
Mark net.ipv4.tcp_keepalive_time as a safe sysctl #118846

Merged (2 commits) Oct 13, 2023

Conversation

@cyclinder (Contributor) commented Jun 24, 2023

What type of PR is this?

/kind feature

What this PR does / why we need it:

Mark net.ipv4.tcp_keepalive_time as a safe sysctl.

Which issue(s) this PR fixes:

Fixes #117873

Special notes for your reviewer:

    securityContext:
      sysctls:
      # sysctl values are strings in the Pod API, so the number must be quoted
      - name: net.ipv4.tcp_keepalive_time
        value: "7200"

Does this PR introduce a user-facing change?

kubelet allows pods to use the `net.ipv4.tcp_keepalive_time` sysctl by default and the minimal kernel version is 4.5; Pod Security admission allows this sysctl in v1.29+ versions of the baseline and restricted policies.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


k8s-ci-robot added labels release-note, size/XXL, kind/feature, cncf-cla: yes, do-not-merge/needs-sig, needs-triage, needs-priority on Jun 24, 2023

@cyclinder (Contributor, Author):

/sig network node

k8s-ci-robot added labels sig/network, sig/node, area/kubelet, sig/auth and removed do-not-merge/needs-sig on Jun 24, 2023
@cyclinder force-pushed the net.ipv4.tcp_keepalive_time branch from 425a9ab to 8d28994 on June 24, 2023 10:29

@cyclinder (Contributor, Author):

/cc @pacoxu @bobbypage

@pacoxu (Member) commented Jun 24, 2023

/priority important-soon
/triage accepted

k8s-ci-robot added labels priority/important-soon, triage/accepted and removed needs-priority, needs-triage on Jun 24, 2023

@pacoxu (Member) commented Jun 25, 2023

The sysctl-allow change in kubelet
/lgtm

A website update is needed for v1.28 at https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline.

k8s-ci-robot added the lgtm label on Jun 25, 2023

@k8s-ci-robot (Contributor):

LGTM label has been added.

Git tree hash: d008686f961ebf04314b3fdd7cc874ef77ec7324

@danwinship (Contributor) left a comment:

maybe the generated stuff should be a separate commit?

pkg/kubelet/sysctl/safe_sysctls.go: 3 review threads (outdated, resolved)
k8s-ci-robot removed the lgtm label on Jun 28, 2023

@k8s-ci-robot (Contributor):

LGTM label has been added.

Git tree hash: dccd696ac98b41bfc2fda327cb79135b87be9fb6

@cyclinder (Contributor, Author):

/cc @danwinship

    if kernelVersion != nil && kernelVersion.AtLeast(version.MustParseGeneric(sc.kernel)) {
        safeSysctlAllowlist = append(safeSysctlAllowlist, sc.name)
    } else {
        klog.ErrorS(nil, "drop the sysctl from safe sysctl list", "sysctl", sc.name, "kernelVersion", kernelVersion)
    }

Contributor (review comment):

Hm, I like the old error message better. Let's merge them together:

    klog.ErrorS(nil, "Kernel version is too old, dropping sysctl from safe sysctl list", "kernelVersion", kernelVersion, "sysctl", sc.name)

@cyclinder (Contributor, Author) Oct 11, 2023:

Actually, this is not necessarily because the kernel version is too old; it may also be because the kernel version cannot be obtained...

@danwinship (Contributor):

I'll re-lgtm and assign to Tim after you update the error message

k8s-ci-robot removed the lgtm label on Oct 11, 2023

@danwinship (Contributor):

/lgtm
/assign @thockin

k8s-ci-robot added the lgtm label on Oct 11, 2023

@k8s-ci-robot (Contributor):

LGTM label has been added.

Git tree hash: 86e2df8f6849fffabc4b5161fbe7ae1ee20d9a3a

pkg/kubelet/sysctl/safe_sysctls.go: 3 more review threads (2 outdated, all resolved)

    if kernelVersion != nil && kernelVersion.AtLeast(version.MustParseGeneric(sc.kernel)) {
        safeSysctlAllowlist = append(safeSysctlAllowlist, sc.name)
    } else {
        klog.ErrorS(nil, "kernel version is too small, dropping the sysctl from safe sysctl list", "kernelVersion", kernelVersion, "sysctl", sc.name)
    }

Member (review comment):

super-nit - I would make this Info, not error :)

@thockin (Member) commented Oct 12, 2023

Whoah, old comments I never sent and could not see! Thanks GitHub, I appreciate that.

/lgtm
/lapprove

log nit can be a followup

@SergeyKanzhelev (Member):

/lapprove

@thockin I think you meant approve

@dims (Member) commented Oct 13, 2023

/approve

as @thockin clearly meant it :)

@k8s-ci-robot (Contributor):

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cyclinder, danwinship, dims, pacoxu


k8s-ci-robot added the approved label on Oct 13, 2023
k8s-ci-robot merged commit a7f8c2f into kubernetes:master on Oct 13, 2023
13 of 14 checks passed
SIG Node PR Triage automation moved this from Needs Reviewer to Done on Oct 13, 2023
k8s-ci-robot added this to the v1.29 milestone on Oct 13, 2023
Linked issue (closed by this PR): Make net.ipv4.tcp_keepalive_time a safe sysctl (#117873)