Do not attempt to overwrite higher system (sysctl) values

With this commit kube-proxy accepts current system values (retrieved by sysctl) which are higher than the internally known and expected values.
The code change was mistakenly created as a PR in the k3s project (see https://github.com/k3s-io/k3s/pull/3505).
A real life use case is described in Rancher issue https://github.com/rancher/rancher/issues/33360.

When Kubernetes runs on a Node which itself is a container (e.g. LXC), and the value is changed on the (LXC) host, kube-proxy then fails at the next start as it does not recognize the current value and attempts to overwrite the current value with the previously known one. This results in:

```
I0624 07:38:23.053960      54 conntrack.go:103] Set sysctl 'net/netfilter/nf_conntrack_max' to 524288
F0624 07:38:23.053999      54 server.go:495] open /proc/sys/net/netfilter/nf_conntrack_max: permission denied
```

However, a sysctl overwrite only makes sense if the current value is lower than the previously known and expected value. If the value was increased on the host, that shouldn't really bother kube-proxy, which should just go on with it.

Signed-off-by: Claudio Kuenzler <ck@claudiokuenzler.com>
Claudio Kuenzler 2021-06-25 07:20:49 +02:00 committed by Napsty
parent 296991f697
commit f3708fa016
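To make the failure mode in the commit message concrete, the following Go program is an added example (not kube-proxy's or the author's code). It models `/proc/sys` with an in-memory fake whose `Writable` flag stands in for the container's permission on the host-owned value, and compares the old "any mismatch triggers a write" logic with the "only raise, never lower" logic. The `Sysctl` interface, `FakeSysctl`, `ErrReadOnly` and the two `setIntSysctl*` functions are constructed for this example; the sysctl name and the 524288 default are the ones from the log excerpt above.

```go
package main

import (
	"errors"
	"fmt"
)

// Sysctl is the minimal read/write surface this example needs. It is a
// stand-in for kube-proxy's sysctl package, not that package's real API.
type Sysctl interface {
	GetSysctl(name string) (int, error)
	SetSysctl(name string, value int) error
}

// ErrReadOnly models the "permission denied" a container sees when it tries
// to write a /proc/sys entry that is owned by the host (e.g. an LXC host).
var ErrReadOnly = errors.New("open /proc/sys: permission denied")

// FakeSysctl is a constructed in-memory sysctl tree. Writable controls
// whether SetSysctl succeeds, mimicking a read-only /proc/sys in a container.
type FakeSysctl struct {
	Values   map[string]int
	Writable bool
}

func (f *FakeSysctl) GetSysctl(name string) (int, error) {
	v, ok := f.Values[name]
	if !ok {
		return -1, fmt.Errorf("sysctl %q not found", name)
	}
	return v, nil
}

func (f *FakeSysctl) SetSysctl(name string, value int) error {
	if !f.Writable {
		return ErrReadOnly
	}
	f.Values[name] = value
	return nil
}

// setIntSysctlOld mirrors the pre-commit behaviour: any mismatch between the
// current and the expected value triggers a write, even when current is higher.
func setIntSysctlOld(sys Sysctl, name string, value int) error {
	entry := "net/netfilter/" + name
	if val, _ := sys.GetSysctl(entry); val != value {
		return sys.SetSysctl(entry, value)
	}
	return nil
}

// setIntSysctlNew mirrors the post-commit behaviour: the value is only ever
// raised, never lowered. Unlike the patch, a read error is returned instead of
// being discarded, so a failed read cannot be mistaken for "value is 0".
func setIntSysctlNew(sys Sysctl, name string, value int) error {
	entry := "net/netfilter/" + name
	val, err := sys.GetSysctl(entry)
	if err != nil {
		return err
	}
	if val < value {
		return sys.SetSysctl(entry, value)
	}
	return nil
}

func main() {
	const want = 524288 // the value kube-proxy wanted to set in the log excerpt
	// Constructed scenario: the LXC host raised nf_conntrack_max above what
	// kube-proxy expects and the container cannot write the entry.
	host := &FakeSysctl{
		Values:   map[string]int{"net/netfilter/nf_conntrack_max": 1048576},
		Writable: false,
	}
	fmt.Println("old logic:", setIntSysctlOld(host, "nf_conntrack_max", want))
	fmt.Println("new logic:", setIntSysctlNew(host, "nf_conntrack_max", want))
}
```

Running it prints the `permission denied` error for the old logic and `<nil>` for the new one, because the new check leaves a higher host value alone. When the host value is lower than expected, both variants still attempt the write, and in a read-only container both still fail, which is the correct outcome since the node genuinely cannot meet the requirement.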


@ -96,7 +96,7 @@ func (realConntracker) setIntSysCtl(name string, value int) error {
entry := "net/netfilter/" + name
sys := sysctl.New()
if val, _ := sys.GetSysctl(entry); val != value {
if val, _ := sys.GetSysctl(entry); val != value && val < value {
klog.InfoS("Set sysctl", "entry", entry, "value", value)
if err := sys.SetSysctl(entry, value); err != nil {
return err
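Review bot: in the changed condition `val != value && val < value`, the `val != value` clause is redundant (any `val < value` is already `!= value`), so `if val, _ := sys.GetSysctl(entry); val < value {` says the same thing more clearly. More importantly, the error from `GetSysctl` is still discarded with `val, _`; if the read fails, `val` is whatever the package returns on error and is compared against `value` as if it were a real reading, so a read failure can silently turn into a write attempt. Suggest `val, err := sys.GetSysctl(entry); if err != nil { return err }` before the comparison. Finally, the new "keep the higher host value" branch is silent; a `klog.V(2).InfoS("Sysctl already higher than expected, keeping it", "entry", entry, "current", val, "expected", value)` line would let operators see why the expected value was not applied.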