Merge pull request #121240 from HirazawaUi/add-safe-sysctl

Add ipv4 TCP settings safe sysctls
2025-08-01 15:58:37 +00:00 · 2023-10-20 03:10:34 +02:00 · 2023-10-20 03:10:34 +02:00 · 7aa89084a3
commit 7aa89084a3
parent 88d9573c30 1132fd0afd
7 changed files with 100 additions and 2 deletions
--- a/pkg/kubelet/sysctl/safe_sysctls.go
+++ b/pkg/kubelet/sysctl/safe_sysctls.go
@ -51,6 +51,20 @@ var safeSysctls = []sysctl{
 		name: "net.ipv4.tcp_keepalive_time",
 		// refer to https://github.com/torvalds/linux/commit/13b287e8d1cad951634389f85b8c9b816bd3bb1e.
 		kernel: "4.5",
+	}, {
+		// refer to https://github.com/torvalds/linux/commit/1e579caa18b96f9eb18f4f5416658cd15f37c062.
+		name:   "net.ipv4.tcp_fin_timeout",
+		kernel: "4.6",
+	},
+	{
+		// refer to https://github.com/torvalds/linux/commit/b840d15d39128d08ed4486085e5507d2617b9ae1.
+		name:   "net.ipv4.tcp_keepalive_intvl",
+		kernel: "4.5",
+	},
+	{
+		// refer to https://github.com/torvalds/linux/commit/9bd6861bd4326e3afd3f14a9ec8a723771fb20bb.
+		name:   "net.ipv4.tcp_keepalive_probes",
+		kernel: "4.5",
 	},
 }

--- a/pkg/kubelet/sysctl/safe_sysctls_test.go
+++ b/pkg/kubelet/sysctl/safe_sysctls_test.go
@ -59,7 +59,7 @@ func Test_getSafeSysctlAllowlist(t *testing.T) {
 			},
 		},
 		{
-			name: "kernelVersion is 5.15.0, return safeSysctls with no kernelVersion limit and net.ipv4.ip_local_reserved_ports and net.ipv4.tcp_keepalive_time",
+			name: "kernelVersion is 5.15.0, return safeSysctls with no kernelVersion limit and kernelVersion below 5.15.0",
 			getVersion: func() (*version.Version, error) {
 				kernelVersionStr := "5.15.0-75-generic"
 				return version.ParseGeneric(kernelVersionStr)
@ -72,6 +72,9 @@ func Test_getSafeSysctlAllowlist(t *testing.T) {
 				"net.ipv4.ip_unprivileged_port_start",
 				"net.ipv4.ip_local_reserved_ports",
 				"net.ipv4.tcp_keepalive_time",
+				"net.ipv4.tcp_fin_timeout",
+				"net.ipv4.tcp_keepalive_intvl",
+				"net.ipv4.tcp_keepalive_probes",
 			},
 		},
 	}
--- a/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
@ -44,6 +44,9 @@ spec.securityContext.sysctls[*].name
 'net.ipv4.ip_unprivileged_port_start'
 'net.ipv4.ip_local_reserved_ports'
 'net.ipv4.tcp_keepalive_time'
+'net.ipv4.tcp_fin_timeout'
+'net.ipv4.tcp_keepalive_intvl'
+'net.ipv4.tcp_keepalive_probes'

 */

@ -97,6 +100,9 @@ var (
 		"net.ipv4.ip_unprivileged_port_start",
 		"net.ipv4.ip_local_reserved_ports",
 		"net.ipv4.tcp_keepalive_time",
+		"net.ipv4.tcp_fin_timeout",
+		"net.ipv4.tcp_keepalive_intvl",
+		"net.ipv4.tcp_keepalive_probes",
 	)
 )

