init container "sysctl: error setting key 'net.ipv4.ip_local_port_range': Read-only file system"

10/14/2020

I am trying to remove privileged mode from the init container; when I set privileged: false, I am getting the above error. I had set readOnlyRootFilesystem: false and the lines below at the pod securityContext level

  securityContext:
    sysctls:
    - name: net.ipv4.ip_local_port_range
      value: 0 65535
-- sacboy
containers
kubernetes
podsecuritypolicy
sysctl

1 Answer

10/15/2020

The problem is that you cannot run sysctl without the privileged mode for security reasons. This is expected since docker restricts access to /proc and /sys.

In order for this to work you need to use the privileged mode for the init container and then either:


  securityContext:
    sysctls:
    - name: kernel.shm_rmid_forced
      value: "0"
    - name: net.core.somaxconn
      value: "1024"
    - name: kernel.msgmax
      value: "65536"
  • Use PodSecurityPolicy to control which sysctls can be set in pods by specifying lists of sysctls or sysctl patterns in the forbiddenSysctls and/or allowedUnsafeSysctls fields of the PodSecurityPolicy. For example:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: sysctl-psp
spec:
  allowedUnsafeSysctls:
  - kernel.msg*
  forbiddenSysctls:
  - kernel.shm_rmid_forced

Notice that:

If you allow unsafe sysctls via the allowedUnsafeSysctls field in a PodSecurityPolicy, any pod using such a sysctl will fail to start if the sysctl is not allowed via the --allowed-unsafe-sysctls kubelet flag as well on that node.

  • You can also set a limited number of sysctls on a container-local basis with docker run --sysctl.

I also recommend going through the whole linked documentation, as caution is advised because use of unsafe sysctls is at your own risk and can lead to severe problems like wrong behavior of containers, resource shortage or complete breakage of a node.

-- Wytrzymały Wiktor
Source: StackOverflow
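To see how the PodSecurityPolicy fields from the answer combine, here is an added Python check (editor's example, not Kubernetes code and not from the answer) that mirrors the documented admission precedence: forbiddenSysctls wins, sysctls on the kubelet's safe list are allowed by default, and anything else needs a match in allowedUnsafeSysctls. It assumes the safe list as of Kubernetes 1.18 and feeds in the PSP and the sysctls quoted on this page as constructed input.

```python
"""Mirror of PodSecurityPolicy sysctl admission rules (added example, not Kubernetes code)."""
from typing import Dict, List, Tuple

# Sysctls Kubernetes treats as "safe": namespaced and isolated, so they cannot affect other pods.
# Assumption: this is the safe list as of Kubernetes 1.18; later releases extend it.
SAFE_SYSCTLS = frozenset({
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
})


def matches(pattern: str, name: str) -> bool:
    """PSP pattern semantics: an exact name, or a prefix ending in '*' (e.g. 'kernel.msg*')."""
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return pattern == name


def evaluate_sysctl(name: str, psp: Dict[str, List[str]]) -> Tuple[bool, str]:
    """Decide whether one entry of pod.spec.securityContext.sysctls passes the PSP."""
    if any(matches(p, name) for p in psp.get("forbiddenSysctls", [])):
        return False, "forbidden by forbiddenSysctls (applies even to safe sysctls)"
    if name in SAFE_SYSCTLS:
        return True, "safe sysctl, allowed by default"
    if any(matches(p, name) for p in psp.get("allowedUnsafeSysctls", [])):
        # Admission passes, but the node's kubelet must also carry --allowed-unsafe-sysctls
        # for this name, otherwise the pod fails to start on that node.
        return True, "unsafe but listed in allowedUnsafeSysctls (kubelet flag also required)"
    return False, "unsafe sysctl not listed in allowedUnsafeSysctls"


def evaluate_pod(pod_sysctls: List[Dict[str, str]], psp: Dict[str, List[str]]) -> Dict[str, Tuple[bool, str]]:
    """Evaluate every sysctl in a pod securityContext against the PSP; dict preserves pod order."""
    return {s["name"]: evaluate_sysctl(s["name"], psp) for s in pod_sysctls}


# Constructed input: the PSP from the answer, plus the sysctls from the question and the answer.
SYSCTL_PSP = {"allowedUnsafeSysctls": ["kernel.msg*"], "forbiddenSysctls": ["kernel.shm_rmid_forced"]}
POD_SYSCTLS = [
    {"name": "net.ipv4.ip_local_port_range", "value": "0 65535"},
    {"name": "kernel.shm_rmid_forced", "value": "0"},
    {"name": "net.core.somaxconn", "value": "1024"},
    {"name": "kernel.msgmax", "value": "65536"},
]

if __name__ == "__main__":
    for sysctl_name, (allowed, reason) in evaluate_pod(POD_SYSCTLS, SYSCTL_PSP).items():
        print(f"{'ALLOW' if allowed else 'DENY '} {sysctl_name}: {reason}")
```

Run as-is it prints that only net.ipv4.ip_local_port_range (safe) and kernel.msgmax (matches kernel.msg*) would be admitted, while kernel.shm_rmid_forced is rejected by forbiddenSysctls and net.core.somaxconn is rejected as an unlisted unsafe sysctl.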