Try Kubernetes

Get Started

Ready to get your hands dirty? Build a simple Kubernetes cluster that runs "Hello World" for Node.js.

Documentation

Learn how to use Kubernetes with the use of walkthroughs, samples, and reference documentation. You can even help contribute to the docs!

Community

If you need help, you can connect with other Kubernetes users and the Kubernetes authors, attend community events, and watch video presentations from around the web.

Blog

Read the latest news for Kubernetes and the containers space in general, and get technical how-tos hot off the presses.

Interested in hacking on the core Kubernetes code base?

View On Github

Explore the community

Tasks

Example Task Template

Extend kubectl with plugins

Manage HugePages

Schedule GPUs

Install Tools

Install Minikube

Install and Set Up kubectl

Manage Memory, CPU, and API Resources

Access Clusters Using the Kubernetes API

Access Services Running on Clusters

Advertise Extended Resources for a Node

Autoscale the DNS Service in a Cluster

Change the Reclaim Policy of a PersistentVolume

Change the default StorageClass

Cluster Management

Configure Default CPU Requests and Limits for a Namespace

Configure Default Memory Requests and Limits for a Namespace

Configure Memory and CPU Quotas for a Namespace

Configure Minimum and Maximum CPU Constraints for a Namespace

Configure Minimum and Maximum Memory Constraints for a Namespace

Configure Multiple Schedulers

Configure Out Of Resource Handling

Configure Quotas for API Objects

Configure a Pod Quota for a Namespace

Control CPU Management Policies on the Node

Customizing DNS Service

Debugging DNS Resolution

Declare Network Policy

Developing Cloud Controller Manager

Encrypting Secret Data at Rest

Guaranteed Scheduling For Critical Add-On Pods

IP Masquerade Agent User Guide

Kubernetes Cloud Controller Manager

Limit Storage Consumption

Namespaces Walkthrough

Operating etcd clusters for Kubernetes

Persistent Volume Claim Protection

Reconfigure a Node's Kubelet in a Live Cluster

Reserve Compute Resources for System Daemons

Romana for NetworkPolicy

Safely Drain a Node while Respecting Application SLOs

Securing a Cluster

Set Kubelet parameters via a config file

Set up High-Availability Kubernetes Masters

Set up a High-Availablity Etcd Cluster With Kubeadm

Share a Cluster with Namespaces

Static Pods

Storage Object in Use Protection

Use Calico for NetworkPolicy

Use Cilium for NetworkPolicy

Use Kube-router for NetworkPolicy

Using CoreDNS for Service Discovery

Using Sysctls in a Kubernetes Cluster

Using a KMS provider for data encryption

Weave Net for NetworkPolicy

Upgrading or downgrading Kubernetes

Cluster Management Guide for Version 1.6

Upgrading kubeadm HA clusters from 1.9.x to 1.9.y

Upgrading kubeadm clusters from 1.6 to 1.7

Upgrading kubeadm clusters from 1.7 to 1.8

Upgrading/downgrading kubeadm clusters between v1.8 to v1.9

Configure Pods and Containers

Assign CPU Resources to Containers and Pods

Assign Extended Resources to a Container

Assign Memory Resources to Containers and Pods

Assign Pods to Nodes

Attach Handlers to Container Lifecycle Events

Configure Liveness and Readiness Probes

Configure Pod Initialization

Configure Quality of Service for Pods

Configure Service Accounts for Pods

Configure a Pod to Use a ConfigMap

Configure a Pod to Use a PersistentVolume for Storage

Configure a Pod to Use a Projected Volume for Storage

Configure a Pod to Use a Volume for Storage

Configure a Security Context for a Pod or Container

Pull an Image from a Private Registry

Share Process Namespace between Containers in a Pod

Inject Data Into Applications

Define Environment Variables for a Container

Define a Command and Arguments for a Container

Distribute Credentials Securely Using Secrets

Expose Pod Information to Containers Through Environment Variables

Expose Pod Information to Containers Through Files

Inject Information into Pods Using a PodPreset

Run Applications

Delete a StatefulSet

Force Delete StatefulSet Pods

Horizontal Pod Autoscaler

Horizontal Pod Autoscaler Walkthrough

Perform Rolling Update Using a Replication Controller

Run a Replicated Stateful Application

Run a Single-Instance Stateful Application

Run a Stateless Application Using a Deployment

Scale a StatefulSet

Specifying a Disruption Budget for your Application

Update API Objects in Place Using kubectl patch

Run Jobs

Parallel Processing using Expansions

Running automated tasks with cron jobs

Access Applications in a Cluster

Accessing Clusters

Communicate Between Containers in the Same Pod Using a Shared Volume

Configure Access to Multiple Clusters

Configure Your Cloud Provider's Firewalls

Connect a Front End to a Back End Using a Service

Create an External Load Balancer

List All Container Images Running in a Cluster

Provide Load-Balanced Access to an Application in a Cluster

Use Port Forwarding to Access Applications in a Cluster

Use a Service to Access an Application in a Cluster

Web UI (Dashboard)

