17 package sysctl
18
19 import (
20 goruntime "runtime"
21
22 "k8s.io/apimachinery/pkg/util/version"
23 "k8s.io/klog/v2"
24 utilkernel "k8s.io/kubernetes/pkg/util/kernel"
25 )
26
// sysctl is one entry of the safe sysctl allowlist.
type sysctl struct {
	// name is the sysctl key as exposed to the allowlist, e.g. "net.ipv4.tcp_syncookies".
	name string
	// kernel, when non-empty, is the minimum kernel version (a generic version
	// string accepted by version.MustParseGeneric) the node must run for this
	// sysctl to be included; see getSafeSysctlAllowlist. An empty value means
	// the sysctl is included on every kernel.
	kernel string
}
33
// safeSysctls is the static source of SafeSysctlAllowlist. Entries with an
// empty kernel field are always included; entries with a kernel field are
// included only when the running kernel is at least that version (the
// filtering is done in getSafeSysctlAllowlist).
var safeSysctls = []sysctl{
	{name: "kernel.shm_rmid_forced"},
	{name: "net.ipv4.ip_local_port_range"},
	{name: "net.ipv4.tcp_syncookies"},
	{name: "net.ipv4.ping_group_range"},
	{name: "net.ipv4.ip_unprivileged_port_start"},
	{name: "net.ipv4.ip_local_reserved_ports", kernel: utilkernel.IPLocalReservedPortsNamespacedKernelVersion},
	{name: "net.ipv4.tcp_keepalive_time", kernel: utilkernel.TCPKeepAliveTimeNamespacedKernelVersion},
	{name: "net.ipv4.tcp_fin_timeout", kernel: utilkernel.TCPFinTimeoutNamespacedKernelVersion},
	{name: "net.ipv4.tcp_keepalive_intvl", kernel: utilkernel.TCPKeepAliveIntervalNamespacedKernelVersion},
	{name: "net.ipv4.tcp_keepalive_probes", kernel: utilkernel.TCPKeepAliveProbesNamespacedKernelVersion},
}
64
// SafeSysctlAllowlist returns the names of the sysctls in safeSysctls that
// apply to the running node. It is Linux-only: on any other GOOS it returns
// nil. On Linux the list is filtered against the kernel version reported by
// utilkernel.GetVersion, so entries whose kernel requirement is not met are
// omitted.
func SafeSysctlAllowlist() []string {
	if goruntime.GOOS == "linux" {
		return getSafeSysctlAllowlist(utilkernel.GetVersion)
	}
	// Sysctls are a Linux kernel interface; nothing is allowlisted elsewhere.
	return nil
}
77
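// getSafeSysctlAllowlist builds the allowlist from safeSysctls using the
// kernel version returned by getVersion. Entries without a kernel
// requirement are always included; gated entries are included only when
// the running kernel is at least the required version.
//
// If getVersion fails (or yields no version), the error is logged once and
// every gated entry is excluded: an unknown kernel version is never treated
// as new enough, so the function fails closed. The returned slice is nil
// when no entry qualifies.
func getSafeSysctlAllowlist(getVersion func() (*version.Version, error)) []string {
	kernelVersion, err := getVersion()
	if err != nil {
		klog.ErrorS(err, "failed to get kernel version, unable to determine which sysctls are available")
		// Deliberately not returning: the ungated sysctls below do not depend on the kernel version.
	}

	var safeSysctlAllowlist []string
	for _, sc := range safeSysctls {
		if sc.kernel == "" {
			safeSysctlAllowlist = append(safeSysctlAllowlist, sc.name)
			continue
		}

		if kernelVersion == nil {
			// The version lookup above produced nothing, so the requirement
			// cannot be checked; report that accurately instead of "too old".
			klog.InfoS("kernel version is unknown, dropping the sysctl from safe sysctl list", "sysctl", sc.name)
			continue
		}

		// sc.kernel values are package constants; a malformed one is a
		// programming error, which is why MustParseGeneric is acceptable here.
		if kernelVersion.AtLeast(version.MustParseGeneric(sc.kernel)) {
			safeSysctlAllowlist = append(safeSysctlAllowlist, sc.name)
		} else {
			klog.InfoS("kernel version is too old, dropping the sysctl from safe sysctl list", "kernelVersion", kernelVersion, "sysctl", sc.name)
		}
	}
	return safeSysctlAllowlist
}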
99