kubernetes - Whitelisting sysctl parameters for a helm chart
Problem description
I have a helm chart that deploys an application, but it also needs some sysctl parameters reconfigured to run properly. When I install the helm chart and run kubectl describe pod/pod_name on the deployed pod, I get forbidden sysctl: "kernel.sem" not whitelisted. I have added a podsecuritypolicy like this, but no such luck.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: policy
spec:
  allowedUnsafeSysctls:
    - kernel.sem
    - kernel.shmmax
    - kernel.shmall
    - fs.mqueue.msg_max
  seLinux:
    rule: 'RunAsAny'
  runAsUser:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
--- Update --- I also tried setting the kubelet parameters through a config file to allow unsafe sysctls, but I get the error no kind "KubeletConfiguration" is registered for version "kubelet.config.k8s.io/v1beta1". This is the config file:
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
allowedUnsafeSysctls:
  - "kernel.sem"
  - "kernel.shmmax"
  - "kernel.shmall"
  - "fs.mqueue.msg_max"
Solution
The kernel.sem sysctl is considered an unsafe sysctl and is therefore disabled by default (only safe sysctls are enabled by default). You can allow one or more unsafe sysctls on a node-by-node basis; to do so you need to add the --allowed-unsafe-sysctls flag to the kubelet.
Look at "Enabling Unsafe Sysctls".
I've created a simple example to illustrate how it works.
First I added the --allowed-unsafe-sysctls flag to the kubelet.
In my case I use kubeadm, so I need to add this flag to the /etc/systemd/system/kubelet.service.d/10-kubeadm.conf file:
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --allowed-unsafe-sysctls=kernel.sem"
...
NOTE: You have to add this flag on every node where you want to run a Pod with kernel.sem enabled.
Then I reloaded the systemd manager configuration and restarted kubelet using the command below:
# systemctl daemon-reload && systemctl restart kubelet
Next I created a simple Pod using this manifest file:
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: web
  name: web
spec:
  securityContext:
    sysctls:
      - name: kernel.sem
        value: "250 32000 100 128"
  containers:
    - image: nginx
      name: web
Finally we can check if it works correctly:
# sysctl -a | grep "kernel.sem"
kernel.sem = 32000 1024000000 500 32000 // on the worker node
# kubectl get pod
NAME READY STATUS RESTARTS AGE
web 1/1 Running 0 110s
# kubectl exec -it web -- bash
root@web:/# cat /proc/sys/kernel/sem
250 32000 100 128 // inside the Pod
Your PodSecurityPolicy doesn't work as expected because, as you can see in the documentation:
Warning: If you allow unsafe sysctls via the allowedUnsafeSysctls field in a PodSecurityPolicy, any pod using such a sysctl will fail to start if the sysctl is not allowed via the --allowed-unsafe-sysctls kubelet flag as well on that node.
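The warning above is the whole story: the PodSecurityPolicy (removed in Kubernetes 1.25) only gates what a pod may ask for, while the kubelet on each node enforces its own --allowed-unsafe-sysctls list, and a sysctl that is not in the safe set and not on that node's list is rejected with exactly the message the question quotes. The following preflight check is an added example, not code from the answer or from Kubernetes; it reimplements that node-side rule so you can test a manifest against a node's flag value before deploying. The safe-sysctl set and the trailing-* pattern matching follow the kubelet's documented behaviour; the sample pod manifest is constructed from the question's sysctls.

```python
"""Preflight check: would a node's kubelet admit the sysctls a Pod requests?

Added example (not the kubelet's code).  Rule implemented: a sysctl is
admitted if it is in the kubelet's safe set, or if it matches an entry of
that node's --allowed-unsafe-sysctls flag (exact name, or a prefix pattern
ending in '*').  Anything else is rejected with the kubelet's error text.
"""

# Sysctls the kubelet treats as safe (namespaced and isolated between pods).
# The last two were added in later Kubernetes releases, so an older kubelet
# may still reject them; adjust for the cluster version you run.
SAFE_SYSCTLS = frozenset({
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
})

# Constructed manifest: the four sysctls from the question on one Pod.
POD_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {
            "sysctls": [
                {"name": "kernel.sem", "value": "250 32000 100 128"},
                {"name": "kernel.shmmax", "value": "68719476736"},
                {"name": "kernel.shmall", "value": "4294967296"},
                {"name": "fs.mqueue.msg_max", "value": "1024"},
            ]
        },
        "containers": [{"name": "web", "image": "nginx"}],
    },
}


def requested_sysctls(manifest: dict) -> list[str]:
    """Names of the sysctls a Pod manifest asks for (pod-level securityContext)."""
    ctx = manifest.get("spec", {}).get("securityContext", {})
    return [entry["name"] for entry in ctx.get("sysctls", [])]


def parse_allowed_flag(flag_value: str) -> list[str]:
    """Split the comma-separated value of --allowed-unsafe-sysctls."""
    return [p.strip() for p in flag_value.split(",") if p.strip()]


def sysctl_matches(name: str, pattern: str) -> bool:
    """The kubelet flag accepts exact names or prefix patterns ending in '*'."""
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return name == pattern


def forbidden_sysctls(requested: list[str], allowed_flag: str) -> list[str]:
    """Return the kubelet-style error for every requested sysctl the node would reject.

    An empty list means the Pod would be admitted on a node running with
    --allowed-unsafe-sysctls=<allowed_flag>.
    """
    allowed = parse_allowed_flag(allowed_flag)
    errors = []
    for name in requested:
        if name in SAFE_SYSCTLS:
            continue  # always permitted, no flag needed
        if any(sysctl_matches(name, pat) for pat in allowed):
            continue  # unsafe, but explicitly allowed on this node
        errors.append(f'forbidden sysctl: "{name}" not whitelisted')
    return errors


if __name__ == "__main__":
    wanted = requested_sysctls(POD_MANIFEST)
    # Node configured exactly as in the answer: only kernel.sem is allowed.
    for err in forbidden_sysctls(wanted, "kernel.sem"):
        print("node A:", err)
    # Node whose flag covers all four sysctls, using a prefix pattern.
    print("node B:", forbidden_sysctls(wanted, "kernel.sem,kernel.shm*,fs.mqueue.msg_max") or "admitted")
```

Run it against the flag value taken from each node's kubelet unit file (the 10-kubeadm.conf line shown in the answer); a non-empty result on any node means the scheduler can place the Pod there and the kubelet will then refuse to start it, which is the failure mode the question describes.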