Promote sysctls to Beta

kubernetes · May 29, 2018 · 025c86b · 025c86b
1 parent 83d9cef
commit 025c86b
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 15 deletions.
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -86,6 +86,7 @@ different Kubernetes components.
 | `SupportIPVSProxyMode` | `false` | Beta | 1.9 | 1.9 |
 | `SupportIPVSProxyMode` | `true` | Beta | 1.10 | |
 | `SupportPodPidsLimit` | `false` | Alpha | 1.10 | |
+| `Sysctls` | `true` | `Beta` | 1.11 | |
 | `TaintBasedEvictions` | `false` | Alpha | 1.6 | |
 | `TaintNodesByCondition` | `false` | Alpha | 1.8 | |
 | `TokenRequest` | `false` | Alpha | 1.10 | |
@@ -211,6 +212,7 @@ Each feature gate is designed for enabling/disabling a specific feature:
 - `SupportIPVSProxyMode`: Enable providing in-cluster service load balancing using IPVS.
   See [service proxies](/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies) for more details.
 - `SupportPodPidsLimit`: Enable the support to limiting PIDs in Pods.
+- `Sysctls`: Comma-separated whitelist of unsafe sysctls or unsafe sysctl patterns (ending in `*`)
 - `TaintBasedEvictions`: Enable evicting pods from nodes based on taints on nodes and tolerations on Pods.
   See [taints and tolerations](/docs/concepts/configuration/taint-and-toleration/) for more details.
 - `TaintNodesByCondition`: Enable automatic tainting nodes based on [node conditions](/docs/concepts/architecture/nodes/#condition).

diff --git a/content/en/docs/tasks/administer-cluster/sysctl-cluster.md b/content/en/docs/tasks/administer-cluster/sysctl-cluster.md
@@ -74,7 +74,7 @@ application tuning. _Unsafe_ sysctls are enabled on a node-by-node basis with a
 flag of the kubelet, e.g.:
 
 ```shell
-$ kubelet --experimental-allowed-unsafe-sysctls \
+$ kubelet --allowed-unsafe-sysctls \
   'kernel.msg*,net.ipv4.route.min_pmtu' ...
 ```
 
@@ -105,20 +105,25 @@ manually by the cluster admin, either by means of the underlying Linux
 distribution of the nodes (e.g. via `/etc/sysctls.conf`) or using a DaemonSet
 with privileged containers.
 
-The sysctl feature is an alpha API. Therefore, sysctls are set using annotations
+The sysctl feature is a beta API. The sysctls are set through pod security context
 on pods. They apply to all containers in the same pod.
 
-Here is an example, with different annotations for _safe_ and _unsafe_ sysctls:
+Here is an example, (notice there is no distinction between _safe_ and _unsafe_ sysctls in the spec):
 
 ```yaml
 apiVersion: v1
 kind: Pod
 metadata:
   name: sysctl-example
-  annotations:
-    security.alpha.kubernetes.io/sysctls: kernel.shm_rmid_forced=1
-    security.alpha.kubernetes.io/unsafe-sysctls: net.ipv4.route.min_pmtu=1000,kernel.msgmax=1 2 3
 spec:
+  securityContext:
+    sysctls:
+    - name: kernel.shm_rmid_forced
+      value: 1
+    - name: net.ipv4.route.min_pmtu
+      value: 1000,
+    - name: kernel.msgmax
+      value: 1 2 3
   ...
 ```
 {{% /capture %}}
@@ -143,13 +148,22 @@ is recommended to use
 [taints on nodes](/docs/concepts/configuration/taint-and-toleration/)
 to schedule those pods onto the right nodes.
 
-## PodSecurityPolicy Annotations
+## PodSecurityPolicy
 
-The use of sysctl in pods can be controlled via annotation on the PodSecurityPolicy.
+The use of sysctl in pods can be controlled through `allowedUnsafeSysctls` and
+`forbiddenSysctls` fields on the PodSecurityPolicy.
 
-Sysctl annotation represents a whitelist of allowed safe and unsafe sysctls
-in a pod spec. It's a comma-separated list of plain sysctl names or sysctl patterns
-(which end in `*`). The string `*` matches all sysctls.
+By default, all safe sysctls are allowed. Currently, the whitelist of safe sysctls corresponds to:
+
+* `kernel.shm_rmid_forced`
+* `net.ipv4.ip_local_port_range`
+* `net.ipv4.tcp_syncookies`
+
+Both `allowedUnsafeSysctls` and `forbiddenSysctls` are lists of plain sysctl names
+or sysctl patterns (which end in `*`). The string `*` matches all sysctls.
+
+The `allowedUnsafeSysctls` field excludes sysctls from the whitelist (`*` means no safe sysctls allowed).
+Any sysctl specified by the `forbiddenSysctls` is on the other hand allowed (`*` means all unsafe sysctls allowed).
 
 Here is an example, it authorizes binding user creating pod with corresponding sysctls.
 
@@ -158,12 +172,12 @@ apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: sysctl-psp
-  annotations:
-    security.alpha.kubernetes.io/sysctls: 'net.ipv4.route.*,kernel.msg*'
 spec:
+  allowedUnsafeSysctls:
+  - kernel.msg*
+  forbiddenSysctls:
+  - kernel.shm_rmid_forced
  ...
 ```
 
 {{% /capture %}}
-
-