diff --git a/pkg/kubelet/sysctl/safe_sysctls.go b/pkg/kubelet/sysctl/safe_sysctls.go
index 615d1176883..bc7f451fa1a 100644
--- a/pkg/kubelet/sysctl/safe_sysctls.go
+++ b/pkg/kubelet/sysctl/safe_sysctls.go
@@ -51,6 +51,20 @@ var safeSysctls = []sysctl{
 name: "net.ipv4.tcp_keepalive_time",
 // refer to https://github.com/torvalds/linux/commit/13b287e8d1cad951634389f85b8c9b816bd3bb1e.
 kernel: "4.5",
+ }, {
+ // refer to https://github.com/torvalds/linux/commit/1e579caa18b96f9eb18f4f5416658cd15f37c062.
+ name: "net.ipv4.tcp_fin_timeout",
+ kernel: "4.6",
+ },
+ {
+ // refer to https://github.com/torvalds/linux/commit/b840d15d39128d08ed4486085e5507d2617b9ae1.
+ name: "net.ipv4.tcp_keepalive_intvl",
+ kernel: "4.5",
+ },
+ {
+ // refer to https://github.com/torvalds/linux/commit/9bd6861bd4326e3afd3f14a9ec8a723771fb20bb.
+ name: "net.ipv4.tcp_keepalive_probes",
+ kernel: "4.5",
 },
 }
diff --git a/pkg/kubelet/sysctl/safe_sysctls_test.go b/pkg/kubelet/sysctl/safe_sysctls_test.go
index 77ab07a70eb..2fef48157d7 100644
--- a/pkg/kubelet/sysctl/safe_sysctls_test.go
+++ b/pkg/kubelet/sysctl/safe_sysctls_test.go
@@ -59,7 +59,7 @@ func Test_getSafeSysctlAllowlist(t *testing.T) {
 },
 },
 {
- name: "kernelVersion is 5.15.0, return safeSysctls with no kernelVersion limit and net.ipv4.ip_local_reserved_ports and net.ipv4.tcp_keepalive_time",
+ name: "kernelVersion is 5.15.0, return safeSysctls with no kernelVersion limit and kernelVersion below 5.15.0",
 getVersion: func() (*version.Version, error) {
 kernelVersionStr := "5.15.0-75-generic"
 return version.ParseGeneric(kernelVersionStr)
@@ -72,6 +72,9 @@ func Test_getSafeSysctlAllowlist(t *testing.T) {
 "net.ipv4.ip_unprivileged_port_start",
 "net.ipv4.ip_local_reserved_ports",
 "net.ipv4.tcp_keepalive_time",
+ "net.ipv4.tcp_fin_timeout",
+ "net.ipv4.tcp_keepalive_intvl",
+ "net.ipv4.tcp_keepalive_probes",
 },
 },
 }
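Review bot: The first added entry of the safe_sysctls.go hunk joins the closing and opening braces on one line, `+ }, {`, while the two entries after it put `},` and `{` on separate lines like the rest of the literal; `}, {` is gofmt-clean but makes the list read unevenly and hides where one entry ends, so splitting it into `},` and `{` keeps every element shaped the same way. The new entries also put the `// refer to …` comment above `name` whereas the existing tcp_keepalive_time entry keeps it between `name` and `kernel`; either is fine, but one convention makes the gating commit easier to find. The kernel gate is the security-relevant part of each entry — `kernel: "4.6"` for tcp_fin_timeout against `"4.5"` for the two keepalive knobs — and only the linked commit records why, so a short comment such as `// presumably the first kernel in which the knob is per-netns; confirm against the linked commit` next to the differing value would spare the next reader the lookup. The `safeSysctls` literal begins before this hunk.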
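Review bot: The expectations added in the second safe_sysctls_test.go hunk are only checked against a 5.15.0 kernel, where all three new entries clear their gate; as far as this diff shows, no case runs on a kernel at or above 4.5 but below 4.6, which is the one version range where net.ipv4.tcp_fin_timeout should be excluded while net.ipv4.tcp_keepalive_intvl and net.ipv4.tcp_keepalive_probes are included. A case along the lines of `kernelVersionStr := "4.5.0"` whose expected list omits tcp_fin_timeout but keeps the two keepalive knobs would pin the only gate that differs — assuming the gate is a minimum version, as the existing 5.15.0 case suggests. Test_getSafeSysctlAllowlist extends beyond this hunk.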
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go b/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
index e8ebcc92cfb..78950c3b70b 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
@@ -44,6 +44,9 @@ spec.securityContext.sysctls[*].name
 'net.ipv4.ip_unprivileged_port_start'
 'net.ipv4.ip_local_reserved_ports'
 'net.ipv4.tcp_keepalive_time'
+'net.ipv4.tcp_fin_timeout'
+'net.ipv4.tcp_keepalive_intvl'
+'net.ipv4.tcp_keepalive_probes'
 */
@@ -97,6 +100,9 @@ var (
 "net.ipv4.ip_unprivileged_port_start",
 "net.ipv4.ip_local_reserved_ports",
 "net.ipv4.tcp_keepalive_time",
+ "net.ipv4.tcp_fin_timeout",
+ "net.ipv4.tcp_keepalive_intvl",
+ "net.ipv4.tcp_keepalive_probes",
 )
 )
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_sysctls_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_sysctls_test.go
index 101c9894466..b09af170a38 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_sysctls_test.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_sysctls_test.go
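Review bot: The allowlist extended in the second check_sysctls.go hunk now has to agree with three other copies touched by this commit — the `/* … */` list in the first hunk, `safeSysctls` in pkg/kubelet/sysctl/safe_sysctls.go and the fixture in staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go — and nothing in the code ties them together, so the next sysctl added to one copy is easy to miss in another. A comment on the set, `// Keep in sync with the list in the file comment above and with safeSysctls in pkg/kubelet/sysctl/safe_sysctls.go.`, would at least point a maintainer at the other copies. It is also worth recording there that the kubelet list gates each name by kernel version (`kernel: "4.6"` for net.ipv4.tcp_fin_timeout in this diff) while this check does not, so a pod admitted here can presumably still be refused at the node on an older kernel — confirm against how the kubelet applies its list. The `var (` block continues outside the hunk.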
@@ -63,6 +63,39 @@ func TestSysctls(t *testing.T) {
 expectReason: `forbidden sysctls`,
 expectDetail: `net.ipv4.tcp_keepalive_time`,
 },
+ {
+ name: "new supported sysctls not supported: net.ipv4.tcp_fin_timeout",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ SecurityContext: &corev1.PodSecurityContext{
+ Sysctls: []corev1.Sysctl{{Name: "net.ipv4.tcp_fin_timeout", Value: "60"}},
+ },
+ }},
+ allowed: false,
+ expectReason: `forbidden sysctls`,
+ expectDetail: `net.ipv4.tcp_fin_timeout`,
+ },
+ {
+ name: "new supported sysctls not supported: net.ipv4.tcp_keepalive_intvl",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ SecurityContext: &corev1.PodSecurityContext{
+ Sysctls: []corev1.Sysctl{{Name: "net.ipv4.tcp_keepalive_intvl", Value: "75"}},
+ },
+ }},
+ allowed: false,
+ expectReason: `forbidden sysctls`,
+ expectDetail: `net.ipv4.tcp_keepalive_intvl`,
+ },
+ {
+ name: "new supported sysctls not supported: net.ipv4.tcp_keepalive_probes",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ SecurityContext: &corev1.PodSecurityContext{
+ Sysctls: []corev1.Sysctl{{Name: "net.ipv4.tcp_keepalive_probes", Value: "9"}},
+ },
+ }},
+ allowed: false,
+ expectReason: `forbidden sysctls`,
+ expectDetail: `net.ipv4.tcp_keepalive_probes`,
+ },
 }
 for _, tc := range tests {
@@ -155,7 +188,7 @@ func TestSysctls_1_29(t *testing.T) {
 expectDetail: `a, b`,
 },
 {
- name: "new supported sysctls",
+ name: "new supported sysctls: net.ipv4.tcp_keepalive_time",
 pod: &corev1.Pod{Spec: corev1.PodSpec{
 SecurityContext: &corev1.PodSecurityContext{
 Sysctls: []corev1.Sysctl{{Name: "net.ipv4.tcp_keepalive_time", Value: "7200"}},
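Review bot: The case names added in the first hunk, such as `"new supported sysctls not supported: net.ipv4.tcp_fin_timeout"`, read as a contradiction; since this is the pre-1.29 TestSysctls where the names are expected to be rejected, something like `"sysctl allowed only from v1.29, forbidden here: net.ipv4.tcp_fin_timeout"` states what the case checks. The three cases differ only in the sysctl name and value, as do the three in the `@@ -163` hunk of TestSysctls_1_29 on the next line, so a small loop over a `[]struct{ name, value string }` that appends one case per entry would keep the cases in step with the allowlist rather than hand-copied blocks — a style choice, the copies are correct as written. Both test functions extend outside these hunks.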
@@ -163,6 +196,33 @@ func TestSysctls_1_29(t *testing.T) {
 }},
 allowed: true,
 },
+ {
+ name: "new supported sysctls: net.ipv4.tcp_fin_timeout",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ SecurityContext: &corev1.PodSecurityContext{
+ Sysctls: []corev1.Sysctl{{Name: "net.ipv4.tcp_fin_timeout", Value: "60"}},
+ },
+ }},
+ allowed: true,
+ },
+ {
+ name: "new supported sysctls: net.ipv4.tcp_keepalive_intvl",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ SecurityContext: &corev1.PodSecurityContext{
+ Sysctls: []corev1.Sysctl{{Name: "net.ipv4.tcp_keepalive_intvl", Value: "75"}},
+ },
+ }},
+ allowed: true,
+ },
+ {
+ name: "new supported sysctls: net.ipv4.tcp_keepalive_probes",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ SecurityContext: &corev1.PodSecurityContext{
+ Sysctls: []corev1.Sysctl{{Name: "net.ipv4.tcp_keepalive_probes", Value: "9"}},
+ },
+ }},
+ allowed: true,
+ },
 }
 for _, tc := range tests {
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go
index 21435817e42..9ef1a0feb1b 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go
@@ -133,6 +133,9 @@ func init() {
 {Name: "net.ipv4.ip_unprivileged_port_start", Value: "1024"},
 {Name: "net.ipv4.ip_local_reserved_ports", Value: "1024-4999"},
 {Name: "net.ipv4.tcp_keepalive_time", Value: "7200"},
+ {Name: "net.ipv4.tcp_fin_timeout", Value: "60"},
+ {Name: "net.ipv4.tcp_keepalive_intvl", Value: "75"},
+ {Name: "net.ipv4.tcp_keepalive_probes", Value: "9"},
 }
 }),
 }
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.29/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.29/pass/sysctls1.yaml
index f2a5561f98f..f8e68e6c44a 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.29/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.29/pass/sysctls1.yaml
@@ -25,3 +25,9 @@ spec:
 value: 1024-4999
 - name: net.ipv4.tcp_keepalive_time
 value: "7200"
+ - name: net.ipv4.tcp_fin_timeout
+ value: "60"
+ - name: net.ipv4.tcp_keepalive_intvl
+ value: "75"
+ - name: net.ipv4.tcp_keepalive_probes
+ value: "9"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.29/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.29/pass/sysctls1.yaml
index e91b6b9bbdf..0fa413ac4b1 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.29/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.29/pass/sysctls1.yaml
@@ -38,3 +38,9 @@ spec:
 value: 1024-4999
 - name: net.ipv4.tcp_keepalive_time
 value: "7200"
+ - name: net.ipv4.tcp_fin_timeout
+ value: "60"
+ - name: net.ipv4.tcp_keepalive_intvl
+ value: "75"
+ - name: net.ipv4.tcp_keepalive_probes
+ value: "9"