--- a/staging/src/k8s.io/pod-security-admission/policy/check_sysctls_test.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_sysctls_test.go
@ -63,6 +63,39 @@ func TestSysctls(t *testing.T) {
 			expectReason: `forbidden sysctls`,
 			expectDetail: `net.ipv4.tcp_keepalive_time`,
 		},
+		{
+			name: "new supported sysctls not supported: net.ipv4.tcp_fin_timeout",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				SecurityContext: &corev1.PodSecurityContext{
+					Sysctls: []corev1.Sysctl{{Name: "net.ipv4.tcp_fin_timeout", Value: "60"}},
+				},
+			}},
+			allowed:      false,
+			expectReason: `forbidden sysctls`,
+			expectDetail: `net.ipv4.tcp_fin_timeout`,
+		},
+		{
+			name: "new supported sysctls not supported: net.ipv4.tcp_keepalive_intvl",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				SecurityContext: &corev1.PodSecurityContext{
+					Sysctls: []corev1.Sysctl{{Name: "net.ipv4.tcp_keepalive_intvl", Value: "75"}},
+				},
+			}},
+			allowed:      false,
+			expectReason: `forbidden sysctls`,
+			expectDetail: `net.ipv4.tcp_keepalive_intvl`,
+		},
+		{
+			name: "new supported sysctls not supported: net.ipv4.tcp_keepalive_probes",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				SecurityContext: &corev1.PodSecurityContext{
+					Sysctls: []corev1.Sysctl{{Name: "net.ipv4.tcp_keepalive_probes", Value: "9"}},
+				},
+			}},
+			allowed:      false,
+			expectReason: `forbidden sysctls`,
+			expectDetail: `net.ipv4.tcp_keepalive_probes`,
+		},
 	}

 	for _, tc := range tests {
@ -155,7 +188,7 @@ func TestSysctls_1_29(t *testing.T) {
 			expectDetail: `a, b`,
 		},
 		{
-			name: "new supported sysctls",
+			name: "new supported sysctls: net.ipv4.tcp_keepalive_time",
 			pod: &corev1.Pod{Spec: corev1.PodSpec{
 				SecurityContext: &corev1.PodSecurityContext{
 					Sysctls: []corev1.Sysctl{{Name: "net.ipv4.tcp_keepalive_time", Value: "7200"}},
@ -163,6 +196,33 @@ func TestSysctls_1_29(t *testing.T) {
 			}},
 			allowed: true,
 		},
+		{
+			name: "new supported sysctls: net.ipv4.tcp_fin_timeout",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				SecurityContext: &corev1.PodSecurityContext{
+					Sysctls: []corev1.Sysctl{{Name: "net.ipv4.tcp_fin_timeout", Value: "60"}},
+				},
+			}},
+			allowed: true,
+		},
+		{
+			name: "new supported sysctls: net.ipv4.tcp_keepalive_intvl",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				SecurityContext: &corev1.PodSecurityContext{
+					Sysctls: []corev1.Sysctl{{Name: "net.ipv4.tcp_keepalive_intvl", Value: "75"}},
+				},
+			}},
+			allowed: true,
+		},
+		{
+			name: "new supported sysctls: net.ipv4.tcp_keepalive_probes",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				SecurityContext: &corev1.PodSecurityContext{
+					Sysctls: []corev1.Sysctl{{Name: "net.ipv4.tcp_keepalive_probes", Value: "9"}},
+				},
+			}},
+			allowed: true,
+		},
 	}

 	for _, tc := range tests {
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go
@ -133,6 +133,9 @@ func init() {
 						{Name: "net.ipv4.ip_unprivileged_port_start", Value: "1024"},
 						{Name: "net.ipv4.ip_local_reserved_ports", Value: "1024-4999"},
 						{Name: "net.ipv4.tcp_keepalive_time", Value: "7200"},
+						{Name: "net.ipv4.tcp_fin_timeout", Value: "60"},
+						{Name: "net.ipv4.tcp_keepalive_intvl", Value: "75"},
+						{Name: "net.ipv4.tcp_keepalive_probes", Value: "9"},
 					}
 				}),
 			}
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.29/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.29/pass/sysctls1.yaml
@ -25,3 +25,9 @@ spec:
      value: 1024-4999
    - name: net.ipv4.tcp_keepalive_time
      value: "7200"
+    - name: net.ipv4.tcp_fin_timeout
+      value: "60"
+    - name: net.ipv4.tcp_keepalive_intvl
+      value: "75"
+    - name: net.ipv4.tcp_keepalive_probes
+      value: "9"
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.29/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.29/pass/sysctls1.yaml
@ -38,3 +38,9 @@ spec:
      value: 1024-4999
    - name: net.ipv4.tcp_keepalive_time
      value: "7200"
+    - name: net.ipv4.tcp_fin_timeout
+      value: "60"
+    - name: net.ipv4.tcp_keepalive_intvl
+      value: "75"
+    - name: net.ipv4.tcp_keepalive_probes
+      value: "9"