Add sysctl support

[sttts]

Description

This feature aims at extending the current pod specification with support
for namespaced kernel parameters (sysctls) set for each pod.

Scope of work planned for v1.11

• graduate to beta

Progress Tracker

• Before Alpha
  • Design Approval
    • Design Proposal: Add sysctl proposal kubernetes#26057
    • Initial API review (if API).
      • cc @kubernetes/api
    • Identify shepherd (your SIG lead and/or kubernetes-pm@googlegroups.com will be able to help you). My Shepherd is: @vishh
    • Identify secondary/backup contact point @derekwaynecarr
  • Write (code done + tests done + docs done, ready to be merged) then get them merged. Add sysctl support kubernetes#27180
    • Code needs to be disabled by default. Verified by code OWNERS
    • Minimal testing
    • Minimal docs: Add docs/admin/sysctls.md website#1126
      • cc @kubernetes/docs on docs PR
      • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
      • New apis: Glossary Section Item in the docs repo: kubernetes/kubernetes.github.io
    • Update release notes
• Before Beta
  • Testing is sufficient for beta
  • User docs with tutorials
    • Updated walkthrough / tutorial in the docs repo: kubernetes/kubernetes.github.io
    • cc @kubernetes/docs on docs: Promote sysctls to Beta website#8804
    • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
  • Thorough API review
    • cc @kubernetes/api
• Before Stable
  • docs/proposals/foo.md moved to docs/design/foo.md
    • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
  • Soak, load testing
  • detailed user docs and examples
    • cc @kubernetes/docs
    • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off

FEATURE_STATUS is used for feature tracking and to be updated by @kubernetes/feature-reviewers.
FEATURE_STATUS: IN_DEVELOPMENT

More advice:

Design

• Once you get LGTM from a @kubernetes/feature-reviewers member, you can check this checkbox, and the reviewer will apply the "design-complete" label.

Coding

• Use as many PRs as you need. Write tests in the same or different PRs, as is convenient for you.
• As each PR is merged, add a comment to this issue referencing the PRs. Code goes in the http://github.com/kubernetes/kubernetes repository,
  and sometimes http://github.com/kubernetes/contrib, or other repos.
• When you are done with the code, apply the "code-complete" label.
• When the feature has user docs, please add a comment mentioning @kubernetes/feature-reviewers and they will
  check that the code matches the proposed feature and design, and that everything is done, and that there is adequate
  testing. They won't do detailed code review: that already happened when your PRs were reviewed.
  When that is done, you can check this box and the reviewer will apply the "code-complete" label.

Docs

• Write user docs and get them merged in.
• User docs go into http://github.com/kubernetes/kubernetes.github.io.
• When the feature has user docs, please add a comment mentioning @kubernetes/docs.
• When you get LGTM, you can check this checkbox, and the reviewer will apply the "docs-complete" label.

[sttts]

@kubernetes/docs here are the sysctl docs: kubernetes/website#1126

[sttts]

/cc @kubernetes/feature-reviewers

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

[sttts]

There are a number of people using sysctls now. I have not heard any issues with them.

I suggest to promote the current API (transformed to native fields in the PSP and on pods) to beta for 1.11.

@jeremyeder @vishh @derekwaynecarr @php-coder

@kubernetes/sig-node-api-reviews

[jeremyeder]

Thanks, @sttts!

[derekwaynecarr]

@sttts it needs a feature gate.

from node side, it would be @sjenning who could help push this in sig-node. will sync w/ @dchen1107 next week. we discussed this briefly in last weeks sig-node.

[sttts]

@derekwaynecarr in the kubelet not much would change code-wise. But of course we need a "go" from the node team that they think using sysctls is safe enough for beta. Note, that graduation to beta does not say anything about extending the list of safe sysctls.

It's already feature gated. As beta we would switch the default to true. Doesn't look like we had a feature gate sjenning/kubernetes@f4f7220

[justaugustus]

@sttts
Any plans for this in 1.11?

If so, can you please ensure the feature is up-to-date with the appropriate:

• Description
• Milestone
• Assignee(s)
• Labels:
  • stage/{alpha,beta,stable}
  • sig/*
  • kind/feature

cc @idvoretskyi

[php-coder]

@sttts Do we need to wait until pod annotations become fields or it doesn't block us from graduating it to beta?

[liggitt]

@sttts Do we need to wait until pod annotations become fields or it doesn't block us from graduating it to beta?

yes, they need to become fields

[justaugustus]

@php-coder @liggitt so just to clarify, no work planned for 1.11?
Also, would you mind updating the description to fit the new feature description template?

[sttts]

@justaugustus promotion to beta is discussed in sig-node /cc @derekwaynecarr

[sjenning]

/remove-lifecycle stale

[pacoxu]

We may update it.
/remove-lifecycle rotten

Graduation Criteria:

• API changes allowing to configure the pod-scoped sysctl via spec.securityContext field.（cancelled）
• Promote --experimental-allowed-unsafe-sysctls kubelet flag to kubelet config api option
• feature gate enabled by default
• e2e tests promote WIP
• documentation

Some discussion in
https://docs.google.com/document/d/1FbThdQQVNPISNjK4IEqfliuRCA6pLbUiayb3OASOXHA/edit?usp=sharing

[arunmk]

Hi @pacoxu @ehashman

Enhancements Freeze is 2 days away, Feb 9th EOD PST

Enhancements team is aware that KEP update is currently in progress (as per comment). Please make sure to work on PRR questionnaires and requirements and get it merged before the freeze. For PRR related questions or to boost the PR for PRR review, please reach out in slack #prod-readiness

The KEP looks good.

