k3s/test
Kubernetes Submit Queue 4ddfc4849a Merge pull request #27180 from sttts/sysctl-implementation
Automatic merge from submit-queue

Add sysctl support

Implementation of proposal https://github.com/kubernetes/kubernetes/pull/26057, feature https://github.com/kubernetes/features/issues/34

TODO:
- [x] change types.go
- [x] implement docker and rkt support
- [x] add e2e tests
- [x] decide whether we want apiserver validation
- ~~[ ] add documentation~~: api docs exist. Existing PodSecurityContext docs are very light and link back to the api docs anyway: 6684555ed9/docs/user-guide/security-context.md
- [x] change PodSecurityPolicy in types.go
- [x] write admission controller support for PodSecurityPolicy
- [x] write e2e test for PodSecurityPolicy
- [x] make sure we are compatible in the sense of https://github.com/kubernetes/kubernetes/blob/master/docs/devel/api_changes.md
- [x] test e2e with rkt: it only works with kubenet, not with no-op network plugin. The latter has no sysctl support.
- ~~[ ] add RunC implementation~~ (~~if that is already in kube,~~ it isn't)
- [x] update whitelist
- [x] switch PSC fields to annotations
- [x] switch PSP fields to annotations
- [x] decide about `--experimental-whitelist-sysctl` flag to be additive or absolute
- [x] decide whether to add a sysctl node whitelist annotation

### Release notes:

```release-note
The pod annotation `security.alpha.kubernetes.io/sysctls` now allows customization of namespaced and well isolated kernel parameters (sysctls), starting with `kernel.shm_rmid_forced`, `net.ipv4.ip_local_port_range`, `net.ipv4.tcp_max_syn_backlog` and `net.ipv4.tcp_syncookies` for Kubernetes 1.4.

The pod annotation `security.alpha.kubernetes.io/unsafeSysctls` allows customization of namespaced sysctls where isolation is unclear. Unsafe sysctls must be enabled at-your-own-risk on the kubelet with the `--experimental-allowed-unsafe-sysctls` flag. Future versions will improve on resource isolation and more sysctls will be considered safe.
```
2016-08-25 06:21:24 -07:00
component/scheduler/perf Fix broken warning image link in docs 2016-07-15 10:44:58 +01:00
e2e Merge pull request #27180 from sttts/sysctl-implementation 2016-08-25 06:21:24 -07:00
e2e_node Merge pull request #31185 from coufon/log_throughput_benchmark 2016-08-25 04:05:20 -07:00
fixtures/pkg/kubectl/cmd add subjectaccessreviews resource 2016-08-05 11:20:56 -04:00
images GCE Cloud provider changes for ESIPP 2016-08-23 16:16:39 -07:00
integration Allow per-resource default garbage collection behavior 2016-08-22 11:37:04 -07:00
kubemark Fix heapster in kubemark 2016-08-22 15:38:02 +02:00
soak Remove "All rights reserved" from all the headers. 2016-06-29 17:47:36 -07:00
utils Remove "All rights reserved" from all the headers. 2016-06-29 17:47:36 -07:00
.gitattributes Add test/test_owners.csv, for automatic assignment of test failures. 2016-07-01 17:39:14 -07:00
OWNERS
test_owners.csv Update test assignments 2016-08-19 18:43:40 -07:00