Merge pull request #32383 from sttts/sttts-sysctl-infra-only

Automatic merge from submit-queue Only set sysctls for infra containers We did set the sysctls for each container in a pod. This opens up a way to set un-whitelisted sysctls during upgrade from v1.3: - set annotation in v1.3 with an un-whitelisted sysctl. Set restartPolicy=Always - upgrade cluster to v1.4 - kill container process - un-whitelisted sysctl is set on restart of the killed container.
2025-07-27 21:47:07 +00:00 · 2016-11-01 08:47:38 -07:00 · 2016-11-01 08:47:38 -07:00 · 7d10cffc37
commit 7d10cffc37
parent 63954ccd0e 962e7534b4
1 changed files with 13 additions and 11 deletions
--- a/pkg/kubelet/dockertools/docker_manager.go
+++ b/pkg/kubelet/dockertools/docker_manager.go
@ -688,6 +688,7 @@ func (dm *DockerManager) runContainer(
 	}

 	// Set sysctls if requested
+	if container.Name == PodInfraContainerName {
 		sysctls, unsafeSysctls, err := api.SysctlsFromPodAnnotations(pod.Annotations)
 		if err != nil {
 			dm.recorder.Eventf(ref, api.EventTypeWarning, events.FailedToCreateContainer, "Failed to create docker container %q of pod %q with error: %v", container.Name, format.Pod(pod), err)
@ -702,6 +703,7 @@ func (dm *DockerManager) runContainer(
 				hc.Sysctls[c.Name] = c.Value
 			}
 		}
+	}

 	// If current api version is newer than docker 1.10 requested, set OomScoreAdj to HostConfig
 	result, err := dm.checkDockerAPIVersion(dockerV110APIVersion)