Any enhancements that do not complete the following requirements by the freeze will require an exception.

[DONE] The KEP must be merged in an implementable state: state is currently provisional
[DONE] The KEP must have test plans
[DONE] The KEP must have graduation criteria
[DONE] The KEP must have a production readiness review: needs file under https://github.com/kubernetes/enhancements/tree/master/keps/prod-readiness/sig-node

EDIT: updated status in place. Thanks for the update @ehashman .

[ehashman]

I will try to get the KEP doc updated today.

[ehashman]

@arunmk this is now good to go for 1.21

[arunmk]

Thanks @ehashman . I am looking at it now and will update the status in-place.

[arunmk]

Hi @ehashman, @pacoxu,

Since your Enhancement is scheduled to be in 1.21, please keep in mind the important upcoming dates:

• Tuesday, March 9th: Week 9 - Code Freeze
• Tuesday, March 16th: Week 10 - Docs Placeholder PR deadline
  • If this enhancement requires new docs or modification to existing docs, please follow the steps in the Open a placeholder PR doc to open a PR against k/website repo.

As a reminder, please link all of your k/k PR(s) and k/website PR(s) to this issue so we can track them.

Thanks!

[pacoxu]

I will work on the flag promotion today:

• - Promote --experimental-allowed-unsafe-sysctls kubelet flag to kubelet config api option Done in 1.11(remove experimental) & 1.16(move to kubeadm/kubelet config)
• WIP by @wgahnagl Graduate sysctls to GA  kubernetes#99158 or 【Placeholder】make sure everything done and Promote sysctls to GA version kubernetes#99263 focus on lock feature gate on. (Will be done in 1.21 need to rebase and test fix)
• WIP: Promote e2e to conformance testing Promote sysctls e2e test to Conformance kubernetes#99734
• Check documentations: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/

Read the history implementation and do a summary for this feature:

1. 1.4 add security.alpha.kubernetes.io/unsafe-sysctls annotation support, move to client-go annotation_key_constants.go in 1.7 , move to pkg/api/ annotation_key_constants.go in 1.8, move to pkg/apis/core/ in 1.9-1.10.
2. 1.11 Promote sysctl annotations to fields kubernetes#63717 Promote sysctl annotations to fields. Add feature gate sysctls, meanwhile, the kubelet "experimental-allowed-unsafe-sysctls" promote to "allowed-unsafe-sysctls".
3. 1.14 Remove Sysctls feature gate from validation kubernetes#72752 Moves feature gate checking of Sysctls out of validation into strategy utility methods, and avoids dropping data on update.
4. 1.16 kubelet: add allowed sysctl to KubeletConfiguration kubernetes#72974 by @sjenning： kubelet: add allowed sysctl to KubeletConfiguration (add support in kubeadm as well)
5. 1.21 GA and lock to true: Graduate sysctls to GA  kubernetes#99158
6. 1.23 Remove the feature gate.

[arunmk]

Hi @pacoxu,

Enhancements team is currently tracking the following PR

• Graduate sysctls to GA  kubernetes#99158

With the PR merged, can we mark this enhancement complete for code freeze or do you have other PR(s) that are being worked on as part of the release?

Thanks

[ehashman]

@arunmk currently @wgahnagl is checking if we need to promote e2e tests to conformance as a result of the GA. There are no other code changes.

I'll see about the documentation changes for GA. @pacoxu do you want to take that on or should I find someone else?

[pacoxu]

@ehashman
I will update sysctls docs next week if no one is working on it.

[arunmk]

Hi @ehashman, @wgahnagl,

Could you mention if there is going to be a PR for the e2e tests? Code freeze is on 3/9 and it should make it by then. If it's not going to come in this KEP can be marked done.

Thanks!

[arunmk]

(Adding this as a note sent to all)

Hi @ehashman @wgahnagl,

A friendly reminder that Code freeze is 3 days away, March 9th EOD PST

Any enhancements that are NOT code complete by the freeze will be removed from the milestone and will require an exception to be added back.

Please also keep in mind that if this enhancement requires new docs or modification to existing docs, you'll need to follow the steps in the Open a placeholder PR doc to open a PR against k/website repo by March 16th EOD PST

Thanks!

[ehashman]

Hi @arunmk,

There is a PR for the e2es, however those aren't required to merge by code freeze, they will follow the test freeze deadline. Code changes are complete.

kubernetes/kubernetes#99734

[tengqm]

@ehashman @pacoxu Please open a placeholder PR in k/website for tracking. Thanks.

[pacoxu]

@tengqm I opened kubernetes/website#26981 for tracking.

[annajung]

Hi @ehashman, @pacoxu

Can you update the kep.yaml to reflect a status of implemented:

enhancements/keps/sig-node/34-sysctl-fields/kep.yaml

Line 19 in 29a891b

status: implementable

Once that merges, we can close out this issue.

[pacoxu]

Fine