Monitor, Log, and Debug

Application Introspection and Debugging

Auditing

Core metrics pipeline

Debug Init Containers

Debug Pods and Replication Controllers

Debug Services

Debug a StatefulSet

Determine the Reason for Pod Failure

Developing and debugging services locally

Events in Stackdriver

Get a Shell to a Running Container

Logging Using Elasticsearch and Kibana

Logging Using Stackdriver

Monitor Node Health

Tools for Monitoring Compute, Storage, and Network Resources

Troubleshoot Applications

Troubleshoot Clusters

Troubleshooting

Extend Kubernetes

Configure the aggregation layer

Extend the Kubernetes API with CustomResourceDefinitions

Extend the Kubernetes API with ThirdPartyResources

Migrate a ThirdPartyResource to CustomResourceDefinition

Setup an extension API server

Use an HTTP Proxy to Access the Kubernetes API

TLS

Certificate Rotation

Manage TLS Certificates in a Cluster

Federation - Run an App on Multiple Clusters

Cross-cluster Service Discovery using Federated Services

Set up Cluster Federation with Kubefed

Set up CoreDNS as DNS provider for Cluster Federation

Set up placement policies in Federation

Manage Cluster Daemons

Perform a Rolling Update on a DaemonSet

Performing a Rollback on a DaemonSet

Extend Kubernetes

Install Service Catalog using Helm

Install Service Catalog using SC

Federation - Run an App on Multiple Clusters

Federated Horizontal Pod Autoscalers (HPA)

Federated Ingress

Federated Jobs

Federated Namespaces

Federated ReplicaSets

Federated Secrets

Edit This Page

Using Sysctls in a Kubernetes Cluster

This document describes how sysctls are used within a Kubernetes cluster.

Before you begin
Listing all Sysctl Parameters
Enabling Unsafe Sysctls
Setting Sysctls for a Pod
PodSecurityPolicy Annotations

Before you begin

You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using Minikube, or you can use one of these Kubernetes playgrounds:

To check the version, enter kubectl version.

Listing all Sysctl Parameters

In Linux, the sysctl interface allows an administrator to modify kernel parameters at runtime. Parameters are available via the /proc/sys/ virtual process file system. The parameters cover various subsystems such as:

kernel (common prefix: kernel.)
networking (common prefix: net.)
virtual memory (common prefix: vm.)
MDADM (common prefix: dev.)
More subsystems are described in Kernel docs.

To get a list of all parameters, you can run

$ sudo sysctl -a

Enabling Unsafe Sysctls

Sysctls are grouped into safe and unsafe sysctls. In addition to proper namespacing a safe sysctl must be properly isolated between pods on the same node. This means that setting a safe sysctl for one pod

must not have any influence on any other pod on the node
must not allow to harm the node’s health
must not allow to gain CPU or memory resources outside of the resource limits of a pod.

By far, most of the namespaced sysctls are not necessarily considered safe. The following sysctls are supported in the safe set:

kernel.shm_rmid_forced,
net.ipv4.ip_local_port_range,
net.ipv4.tcp_syncookies.

Note: The example net.ipv4.tcp_syncookies is not namespaced on Linux kernel version 4.4 or lower.

This list will be extended in future Kubernetes versions when the kubelet supports better isolation mechanisms.

All safe sysctls are enabled by default.

All unsafe sysctls are disabled by default and must be allowed manually by the cluster admin on a per-node basis. Pods with disabled unsafe sysctls will be scheduled, but will fail to launch.

With the warning above in mind, the cluster admin can allow certain unsafe sysctls for very special situations like e.g. high-performance or real-time application tuning. Unsafe sysctls are enabled on a node-by-node basis with a flag of the kubelet, e.g.:

$ kubelet --experimental-allowed-unsafe-sysctls \
  'kernel.msg*,net.ipv4.route.min_pmtu' ...

For minikube, this can be done via the extra-config flag:

$ minikube start --extra-config="kubelet.AllowedUnsafeSysctls=kernel.msg*,net.ipv4.route.min_pmtu"...

Only namespaced sysctls can be enabled this way.

Setting Sysctls for a Pod

A number of sysctls are namespaced in today’s Linux kernels. This means that they can be set independently for each pod on a node. Being namespaced is a requirement for sysctls to be accessible in a pod context within Kubernetes.

The following sysctls are known to be namespaced:

kernel.shm*,
kernel.msg*,
kernel.sem,
fs.mqueue.*,
net.*.

Sysctls which are not namespaced are called node-level and must be set manually by the cluster admin, either by means of the underlying Linux distribution of the nodes (e.g. via /etc/sysctls.conf) or using a DaemonSet with privileged containers.

The sysctl feature is an alpha API. Therefore, sysctls are set using annotations on pods. They apply to all containers in the same pod.

Here is an example, with different annotations for safe and unsafe sysctls:

apiVersion: v1
kind: Pod
metadata:
  name: sysctl-example
  annotations:
    security.alpha.kubernetes.io/sysctls: kernel.shm_rmid_forced=1
    security.alpha.kubernetes.io/unsafe-sysctls: net.ipv4.route.min_pmtu=1000,kernel.msgmax=1 2 3
spec:
  ...

Warning: Due to their nature of being unsafe, the use of unsafe sysctls is at-your-own-risk and can lead to severe problems like wrong behavior of containers, resource shortage or complete breakage of a node.

It is good practice to consider nodes with special sysctl settings as tainted within a cluster, and only schedule pods onto them which need those sysctl settings. It is suggested to use the Kubernetes taints and toleration feature to implement this.

A pod with the unsafe sysctls will fail to launch on any node which has not enabled those two unsafe sysctls explicitly. As with node-level sysctls it is recommended to use taints and toleration feature or taints on nodes to schedule those pods onto the right nodes.

PodSecurityPolicy Annotations

The use of sysctl in pods can be controlled via annotation on the PodSecurityPolicy.

Sysctl annotation represents a whitelist of allowed safe and unsafe sysctls in a pod spec. It’s a comma-separated list of plain sysctl names or sysctl patterns (which end in *). The string * matches all sysctls.

Here is an example, it authorizes binding user creating pod with corresponding sysctls.

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: sysctl-psp
  annotations:
    security.alpha.kubernetes.io/sysctls: 'net.ipv4.route.*,kernel.msg*'
spec:
 ...

Create an Issue Edit this Page