigured for it to run properly. When I install the Helm chart and run `kubectl describe pod/pod_name` on the deployed pod, I get `forbidden sysctl: "kernel.sem" not whitelisted`. I have added a PodSecurityPolicy like this, but no luck.

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: policy
spec:
  allowedUnsafeSysctls:
    - kernel.sem
    - kernel.shmmax
    - kernel.shmall
    - fs.mqueue.msg_max
  seLinux:
    rule: 'RunAsAny'
  runAsUser:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

--- UPDATE --- I also tried setting the kubelet parameters through a config file to allow unsafe sysctls, but I get the error `no kind "KubeletConfiguration" is registered for version "kubelet.config.k8s.io/v1beta1"`. Here is the config file:

apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
allowedUnsafeSysctls:
  - "kernel.sem"
  - "kernel.shmmax"
  - "kernel.shmall"
  - "fs.mqueue.msg_max"

Tags: kubernetes, kubernetes-helm, sysctl

Solution


The kernel.sem sysctl is considered an unsafe sysctl and is therefore disabled by default (only safe sysctls are enabled by default). You can allow one or more unsafe sysctls on a node-by-node basis; to do so, you need to add the --allowed-unsafe-sysctls flag to the kubelet.
Look at "Enabling Unsafe Sysctls"


I've created a simple example to illustrate how it works.

First, I added the --allowed-unsafe-sysctls flag to the kubelet.
In my case I use kubeadm, so I need to add this flag to the /etc/systemd/system/kubelet.service.d/10-kubeadm.conf file:

[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --allowed-unsafe-sysctls=kernel.sem"
...

NOTE: You have to add this flag on every node on which you want to run a Pod with kernel.sem enabled.

Then I reloaded the systemd manager configuration and restarted the kubelet using the command below:

# systemctl daemon-reload && systemctl restart kubelet

Next I created a simple Pod using this manifest file:

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: web
  name: web
spec:
  securityContext:
    sysctls:
    - name: kernel.sem
      value: "250 32000 100 128"
  containers:
  - image: nginx
    name: web

Finally, we can check that it works correctly:

# sysctl -a | grep "kernel.sem"
kernel.sem = 32000      1024000000      500     32000 // on the worker node
# kubectl get pod
NAME   READY   STATUS    RESTARTS   AGE
web    1/1     Running   0          110s
# kubectl exec -it web -- bash
root@web:/# cat /proc/sys/kernel/sem
250     32000   100     128 // inside the Pod

Your PodSecurityPolicy doesn't work as expected because, as you can see in the documentation:

Warning: If you allow unsafe sysctls via the allowedUnsafeSysctls field in a PodSecurityPolicy, any pod using such a sysctl will fail to start if the sysctl is not allowed via the --allowed-unsafe-sysctls kubelet flag as well on that node.
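The two gates described in this answer (the PodSecurityPolicy must list the unsafe sysctl AND the node's kubelet must allow it via --allowed-unsafe-sysctls) can be checked before a Pod is scheduled. The following is an added example, not code from the question, the answer or Kubernetes itself; the safe-sysctl set, the `*` prefix-pattern matching and the verdict strings are my assumptions modelled on the Kubernetes documentation, and the sample kubelet drop-in and PSP list are constructed from the text above.

```python
import re

# Sysctls Kubernetes treats as safe (namespaced and isolated) and enables by default.
# Assumed set, taken from the documented defaults at the time of this answer.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
}

def _matches(name, patterns):
    """Exact match, or prefix match for patterns ending in '*' (e.g. kernel.shm*)."""
    return any(name.startswith(p[:-1]) if p.endswith("*") else name == p
               for p in patterns)

def parse_kubelet_allowed(dropin_text):
    """Pull the --allowed-unsafe-sysctls list out of a kubelet systemd drop-in."""
    m = re.search(r'--allowed-unsafe-sysctls=([^\s"]+)', dropin_text)
    return [s for s in m.group(1).split(",") if s] if m else []

def check_pod_sysctls(requested, psp_allowed, psp_forbidden, kubelet_allowed):
    """Return {sysctl: verdict} for each sysctl a Pod's securityContext requests."""
    verdicts = {}
    for name in requested:
        if _matches(name, psp_forbidden):
            verdicts[name] = "rejected: listed in PodSecurityPolicy forbiddenSysctls"
        elif name in SAFE_SYSCTLS:
            verdicts[name] = "ok: safe sysctl"
        elif not _matches(name, psp_allowed):
            verdicts[name] = "rejected: not in PodSecurityPolicy allowedUnsafeSysctls"
        elif not _matches(name, kubelet_allowed):
            # The node-level failure the question reports: PSP allows it, kubelet does not.
            verdicts[name] = 'rejected: forbidden sysctl: "%s" not whitelisted (kubelet)' % name
        else:
            verdicts[name] = "ok: allowed by both PodSecurityPolicy and kubelet"
    return verdicts

# Constructed sample inputs mirroring the answer's drop-in and the question's PSP.
KUBELET_DROPIN = '''[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --allowed-unsafe-sysctls=kernel.sem"
'''
PSP_ALLOWED = ["kernel.sem", "kernel.shmmax", "kernel.shmall", "fs.mqueue.msg_max"]

if __name__ == "__main__":
    node_allowed = parse_kubelet_allowed(KUBELET_DROPIN)
    wanted = ["kernel.sem", "kernel.shmmax", "net.ipv4.tcp_syncookies", "kernel.msgmax"]
    for k, v in check_pod_sysctls(wanted, PSP_ALLOWED, [], node_allowed).items():
        print(f"{k}: {v}")
```

Run it against each node's kubelet drop-in before installing the chart; any "rejected" verdict predicts the same failure kubectl describe would show afterwards.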

