From 38955897f7518631f5145b4d7cdd1277ad9ad3e6 Mon Sep 17 00:00:00 2001
From: Pengfei Ni
Date: Mon, 14 Nov 2016 12:19:52 +0800
Subject: [PATCH] CRI: add docs for sysctls
---
 pkg/kubelet/api/v1alpha1/runtime/api.pb.go | 10 ++++++++++
 pkg/kubelet/api/v1alpha1/runtime/api.proto | 10 ++++++++++
 2 files changed, 20 insertions(+)
diff --git a/pkg/kubelet/api/v1alpha1/runtime/api.pb.go b/pkg/kubelet/api/v1alpha1/runtime/api.pb.go
index aea5a4d0025..acca0186509 100644
--- a/pkg/kubelet/api/v1alpha1/runtime/api.pb.go
+++ b/pkg/kubelet/api/v1alpha1/runtime/api.pb.go
@@ -668,6 +668,16 @@ type PodSandboxConfig struct { // * localhost/: the profile installed to the node's // local seccomp profile root // + // 3. Sysctls + // + // key: security.alpha.kubernetes.io/sysctls + // description: list of safe sysctls which are set for the sandbox. + // value: comma separated list of sysctl_name=value key-value pairs. + // + // key: security.alpha.kubernetes.io/unsafe-sysctls + // description: list of unsafe sysctls which are set for the sandbox. + // value: comma separated list of sysctl_name=value key-value pairs. + // Annotations map[string]string `protobuf:"bytes,7,rep,name=annotations" json:"annotations,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` // Optional configurations specific to Linux hosts. Linux *LinuxPodSandboxConfig `protobuf:"bytes,8,opt,name=linux" json:"linux,omitempty"`
diff --git a/pkg/kubelet/api/v1alpha1/runtime/api.proto b/pkg/kubelet/api/v1alpha1/runtime/api.proto
index 4e42518dd22..7c672cb54d2 100644
--- a/pkg/kubelet/api/v1alpha1/runtime/api.proto
+++ b/pkg/kubelet/api/v1alpha1/runtime/api.proto
@@ -258,6 +258,16 @@ message PodSandboxConfig {
 // * localhost/: the profile installed to the node's
 // local seccomp profile root
 //
+ // 3. Sysctls
+ //
+ // key: security.alpha.kubernetes.io/sysctls
+ // description: list of safe sysctls which are set for the sandbox.
+ // value: comma separated list of sysctl_name=value key-value pairs.
+ //
+ // key: security.alpha.kubernetes.io/unsafe-sysctls
+ // description: list of unsafe sysctls which are set for the sandbox.
+ // value: comma separated list of sysctl_name=value key-value pairs.
+ //
 map annotations = 7;
 // Optional configurations specific to Linux hosts.
 optional LinuxPodSandboxConfig linux = 8;
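Review bot: The new `3. Sysctls` comment in `PodSandboxConfig` calls the two annotation keys "safe" and "unsafe" without saying what separates them or what a runtime is expected to do with each, so an implementer cannot tell from the API text whether the pairs arrive already validated or must be checked before they are applied to the sandbox. I would add one line under each key stating that contract, for example `// The kubelet validates this list before passing it on; runtimes must apply it only to the sandbox and must not widen it.`, worded to match whatever the kubelet actually guarantees, which is not visible in this hunk. The value format `sysctl_name=value` joined by commas also leaves open how a value that itself contains a comma is represented; saying that such values are unsupported, or how they are escaped, would keep runtime parsers from diverging. The same wording is mirrored in the generated api.pb.go hunk, and the message body continues outside this hunk.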