diff --git a/pkg/kubelet/sysctl/safe_sysctls.go b/pkg/kubelet/sysctl/safe_sysctls.go
index 601b88de75e..c182cb96cc2 100644
--- a/pkg/kubelet/sysctl/safe_sysctls.go
+++ b/pkg/kubelet/sysctl/safe_sysctls.go
@@ -16,12 +16,43 @@ limitations under the License.
 package sysctl
+import (
+ "k8s.io/apimachinery/pkg/util/version"
+ "k8s.io/klog/v2"
+ "k8s.io/kubernetes/pkg/proxy/ipvs"
+)
+
+const ipLocalReservedPortsMinNamespacedKernelVersion = "3.16"
+
+var safeSysctls = []string{
+ "kernel.shm_rmid_forced",
+ "net.ipv4.ip_local_port_range",
+ "net.ipv4.tcp_syncookies",
+ "net.ipv4.ping_group_range",
+ "net.ipv4.ip_unprivileged_port_start",
+}
+
 // SafeSysctlAllowlist returns the allowlist of safe sysctls and safe sysctl patterns (ending in *).
 //
 // A sysctl is called safe iff
 // - it is namespaced in the container or the pod
 // - it is isolated, i.e. has no influence on any other pod on the same node.
 func SafeSysctlAllowlist() []string {
+ kernelVersionStr, err := ipvs.NewLinuxKernelHandler().GetKernelVersion()
+ if err != nil {
+ klog.ErrorS(err, "Failed to get kernel version.")
+ return safeSysctls
+ }
+ kernelVersion, err := version.ParseGeneric(kernelVersionStr)
+ if err != nil {
+ klog.ErrorS(err, "Failed to parse kernel version.")
+ return safeSysctls
+ }
+ // ip_local_reserved_ports has been changed to namesapced since kernel v3.16.
+ // refer to https://github.com/torvalds/linux/commit/122ff243f5f104194750ecbc76d5946dd1eec934.
+ if kernelVersion.LessThan(version.MustParseGeneric(ipLocalReservedPortsMinNamespacedKernelVersion)) {
+ return safeSysctls
+ }
 return []string{
 "kernel.shm_rmid_forced",
 "net.ipv4.ip_local_port_range",