From 9a34eeed0f898ac883c272e42436007aa5cd2371 Mon Sep 17 00:00:00 2001 From: "Dr. Stefan Schimanski" Date: Mon, 5 Sep 2016 13:04:16 +0200 Subject: [PATCH] Remove net.ipv4.tcp_max_syn_backlog from sysctl whitelist This is not namespaced in today's kernels. --- CHANGELOG.md | 2 +- pkg/kubelet/sysctl/whitelist.go | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4fbec987bd..cae783b636 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -199,7 +199,7 @@ binary | sha256 hash ### Other notable changes * rkt: Improve support for privileged pod (pod whose all containers are privileged) ([#31286](https://github.com/kubernetes/kubernetes/pull/31286), [@yifan-gu](https://github.com/yifan-gu)) -* The pod annotation `security.alpha.kubernetes.io/sysctls` now allows customization of namespaced and well isolated kernel parameters (sysctls), starting with `kernel.shm_rmid_forced`, `net.ipv4.ip_local_port_range`, `net.ipv4.tcp_max_syn_backlog` and `net.ipv4.tcp_syncookies` for Kubernetes 1.4. ([#27180](https://github.com/kubernetes/kubernetes/pull/27180), [@sttts](https://github.com/sttts)) +* The pod annotation `security.alpha.kubernetes.io/sysctls` now allows customization of namespaced and well isolated kernel parameters (sysctls), starting with `kernel.shm_rmid_forced`, `net.ipv4.ip_local_port_range` and `net.ipv4.tcp_syncookies` for Kubernetes 1.4. ([#27180](https://github.com/kubernetes/kubernetes/pull/27180), [@sttts](https://github.com/sttts)) * The pod annotation `security.alpha.kubernetes.io/unsafe-sysctls` allows customization of namespaced sysctls where isolation is unclear. Unsafe sysctls must be enabled at-your-own-risk on the kubelet with the `--experimental-allowed-unsafe-sysctls` flag. Future versions will improve on resource isolation and more sysctls will be considered safe. * Increase request timeout based on termination grace period ([#31275](https://github.com/kubernetes/kubernetes/pull/31275), [@dims](https://github.com/dims)) * Fixed two issues of kubectl bash completion. ([#31135](https://github.com/kubernetes/kubernetes/pull/31135), [@xingzhou](https://github.com/xingzhou)) diff --git a/pkg/kubelet/sysctl/whitelist.go b/pkg/kubelet/sysctl/whitelist.go index 5b123312e3..5a5b608d91 100644 --- a/pkg/kubelet/sysctl/whitelist.go +++ b/pkg/kubelet/sysctl/whitelist.go 
@@ -40,7 +40,6 @@ func SafeSysctlWhitelist() []string { return []string{ "kernel.shm_rmid_forced", "net.ipv4.ip_local_port_range", - "net.ipv4.tcp_max_syn_backlog", "net.ipv4.tcp_syncookies", } }
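Review bot: In the CHANGELOG.md hunk (@@ -199,7 +199,7 @@), the rewritten bullet still cites only #27180, so the changelog gives no trace that `net.ipv4.tcp_max_syn_backlog` was on the safe list and then withdrawn, or why. Consider adding a short clause or a separate bullet saying it was removed because it is not namespaced, so anyone who already set it through `security.alpha.kubernetes.io/sysctls` can see why it is no longer listed as safe.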
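Review bot: In the whitelist.go hunk (@@ -40,7 +40,6 @@), the reason for dropping `"net.ipv4.tcp_max_syn_backlog"` exists only in the commit message; nothing in the visible lines of `SafeSysctlWhitelist()` states that every entry must be namespaced, and the two remaining `net.ipv4.*` entries look just like the removed one. A one-line comment above the returned slice stating that requirement, and naming this sysctl as a known non-namespaced case, would guard against it being re-added, since a non-namespaced sysctl written on behalf of a pod changes the value for the whole node. The diffstat also lists only CHANGELOG.md and whitelist.go, so no test changes with this; a test asserting that this name is absent from the returned list would pin the behaviour.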