From 0c7ce5a7d706613598ae3970504c4551094aee3e Mon Sep 17 00:00:00 2001 From: Seth Jennings Date: Mon, 11 Mar 2019 13:42:56 -0500 Subject: [PATCH] kubelet: add allowed sysctl to KubeletConfiguration --- .../config/testdata/conversion/controlplane/internal.yaml | 1 + .../config/testdata/conversion/controlplane/v1beta1.yaml | 1 + cmd/kubelet/app/options/options.go | 6 +----- pkg/kubelet/apis/config/fuzzer/fuzzer.go | 1 + pkg/kubelet/apis/config/helpers_test.go | 1 + pkg/kubelet/apis/config/types.go | 7 ++++++- .../apis/config/v1beta1/zz_generated.conversion.go | 2 ++ pkg/kubelet/apis/config/zz_generated.deepcopy.go | 5 +++++ staging/src/k8s.io/kubelet/config/v1beta1/types.go | 8 +++++++- .../kubelet/config/v1beta1/zz_generated.deepcopy.go | 5 +++++ 10 files changed, 30 insertions(+), 7 deletions(-) diff --git a/cmd/kubeadm/app/util/config/testdata/conversion/controlplane/internal.yaml b/cmd/kubeadm/app/util/config/testdata/conversion/controlplane/internal.yaml index 21a41762eeb..cf36ec18f02 100644 --- a/cmd/kubeadm/app/util/config/testdata/conversion/controlplane/internal.yaml +++ b/cmd/kubeadm/app/util/config/testdata/conversion/controlplane/internal.yaml @@ -71,6 +71,7 @@ ComponentConfigs: SourceVip: "" Kubelet: Address: 1.2.3.4 + AllowedUnsafeSysctls: null Authentication: Anonymous: Enabled: false diff --git a/cmd/kubeadm/app/util/config/testdata/conversion/controlplane/v1beta1.yaml b/cmd/kubeadm/app/util/config/testdata/conversion/controlplane/v1beta1.yaml index 118310a2a3b..a2d6e4dac80 100644 --- a/cmd/kubeadm/app/util/config/testdata/conversion/controlplane/v1beta1.yaml +++ b/cmd/kubeadm/app/util/config/testdata/conversion/controlplane/v1beta1.yaml @@ -166,3 +166,4 @@ staticPodPath: /etc/kubernetes/manifests streamingConnectionIdleTimeout: 4h0m0s syncFrequency: 1m0s volumeStatsAggPeriod: 1m0s +allowedUnsafeSysctls: [] diff --git a/cmd/kubelet/app/options/options.go b/cmd/kubelet/app/options/options.go index 8d61426cedf..d260d2df67f 100644 
--- a/cmd/kubelet/app/options/options.go +++ b/cmd/kubelet/app/options/options.go @@ -126,10 +126,6 @@ type KubeletFlags struct { // Its corresponding flag only gets registered in Windows builds. WindowsService bool - // EXPERIMENTAL FLAGS - // Whitelist of unsafe sysctls or sysctl patterns (ending in *). - // +optional - AllowedUnsafeSysctls []string // containerized should be set to true if kubelet is running in a container. Containerized bool // remoteRuntimeEndpoint is the endpoint of remote runtime service 
@@ -390,7 +386,6 @@ func (f *KubeletFlags) AddFlags(mainfs *pflag.FlagSet) { // EXPERIMENTAL FLAGS fs.StringVar(&f.ExperimentalMounterPath, "experimental-mounter-path", f.ExperimentalMounterPath, "[Experimental] Path of mounter binary. Leave empty to use the default mount.") - fs.StringSliceVar(&f.AllowedUnsafeSysctls, "allowed-unsafe-sysctls", f.AllowedUnsafeSysctls, "Comma-separated whitelist of unsafe sysctls or unsafe sysctl patterns (ending in *). Use these at your own risk. Sysctls feature gate is enabled by default.") fs.BoolVar(&f.ExperimentalKernelMemcgNotification, "experimental-kernel-memcg-notification", f.ExperimentalKernelMemcgNotification, "If enabled, the kubelet will integrate with the kernel memcg notification to determine if memory eviction thresholds are crossed rather than polling.") fs.StringVar(&f.RemoteRuntimeEndpoint, "container-runtime-endpoint", f.RemoteRuntimeEndpoint, "[Experimental] The endpoint of remote runtime service. Currently unix socket endpoint is supported on Linux, while npipe and tcp endpoints are supported on windows. Examples:'unix:///var/run/dockershim.sock', 'npipe:////./pipe/dockershim'") fs.StringVar(&f.RemoteImageEndpoint, "image-service-endpoint", f.RemoteImageEndpoint, "[Experimental] The endpoint of remote image service. If not specified, it will be the same with container-runtime-endpoint by default. Currently unix socket endpoint is supported on Linux, while npipe and tcp endpoints are supported on windows. Examples:'unix:///var/run/dockershim.sock', 'npipe:////./pipe/dockershim'") 
@@ -543,6 +538,7 @@ func AddKubeletConfigFlags(mainfs *pflag.FlagSet, c *kubeletconfig.KubeletConfig fs.Int32Var(&c.IPTablesDropBit, "iptables-drop-bit", c.IPTablesDropBit, "The bit of the fwmark space to mark packets for dropping. Must be within the range [0, 31].") fs.StringVar(&c.ContainerLogMaxSize, "container-log-max-size", c.ContainerLogMaxSize, " Set the maximum size (e.g. 10Mi) of container log file before it is rotated. This flag can only be used with --container-runtime=remote.") fs.Int32Var(&c.ContainerLogMaxFiles, "container-log-max-files", c.ContainerLogMaxFiles, " Set the maximum number of container log files that can be present for a container. The number must be >= 2. This flag can only be used with --container-runtime=remote.") + fs.StringSliceVar(&c.AllowedUnsafeSysctls, "allowed-unsafe-sysctls", c.AllowedUnsafeSysctls, "Comma-separated whitelist of unsafe sysctls or unsafe sysctl patterns (ending in *). Use these at your own risk.") // Flags intended for testing, not recommended used in production environments. fs.Int64Var(&c.MaxOpenFiles, "max-open-files", c.MaxOpenFiles, "Number of files that can be opened by Kubelet process.") diff --git a/pkg/kubelet/apis/config/fuzzer/fuzzer.go b/pkg/kubelet/apis/config/fuzzer/fuzzer.go index 4efd0f45afd..0384107cb3f 100644 --- a/pkg/kubelet/apis/config/fuzzer/fuzzer.go +++ b/pkg/kubelet/apis/config/fuzzer/fuzzer.go @@ -94,6 +94,7 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} { obj.ContainerLogMaxFiles = 5 obj.ContainerLogMaxSize = "10Mi" obj.ConfigMapAndSecretChangeDetectionStrategy = "Watch" + obj.AllowedUnsafeSysctls = []string{} }, } } diff --git a/pkg/kubelet/apis/config/helpers_test.go b/pkg/kubelet/apis/config/helpers_test.go index 0ba6dad1a5b..76e71c74938 100644 --- a/pkg/kubelet/apis/config/helpers_test.go +++ b/pkg/kubelet/apis/config/helpers_test.go 
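Review bot: The new `--allowed-unsafe-sysctls` registration at the end of the config-flag group takes the entries verbatim, and nothing in this patch's diffstat touches the KubeletConfiguration validation, so a malformed entry (an empty element, a `*` anywhere but at the end, or a name outside the unsafe groups the field comment lists) is rejected, if at all, only by whatever consumes the list later at kubelet start-up, which is not visible here. Because this setting widens what pods may tune in the kernel, I would add an explicit check next to the other KubeletConfiguration field checks that rejects empty entries, a `*` that is not the final character, and strings that are not plausible sysctl names, so a bad config fails at load time with a clear message instead of being silently carried. The help text should also point users at the config-file form, which this same move makes available: `"Comma-separated whitelist of unsafe sysctls or unsafe sysctl patterns (ending in *). Use these at your own risk. Also settable as allowedUnsafeSysctls in the kubelet config file."`. AddKubeletConfigFlags starts and ends outside the hunk.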
@@ -138,6 +138,7 @@ var ( // KubeletConfiguration fields that do not contain file paths. kubeletConfigurationNonPathFieldPaths = sets.NewString( "Address", + "AllowedUnsafeSysctls[*]", "Authentication.Anonymous.Enabled", "Authentication.Webhook.CacheTTL.Duration", "Authentication.Webhook.Enabled", diff --git a/pkg/kubelet/apis/config/types.go b/pkg/kubelet/apis/config/types.go index cfbf6e67bfa..e7d12ec3069 100644 --- a/pkg/kubelet/apis/config/types.go +++ b/pkg/kubelet/apis/config/types.go @@ -17,7 +17,7 @@ limitations under the License. package config import ( - "k8s.io/api/core/v1" + v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) @@ -288,6 +288,11 @@ type KubeletConfiguration struct { ContainerLogMaxFiles int32 // ConfigMapAndSecretChangeDetectionStrategy is a mode in which config map and secret managers are running. ConfigMapAndSecretChangeDetectionStrategy ResourceChangeDetectionStrategy + // A comma separated whitelist of unsafe sysctls or sysctl patterns (ending in *). + // Unsafe sysctl groups are kernel.shm*, kernel.msg*, kernel.sem, fs.mqueue.*, and net.*. + // These sysctls are namespaced but not allowed by default. For example: "kernel.msg*,net.ipv4.route.min_pmtu" + // +optional + AllowedUnsafeSysctls []string /* the following fields are meant for Node Allocatable */ diff --git a/pkg/kubelet/apis/config/v1beta1/zz_generated.conversion.go b/pkg/kubelet/apis/config/v1beta1/zz_generated.conversion.go index b264f2423b2..b2bbe42b3c2 100644 --- a/pkg/kubelet/apis/config/v1beta1/zz_generated.conversion.go +++ b/pkg/kubelet/apis/config/v1beta1/zz_generated.conversion.go 
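Review bot: The doc comment on the new `AllowedUnsafeSysctls` field of the internal `KubeletConfiguration` describes the flag syntax, not the field: a `[]string` has no comma separation, and the example `"kernel.msg*,net.ipv4.route.min_pmtu"` reads as one string rather than two elements. More importantly for a security knob, this struct is populated not only from the flag but from the kubelet config file (and, where dynamic kubelet configuration is in use, from a ConfigMap; neither path is visible in this patch), so whoever can change that configuration can widen the set of unsafe sysctls pods on the node may set, and the comment should say so. I would rewrite it as `// AllowedUnsafeSysctls is a whitelist of unsafe sysctls or sysctl prefixes (ending in *) that pods on this node may set.`, `// Unsafe sysctl groups are kernel.shm*, kernel.msg*, kernel.sem, fs.mqueue.*, and net.*; they are namespaced but not allowed by default.`, `// Anyone able to change this node's kubelet configuration can widen this list, so treat it as part of the node's security boundary.` The KubeletConfiguration struct starts and ends outside the hunk.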
@@ -328,6 +328,7 @@ func autoConvert_v1beta1_KubeletConfiguration_To_config_KubeletConfiguration(in out.SystemReservedCgroup = in.SystemReservedCgroup out.KubeReservedCgroup = in.KubeReservedCgroup out.EnforceNodeAllocatable = *(*[]string)(unsafe.Pointer(&in.EnforceNodeAllocatable)) + out.AllowedUnsafeSysctls = *(*[]string)(unsafe.Pointer(&in.AllowedUnsafeSysctls)) return nil } @@ -453,6 +454,7 @@ func autoConvert_config_KubeletConfiguration_To_v1beta1_KubeletConfiguration(in return err } out.ConfigMapAndSecretChangeDetectionStrategy = v1beta1.ResourceChangeDetectionStrategy(in.ConfigMapAndSecretChangeDetectionStrategy) + out.AllowedUnsafeSysctls = *(*[]string)(unsafe.Pointer(&in.AllowedUnsafeSysctls)) out.SystemReserved = *(*map[string]string)(unsafe.Pointer(&in.SystemReserved)) out.KubeReserved = *(*map[string]string)(unsafe.Pointer(&in.KubeReserved)) out.SystemReservedCgroup = in.SystemReservedCgroup diff --git a/pkg/kubelet/apis/config/zz_generated.deepcopy.go b/pkg/kubelet/apis/config/zz_generated.deepcopy.go index 1644f968c56..35acde4a0d6 100644 --- a/pkg/kubelet/apis/config/zz_generated.deepcopy.go +++ b/pkg/kubelet/apis/config/zz_generated.deepcopy.go @@ -161,6 +161,11 @@ func (in *KubeletConfiguration) DeepCopyInto(out *KubeletConfiguration) { (*out)[key] = val } } + if in.AllowedUnsafeSysctls != nil { + in, out := &in.AllowedUnsafeSysctls, &out.AllowedUnsafeSysctls + *out = make([]string, len(*in)) + copy(*out, *in) + } if in.SystemReserved != nil { in, out := &in.SystemReserved, &out.SystemReserved *out = make(map[string]string, len(*in)) diff --git a/staging/src/k8s.io/kubelet/config/v1beta1/types.go b/staging/src/k8s.io/kubelet/config/v1beta1/types.go index d32640939bf..54e166f7685 100644 --- a/staging/src/k8s.io/kubelet/config/v1beta1/types.go +++ b/staging/src/k8s.io/kubelet/config/v1beta1/types.go 
@@ -17,7 +17,7 @@ limitations under the License. package v1beta1 import ( - "k8s.io/api/core/v1" + v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) @@ -718,6 +718,12 @@ type KubeletConfiguration struct { // Default: ["pods"] // +optional EnforceNodeAllocatable []string `json:"enforceNodeAllocatable,omitempty"` + // A comma separated whitelist of unsafe sysctls or sysctl patterns (ending in *). + // Unsafe sysctl groups are kernel.shm*, kernel.msg*, kernel.sem, fs.mqueue.*, and net.*. + // These sysctls are namespaced but not allowed by default. For example: "kernel.msg*,net.ipv4.route.min_pmtu" + // Default: [] + // +optional + AllowedUnsafeSysctls []string `json:"allowedUnsafeSysctls,omitempty"` } type KubeletAuthorizationMode string diff --git a/staging/src/k8s.io/kubelet/config/v1beta1/zz_generated.deepcopy.go b/staging/src/k8s.io/kubelet/config/v1beta1/zz_generated.deepcopy.go index a924fac2ec3..c1dc1d5f56f 100644 --- a/staging/src/k8s.io/kubelet/config/v1beta1/zz_generated.deepcopy.go +++ b/staging/src/k8s.io/kubelet/config/v1beta1/zz_generated.deepcopy.go @@ -280,6 +280,11 @@ func (in *KubeletConfiguration) DeepCopyInto(out *KubeletConfiguration) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.AllowedUnsafeSysctls != nil { + in, out := &in.AllowedUnsafeSysctls, &out.AllowedUnsafeSysctls + *out = make([]string, len(*in)) + copy(*out, *in) + } return }
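Review bot: The `// Default: []` line on the new `allowedUnsafeSysctls` field of the v1beta1 `KubeletConfiguration` is not backed by anything else in the patch: the field carries `omitempty`, the generated conversion copies the slice through `unsafe.Pointer` so nil stays nil, and no defaulting code appears in the diffstat, so an unset field stays nil rather than becoming an empty list; the same tension shows in the kubeadm fixtures, where the internal form says `null` and the v1beta1 form says `[]`. Either change the line to `// Default: nil` (matching the other optional slices in this type, if that is their convention, which is worth checking) or add the defaulting the comment promises, and align the two fixtures with whichever is chosen. Since this is the public API documentation, I would also carry the security caveat here rather than only in the flag help: `// Allowing any of these widens what pods on the node may change in the kernel; treat this list as a node security setting.` The struct starts and ends outside the hunk.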