We need to enable some sysctl parameters in kubernetes. This should be achievable with the below annotation in the Deployment.
annotations:
  security.alpha.kubernetes.io/unsafe-sysctls: net.ipv4.ip_local_port_range="10240 65535"
When doing so the container fails to start with the error:
Warning FailedCreatePodSandBox 8s (x12 over 19s) kubelet, <node> Failed create pod sandbox.
The solution looks to be to add this flag to the kubelet:
--experimental-allowed-unsafe-sysctls
which, for other flags, can be done under kubelet in
kops edit cluster
Does anyone know the correct way to do this, as it refuses to pick up the setting when I enter the flag there?
Thanks, Alex
As of 2020-05-18, the proper config is, for example:
kubelet:
  allowedUnsafeSysctls:
    - net.ipv4.ip_local_port_range="10240 65535"
In general, all KOPS config must be camelCased.
From here, KOPS 1.16.2+
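An added example (not kops or kubelet code) of a pre-flight check a cluster operator can run before rolling out a Deployment: it takes the allowlist as it would appear in the kops kubelet.allowedUnsafeSysctls setting and the sysctls requested in the alpha annotation, and reports which would be admitted. It models the kubelet rules as I understand them: a small built-in set of "safe" sysctls (net.ipv4.ip_local_port_range among them) needs no allowlist entry, and any other sysctl must match an allowlist entry that is either an exact name or a prefix pattern ending in "*"; the allowlist and annotation values below are constructed.

```python
from __future__ import annotations

# Namespaced sysctls kubelet treats as safe without an allowlist entry.
SAFE_SYSCTLS = frozenset({
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
})


def parse_sysctl_annotation(raw: str) -> list[tuple[str, str]]:
    """Split the alpha annotation format `name=value,name=value`; quotes
    around a value (as in the question's example) are stripped."""
    pairs = []
    for item in filter(None, (s.strip() for s in raw.split(","))):
        name, sep, value = item.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed sysctl entry: {item!r}")
        pairs.append((name.strip(), value.strip().strip("\"'")))
    return pairs


def allowed_by(pattern: str, name: str) -> bool:
    """Allowlist entries are exact names or prefix patterns ending in '*'."""
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return pattern == name


def check_sysctls(allowlist: list[str], raw_annotation: str) -> dict[str, str]:
    """Map each requested sysctl name to "safe", "allowed" or "rejected"."""
    verdicts = {}
    for name, _value in parse_sysctl_annotation(raw_annotation):
        if name in SAFE_SYSCTLS:
            verdicts[name] = "safe"
        elif any(allowed_by(p, name) for p in allowlist):
            verdicts[name] = "allowed"
        else:
            verdicts[name] = "rejected"  # pod sandbox creation would fail
    return verdicts


if __name__ == "__main__":
    # Constructed inputs: an allowlist as it would appear in the kops spec and
    # the question's annotation value plus two extra entries.
    allowlist = ["net.core.somaxconn", "net.ipv4.*"]
    annotation = ('net.ipv4.ip_local_port_range="10240 65535",'
                  "net.core.somaxconn=1024,kernel.msgmax=65536")
    for name, status in check_sysctls(allowlist, annotation).items():
        print(f"{status:8} {name}")
```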
I recently ran into this problem, and the issue was that ExperimentalAllowedUnsafeSysctls should be experimental_allowed_unsafe_sysctls in the kops config, like below:
kubelet:
  experimental_allowed_unsafe_sysctls:
    - net.core.somaxconn
I found this out by inspecting the componentconfig.go here: https://github.com/kubernetes/kops/blob/master/pkg/apis/kops/v1alpha2/componentconfig.go#L168
A fix for this was merged back in May, you can see the PR here: https://github.com/kubernetes/kops/pull/5104/files
You'd enable it with:
spec:
  kubelet:
    ExperimentalAllowedUnsafeSysctls:
      - 'net.ipv4.ip_local_port_range="10240 65535"'
It seems the flag takes a stringSlice, so you'd need to pass an array.
If that doesn't work, ensure you're using the right version of kops.