safe-sysctl: skip checking for windows #116792

Merged
merged 1 commit into from Mar 22, 2023
49 changes: 32 additions & 17 deletions pkg/kubelet/sysctl/safe_sysctls.go
Expand Up @@ -17,11 +17,15 @@ limitations under the License.
package sysctl

import (
"fmt"
goruntime "runtime"

"k8s.io/apimachinery/pkg/util/version"
"k8s.io/klog/v2"
"k8s.io/kubernetes/pkg/proxy/ipvs"
)

// refer to https://github.com/torvalds/linux/commit/122ff243f5f104194750ecbc76d5946dd1eec934.
const ipLocalReservedPortsMinNamespacedKernelVersion = "3.16"

var safeSysctls = []string{
Expand All @@ -32,33 +36,44 @@ var safeSysctls = []string{
"net.ipv4.ip_unprivileged_port_start",
}

var safeSysctlsIncludeReservedPorts = []string{
"kernel.shm_rmid_forced",
"net.ipv4.ip_local_port_range",
"net.ipv4.tcp_syncookies",
"net.ipv4.ping_group_range",
"net.ipv4.ip_unprivileged_port_start",
"net.ipv4.ip_local_reserved_ports",
}

// SafeSysctlAllowlist returns the allowlist of safe sysctls and safe sysctl patterns (ending in *).
//
// A sysctl is called safe iff
// - it is namespaced in the container or the pod
// - it is isolated, i.e. has no influence on any other pod on the same node.
func SafeSysctlAllowlist() []string {
if goruntime.GOOS == "linux" {
// make sure we're on a new enough kernel that the ip_local_reserved_ports sysctl is namespaced
kernelVersion, err := getKernelVersion()
if err != nil {
klog.ErrorS(err, "Failed to get kernel version, dropping net.ipv4.ip_local_reserved_ports from safe sysctl list")
return safeSysctls
}
if kernelVersion.LessThan(version.MustParseGeneric(ipLocalReservedPortsMinNamespacedKernelVersion)) {
klog.ErrorS(nil, "Kernel version is too old, dropping net.ipv4.ip_local_reserved_ports from safe sysctl list", "kernelVersion", kernelVersion)
return safeSysctls
}
}
return safeSysctlsIncludeReservedPorts
}

func getKernelVersion() (*version.Version, error) {
kernelVersionStr, err := ipvs.NewLinuxKernelHandler().GetKernelVersion()
if err != nil {
klog.ErrorS(err, "Failed to get kernel version.")
return safeSysctls
return nil, fmt.Errorf("failed to get kernel version: %w", err)
}
kernelVersion, err := version.ParseGeneric(kernelVersionStr)
if err != nil {
klog.ErrorS(err, "Failed to parse kernel version.")
return safeSysctls
}
// ip_local_reserved_ports has been changed to namesapced since kernel v3.16.
// refer to https://github.com/torvalds/linux/commit/122ff243f5f104194750ecbc76d5946dd1eec934.
if kernelVersion.LessThan(version.MustParseGeneric(ipLocalReservedPortsMinNamespacedKernelVersion)) {
return safeSysctls
}
return []string{
"kernel.shm_rmid_forced",
"net.ipv4.ip_local_port_range",
"net.ipv4.tcp_syncookies",
"net.ipv4.ping_group_range",
"net.ipv4.ip_unprivileged_port_start",
"net.ipv4.ip_local_reserved_ports",
return nil, fmt.Errorf("failed to parse kernel version: %w", err)
}
return kernelVersion, nil
}
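Review bot: The non-Linux path of SafeSysctlAllowlist falls through to `return safeSysctlsIncludeReservedPorts`, so the platforms where the kernel-namespacing check cannot run at all receive the larger allowlist, while the two failure paths inside the `goruntime.GOOS == "linux"` branch (lookup error, kernel too old) conservatively return `safeSysctls`. For an allowlist that decides which sysctls a pod may set without being treated as unsafe, the fail-closed shape would be a guard clause, `if goruntime.GOOS != "linux" { return safeSysctls }`, with the kernel check following it. If returning the inclusive list is deliberate because Linux sysctls are inert on Windows, a comment stating that, such as `// Non-Linux hosts never apply these sysctls, so the kernel-version gate is skipped there.`, would keep the next reader from reading it as an oversight. Separately, `version.MustParseGeneric(ipLocalReservedPortsMinNamespacedKernelVersion)` is re-parsed on every call; hoisting it to a package-level `var` next to the constant would make the panic-on-bad-constant happen at init rather than at first use.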