1

We need to enable some sysctl parameters in Kubernetes. This should be achievable with the below annotation in the Deployment.

annotations:
  security.alpha.kubernetes.io/unsafe-sysctls: net.ipv4.ip_local_port_range="10240 65535"

When doing so the container fails to start with the error:

Warning  FailedCreatePodSandBox  8s (x12 over 19s)  kubelet, <node>  Failed create pod sandbox.

The solution looks to be to add this flag to the kubelet:

--experimental-allowed-unsafe-sysctls

Which for other flags can be done under kubelet in

kops edit cluster

Does anyone know the correct way to do this, as it refuses to pick up the setting when entering the flag there?

Thanks, Alex

the_frank

2 Answers

2

A fix for this was merged back in May, you can see the PR here: https://github.com/kubernetes/kops/pull/5104/files

You'd enable it with:

spec:
  kubelet:
    ExperimentalAllowedUnsafeSysctls:
      - 'net.ipv4.ip_local_port_range="10240 65535"'

It seems the flag takes a stringSlice, so you'd need to pass an array.

If that doesn't work, ensure you're using the right version of kops.

jaxxstorm
  • Kops responds with *Found fields that are not recognized* for ExperimentalAllowedUnsafeSysctls. I have tried with kops versions 1.9.2 and 1.10. Running kubernetes 1.9.6. – the_frank Jul 25 '18 at 11:12
0

As of 2020-05-18, the proper config is, for example:

  kubelet:
    allowedUnsafeSysctls:
    - net.ipv4.ip_local_port_range="10240 65535"

In general, all KOPS config must be camelCased.

From here, KOPS 1.16.2+

hariK
pbar
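A small lint for the entries placed under `allowedUnsafeSysctls`, added here as an example; it is not code from the answers above or from kops. It assumes the kubelet's documented behaviour (the allowlist holds sysctl names or prefix patterns ending in `*`, while the value is set in the pod spec) and that the three names in `SAFE_SYSCTLS` were the safe set when this thread was written; `lint_allowlist` and the sample entries are constructed.

```python
import re

# Assumption: the three sysctls Kubernetes documented as "safe" around the time
# of this thread; pods can set these without any kubelet allowlist entry.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
}
# Only namespaced sysctls (under these prefixes) can be set per pod at all.
NAMESPACED_PREFIXES = ("kernel.shm", "kernel.msg", "kernel.sem", "fs.mqueue.", "net.")
# A dotted sysctl name, optionally ending in "*" to form a prefix pattern.
_SEG = r"[a-z0-9](?:[-_a-z0-9]*[a-z0-9])?"
NAME_RE = re.compile(rf"^{_SEG}(?:\.{_SEG})*(?:\.?\*)?$")


def lint_allowlist(entries):
    """Return {entry: finding} for entries that are invalid, too broad or redundant."""
    findings = {}
    for entry in entries:
        is_pattern = entry.endswith("*")
        stem = entry.rstrip("*")
        if not NAME_RE.match(entry):
            findings[entry] = "invalid: expected a sysctl name or pattern; the value goes in the pod spec"
        elif not any(stem.startswith(p) or (is_pattern and p.startswith(stem))
                     for p in NAMESPACED_PREFIXES):
            findings[entry] = "not namespaced: cannot be set per pod"
        elif is_pattern and "." not in stem.rstrip("."):
            findings[entry] = "wildcard too broad: allows a whole sysctl tree"
        elif entry in SAFE_SYSCTLS:
            findings[entry] = "redundant: already in the safe set"
    return findings


if __name__ == "__main__":
    # Constructed sample: the first entry is the form used on this page,
    # the rest are made up to exercise each rule.
    sample = [
        'net.ipv4.ip_local_port_range="10240 65535"',
        "net.ipv4.ip_local_port_range",
        "net.core.somaxconn",
        "net.*",
        "vm.swappiness",
    ]
    for entry, finding in lint_allowlist(sample).items():
        print(f"{entry!r}: {finding}")
```

Entries that come back with no finding are narrow, namespaced names, which keeps the node's allowlist limited to what the workload needs.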