
Update 3.3.1 relnotes for schedulejobs/sysctls #3144

Merged (1 commit, Nov 2, 2016)

Conversation

@adellape adellape added this to the Next Release milestone Nov 1, 2016

ncdc commented Nov 1, 2016

We need to add a note that net.ipv4.tcp_syncookies is not namespaced in the RHEL kernel yet. See https://bugzilla.redhat.com/show_bug.cgi?id=1373119#c9 for more details.

security.alpha.kubernetes.io/sysctls: kernel.shm_rmid_forced=1
----

Sysctls that are namespaced are considered _safe_ and supported. Sysctls that

"Sysctls that are namespaced are considered safe and supported." is wrong. Only a small subset of namespaced sysctls are safe to be used in a container environment, namely those which cannot be misused to influence other containers, e.g. by blocking resources like memory outside of the pods' defined memory limits. A rule of thumb: if an exposed sysctl is a security threat in a multi-tenant environment, it is not considered safe.


For reference, the kube 1.4.0 release note line:

Pods now have alpha support for setting whitelisted, safe sysctls. Unsafe sysctls can be whitelisted on the kubelet.
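The policy the comments above describe (a fixed safe whitelist, everything else only via an explicit kubelet whitelist), as an added admission-style check in Python; this is not code from the repository or from Kubernetes. The annotation and flag names are those of Kubernetes 1.4's alpha sysctl support, and the three-entry safe list is assumed to be the 1.4 default.

```python
"""Constructed check of how Kubernetes 1.4 alpha sysctl annotations are gated.

Assumed model (not Kubernetes code): sysctls named in the "safe" annotation must
be on a fixed whitelist; anything else goes in the "unsafe" annotation and is
only admitted if the node's kubelet was started with
--experimental-allowed-unsafe-sysctls, whose entries may end in a '*' wildcard.
"""
import fnmatch

SAFE_ANNOTATION = "security.alpha.kubernetes.io/sysctls"
UNSAFE_ANNOTATION = "security.alpha.kubernetes.io/unsafe-sysctls"

# Assumed 1.4 safe list. Being namespaced is necessary but not sufficient;
# these are the namespaced sysctls judged not to let one pod affect another.
# Note the thread's caveat: net.ipv4.tcp_syncookies is not yet namespaced on
# the RHEL kernel, so "safe" here still depends on the host kernel.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
}


def parse_sysctls(value):
    """Parse 'name=value,name=value' into a dict; reject malformed entries."""
    result = {}
    for item in filter(None, (part.strip() for part in value.split(","))):
        name, sep, val = item.partition("=")
        if not sep or not name or not val:
            raise ValueError("malformed sysctl entry: %r" % item)
        result[name] = val
    return result


def check_pod_sysctls(annotations, kubelet_allowed_unsafe=()):
    """Return rejection reasons for a pod's annotations (empty list = admitted)."""
    safe = parse_sysctls(annotations.get(SAFE_ANNOTATION, ""))
    unsafe = parse_sysctls(annotations.get(UNSAFE_ANNOTATION, ""))
    errors = []
    for name in safe:
        if name not in SAFE_SYSCTLS:
            errors.append("%s is not a safe sysctl; request it via %s" % (name, UNSAFE_ANNOTATION))
    for name in unsafe:
        if name in safe:
            errors.append("%s listed in both annotations" % name)
        elif not any(fnmatch.fnmatch(name, pat) for pat in kubelet_allowed_unsafe):
            errors.append("%s not whitelisted by kubelet --experimental-allowed-unsafe-sysctls" % name)
    return errors
```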


adellape commented Nov 2, 2016

@ncdc @sttts Updated per comments.
