add net.ipv4.ip_local_reserved_ports to safe sysctls

Signed-off-by: Paco Xu <paco.xu@daocloud.io>

pkg/kubelet/sysctl/safe_sysctls.go

@@ -28,5 +28,6 @@ func SafeSysctlAllowlist() []string {
 		"net.ipv4.tcp_syncookies",
 		"net.ipv4.ping_group_range",
 		"net.ipv4.ip_unprivileged_port_start",
+		"net.ipv4.ip_local_reserved_ports",
 	}
 }

staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go

@@ -42,6 +42,7 @@ spec.securityContext.sysctls[*].name
 'net.ipv4.tcp_syncookies'
 'net.ipv4.ping_group_range'
 'net.ipv4.ip_unprivileged_port_start'
+'net.ipv4.ip_local_reserved_ports'
 
 */
 
@@ -71,6 +72,7 @@ var (
 		"net.ipv4.tcp_syncookies",
 		"net.ipv4.ping_group_range",
 		"net.ipv4.ip_unprivileged_port_start",
+		"net.ipv4.ip_local_reserved_ports",
 	)
 )
 

staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go

@@ -41,7 +41,7 @@ func init() {
 				tweak(p, func(p *corev1.Pod) { p.Spec.SecurityContext.Sysctls = nil }),
 				// sysctls with name="kernel.shm_rmid_forced" ,"net.ipv4.ip_local_port_range"
 				// "net.ipv4.tcp_syncookies", "net.ipv4.ping_group_range",
-				// "net.ipv4.ip_unprivileged_port_start"
+				// "net.ipv4.ip_unprivileged_port_start", "net.ipv4.ip_local_reserved_ports"
 				tweak(p, func(p *corev1.Pod) {
 					p.Spec.SecurityContext.Sysctls = []corev1.Sysctl{
 						{Name: "kernel.shm_rmid_forced", Value: "0"},
@@ -49,6 +49,7 @@ func init() {
 						{Name: "net.ipv4.tcp_syncookies", Value: "0"},
 						{Name: "net.ipv4.ping_group_range", Value: "1 0"},
 						{Name: "net.ipv4.ip_unprivileged_port_start", Value: "1024"},
+						{Name: "net.ipv4.ip_local_reserved_ports", Value: "1024 4999"},
 					}
 				}),
 			}