Merge pull request #36728 from feiskyer/sysctls-docs

Automatic merge from submit-queue CRI: add docs for sysctls #34830 adds `sysctls` features in CRI, it is based on sandbox annotations, this PR adds docs for it. @yujuhong @timstclair @jonboulle
2025-07-22 19:31:44 +00:00 · 2016-11-16 02:58:42 -08:00 · 2016-11-16 02:58:42 -08:00 · 193622b31f
commit 193622b31f
parent 587cbaf988 38955897f7
2 changed files with 20 additions and 0 deletions
--- a/pkg/kubelet/api/v1alpha1/runtime/api.pb.go
+++ b/pkg/kubelet/api/v1alpha1/runtime/api.pb.go
@ -667,6 +667,16 @@ type PodSandboxConfig struct {
 	//      * localhost/<profile-name>: the profile installed to the node's
 	//        local seccomp profile root
 	//
+	// 3. Sysctls
+	//
+	//      key: security.alpha.kubernetes.io/sysctls
+	//      description: list of safe sysctls which are set for the sandbox.
+	//      value: comma separated list of sysctl_name=value key-value pairs.
+	//
+	//      key: security.alpha.kubernetes.io/unsafe-sysctls
+	//      description: list of unsafe sysctls which are set for the sandbox.
+	//      value: comma separated list of sysctl_name=value key-value pairs.
+	//
 	Annotations map[string]string `protobuf:"bytes,7,rep,name=annotations" json:"annotations,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
 	// Optional configurations specific to Linux hosts.
 	Linux            *LinuxPodSandboxConfig `protobuf:"bytes,8,opt,name=linux" json:"linux,omitempty"`
--- a/pkg/kubelet/api/v1alpha1/runtime/api.proto
+++ b/pkg/kubelet/api/v1alpha1/runtime/api.proto
@ -257,6 +257,16 @@ message PodSandboxConfig {
    //      * localhost/<profile-name>: the profile installed to the node's
    //        local seccomp profile root
    //
+    // 3. Sysctls
+    //
+    //      key: security.alpha.kubernetes.io/sysctls
+    //      description: list of safe sysctls which are set for the sandbox.
+    //      value: comma separated list of sysctl_name=value key-value pairs.
+    //
+    //      key: security.alpha.kubernetes.io/unsafe-sysctls
+    //      description: list of unsafe sysctls which are set for the sandbox.
+    //      value: comma separated list of sysctl_name=value key-value pairs.
+    //
    map<string, string> annotations = 7;
    // Optional configurations specific to Linux hosts.
    optional LinuxPodSandboxConfig linux = 8;