Is it possible to enable net.ipv4.ip_forward on a container's network namespace?
Manual
From the host, I can enable it manually with
sudo nsenter -t \
$(docker inspect --format '{{.State.Pid}}' $CONTAINER_NAME) \
-n sysctl -w net.ipv4.ip_forward=1
and confirm that forwarding begins working within the container.
Is there a way to do this automatically whilst avoiding privileged containers?
In case of some sysctl parameters yes; net.* is namespaced, so net.ipv4.ip_forward can be enabled per Pod (per container).
Follow the Using Sysctls in a Kubernetes Cluster guide for details and gotchas.
While net is namespaced, not all sysctl variables can be set in a namespace. Some simply await a "namespacify" patch, but others will possibly never get implemented. In the specific example of net.ipv4 one could browse include/net/netns/ipv4.h to see what is supported at the moment. Such support of course depends on the actual kernel version.
In case you wanted to "empirically" verify whether sysctl (the actual kernel facility, not the tool) supports a particular variable, you could do something like this (as root):
# cat /proc/sys/net/ipv4/ip_forward
1
# unshare --net sysctl -w net.ipv4.ip_forward=0
net.ipv4.ip_forward = 0
# cat /proc/sys/net/ipv4/ip_forward
1
As you can see, sysctl (the tool) running in a new namespace could set net.ipv4.ip_forward=0, and that did not affect the parent namespace.
An example of a variable that can't be set in a namespace (no support for it at the moment):
# cat /proc/sys/net/ipv4/icmp_msgs_burst
50
# unshare --net sysctl -w net.ipv4.icmp_msgs_burst=42
sysctl: cannot stat /proc/sys/net/ipv4/icmp_msgs_burst: No such file or directory
An example of a variable that is not namespaced would be vm.nr_hugepages. This variable exists in namespaces, but the vm subsystem itself is not namespaced (setting this variable will affect all processes):
# sysctl vm.nr_hugepages
vm.nr_hugepages = 0
# unshare sysctl vm.nr_hugepages=1
vm.nr_hugepages = 1
# sysctl vm.nr_hugepages
vm.nr_hugepages = 1
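The three manual checks in the answer follow one procedure: read the value in the parent namespace, attempt the write inside a fresh namespace, then read the parent again. The script below is an added example (not part of the original answer or of any project) that generalises that procedure into a small probe and classifies the outcome. It assumes root, util-linux unshare and the procps sysctl tool; the outcome labels ("namespaced", "unsupported-in-namespace", "global", "absent") are my own naming for the cases the answer shows. Unlike the hugepages run above, it restores the parent value when a write turns out to be global, so probing does not leave host-wide state changed.

```python
"""Probe whether a sysctl key is namespaced, unsupported inside a new namespace,
or global, using the same three-step check the answer performs by hand."""
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

PROC_SYS = Path("/proc/sys")


@dataclass(frozen=True)
class Observation:
    """What the three steps of the manual check returned for one key."""
    key: str
    parent_before: Optional[str]   # value read in the parent namespace; None if the key is absent
    child_write_ok: bool           # did 'sysctl -w' succeed inside the new namespace?
    parent_after: Optional[str]    # value read in the parent namespace after the write


def classify(obs: Observation) -> str:
    """Map an observation onto the outcomes shown in the answer (labels are mine)."""
    if obs.parent_before is None:
        return "absent"                      # key does not exist on this kernel at all
    if not obs.child_write_ok:
        return "unsupported-in-namespace"    # like net.ipv4.icmp_msgs_burst: no file in the new netns
    if obs.parent_after != obs.parent_before:
        return "global"                      # like vm.nr_hugepages: the child write leaked to the parent
    return "namespaced"                      # like net.ipv4.ip_forward: parent value untouched


def sysctl_path(key: str) -> Path:
    """net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward"""
    return PROC_SYS.joinpath(*key.split("."))


def probe(key: str, new_value: str, unshare_flag: str = "--net") -> Observation:
    """Run the real experiment (needs root, util-linux 'unshare', procps 'sysctl')."""
    path = sysctl_path(key)
    if not path.exists():
        return Observation(key, None, False, None)
    before = path.read_text().strip()
    if new_value == before:
        # A write that does not change the value cannot tell "namespaced"
        # apart from "global"; the caller must pick a different value.
        raise ValueError(f"{key}: choose a new_value different from the current {before!r}")
    result = subprocess.run(
        ["unshare", unshare_flag, "sysctl", "-w", f"{key}={new_value}"],
        capture_output=True, text=True, check=False,
    )
    after = path.read_text().strip()
    if after != before:
        path.write_text(before)   # undo the host-wide change we just made
    return Observation(key, before, result.returncode == 0, after)


if __name__ == "__main__":
    # The same three keys the answer tests by hand. '--net' is harmless for
    # vm.nr_hugepages: there is no vm namespace to unshare in the first place.
    for key, value in [("net.ipv4.ip_forward", "0"),
                       ("net.ipv4.icmp_msgs_burst", "42"),
                       ("vm.nr_hugepages", "1")]:
        try:
            obs = probe(key, value)
            print(f"{key}: {classify(obs)}  {obs}")
        except (ValueError, PermissionError, FileNotFoundError) as exc:
            print(f"{key}: could not probe: {exc}")
```

Run it as root on the kernel you care about; the classification is only as good as that kernel, since, as the answer notes, which net.* keys are namespaced changes between versions.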