Kubernetes practical technique: setting kernel parameters for pod

This article excerpts from kubernetes Learning notes

summary

This article is introduced as Pod Several ways to set kernel parameters .

stay securityContext It is specified in sysctls

since k8s 1.12 rise ,sysctls characteristic beta And it turns on by default , Allow users to pod Of securityContext Setting kernel parameters in , Usage examples :

apiVersion: v1
kind: Pod
metadata:
  name: sysctl-example
spec:
  securityContext:
    sysctls:
    - name: net.core.somaxconn
      value: "1024"
    - name: net.core.somaxconn
      value: "1024"
  ...

But using this method , By default, some people think it is unsafe The parameter of cannot be changed , It needs to be configured to kubelet Of --allowed-unsafe-sysctls Medium .

Use initContainers

If you want to make setting kernel parameters easier and more general , Can be in initContainer Set in , But this request is for initContainer open privileged jurisdiction . Example :

apiVersion: v1
kind: Pod
metadata:
  name: sysctl-example-init
spec:
  initContainers:
  - image: busybox
    command:
    - sh
    - -c
    - |
      sysctl -w net.core.somaxconn=65535
      sysctl -w net.ipv4.ip_local_port_range="1024 65535"
      sysctl -w net.ipv4.tcp_tw_reuse=1
      sysctl -w fs.file-max=1048576
    imagePullPolicy: Always
    name: setsysctl
    securityContext:
      privileged: true
  containers:
  ...

Use tuning CNI Unified plug-in settings sysctl

If you want for all Pod Uniformly configure some kernel parameters , have access to tuning This CNI Plug in to do :

{
  "name": "mytuning",
  "type": "tuning",
  "sysctl": {
          "net.core.somaxconn": "500",
          "net.ipv4.tcp_tw_reuse": "1"
  }
}

Reference material

• Using sysctls in a Kubernetes Cluster
• tuning The plugin documentation