From e154b73535d003586594d52b671d36487384058b Mon Sep 17 00:00:00 2001
From: Paco Xu <paco.xu@daocloud.io>
Date: Tue, 21 Mar 2023 14:27:12 +0800
Subject: [PATCH] safe-sysctl: skip checking for windows

---
 pkg/kubelet/sysctl/safe_sysctls.go | 49 +++++++++++++++++++-----------
 1 file changed, 32 insertions(+), 17 deletions(-)

diff --git a/pkg/kubelet/sysctl/safe_sysctls.go b/pkg/kubelet/sysctl/safe_sysctls.go
index c182cb96cc2..ea3fcd57d27 100644
--- a/pkg/kubelet/sysctl/safe_sysctls.go
+++ b/pkg/kubelet/sysctl/safe_sysctls.go
@@ -17,11 +17,15 @@ limitations under the License.
 package sysctl
 
 import (
+	"fmt"
+	goruntime "runtime"
+
 	"k8s.io/apimachinery/pkg/util/version"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/proxy/ipvs"
 )
 
+// refer to https://github.com/torvalds/linux/commit/122ff243f5f104194750ecbc76d5946dd1eec934.
 const ipLocalReservedPortsMinNamespacedKernelVersion = "3.16"
 
 var safeSysctls = []string{
@@ -32,33 +36,44 @@ var safeSysctls = []string{
 	"net.ipv4.ip_unprivileged_port_start",
 }
 
+var safeSysctlsIncludeReservedPorts = []string{
+	"kernel.shm_rmid_forced",
+	"net.ipv4.ip_local_port_range",
+	"net.ipv4.tcp_syncookies",
+	"net.ipv4.ping_group_range",
+	"net.ipv4.ip_unprivileged_port_start",
+	"net.ipv4.ip_local_reserved_ports",
+}
+
 // SafeSysctlAllowlist returns the allowlist of safe sysctls and safe sysctl patterns (ending in *).
 //
 // A sysctl is called safe iff
 // - it is namespaced in the container or the pod
 // - it is isolated, i.e. has no influence on any other pod on the same node.
 func SafeSysctlAllowlist() []string {
+	if goruntime.GOOS == "linux" {
+		// make sure we're on a new enough kernel that the ip_local_reserved_ports sysctl is namespaced
+		kernelVersion, err := getKernelVersion()
+		if err != nil {
+			klog.ErrorS(err, "Failed to get kernel version, dropping net.ipv4.ip_local_reserved_ports from safe sysctl list")
+			return safeSysctls
+		}
+		if kernelVersion.LessThan(version.MustParseGeneric(ipLocalReservedPortsMinNamespacedKernelVersion)) {
+			klog.ErrorS(nil, "Kernel version is too old, dropping net.ipv4.ip_local_reserved_ports from safe sysctl list", "kernelVersion", kernelVersion)
+			return safeSysctls
+		}
+	}
+	return safeSysctlsIncludeReservedPorts
+}
+
+func getKernelVersion() (*version.Version, error) {
 	kernelVersionStr, err := ipvs.NewLinuxKernelHandler().GetKernelVersion()
 	if err != nil {
-		klog.ErrorS(err, "Failed to get kernel version.")
-		return safeSysctls
+		return nil, fmt.Errorf("failed to get kernel version: %w", err)
 	}
 	kernelVersion, err := version.ParseGeneric(kernelVersionStr)
 	if err != nil {
-		klog.ErrorS(err, "Failed to parse kernel version.")
-		return safeSysctls
-	}
-	// ip_local_reserved_ports has been changed to namesapced since kernel v3.16.
-	// refer to https://github.com/torvalds/linux/commit/122ff243f5f104194750ecbc76d5946dd1eec934.
-	if kernelVersion.LessThan(version.MustParseGeneric(ipLocalReservedPortsMinNamespacedKernelVersion)) {
-		return safeSysctls
-	}
-	return []string{
-		"kernel.shm_rmid_forced",
-		"net.ipv4.ip_local_port_range",
-		"net.ipv4.tcp_syncookies",
-		"net.ipv4.ping_group_range",
-		"net.ipv4.ip_unprivileged_port_start",
-		"net.ipv4.ip_local_reserved_ports",
+		return nil, fmt.Errorf("failed to parse kernel version: %w", err)
 	}
+	return kernelVersion, nil
 }