
Add sysctl support #34

Closed
16 of 20 tasks
sttts opened this issue Jul 20, 2016 · 77 comments · Fixed by #2613
Assignees
Labels
kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API sig/node Categorizes an issue or PR as relevant to SIG Node. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team
Milestone

Comments

@sttts
Contributor

sttts commented Jul 20, 2016

Description

This feature aims at extending the current pod specification with support
for namespaced kernel parameters (sysctls) set for each pod.

Scope of work planned for v1.11

  • graduate to beta

Progress Tracker

  • Before Alpha
  • Before Beta
    • Testing is sufficient for beta
    • User docs with tutorials
      • Updated walkthrough / tutorial in the docs repo: kubernetes/kubernetes.github.io
      • cc @kubernetes/docs on docs: Promote sysctls to Beta website#8804
      • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
    • Thorough API review
      • cc @kubernetes/api
  • Before Stable
    • docs/proposals/foo.md moved to docs/design/foo.md
      • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
    • Soak, load testing
    • detailed user docs and examples
      • cc @kubernetes/docs
      • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off

FEATURE_STATUS is used for feature tracking and to be updated by @kubernetes/feature-reviewers.
FEATURE_STATUS: IN_DEVELOPMENT

More advice:

Design

  • Once you get LGTM from a @kubernetes/feature-reviewers member, you can check this checkbox, and the reviewer will apply the "design-complete" label.

Coding

  • Use as many PRs as you need. Write tests in the same or different PRs, as is convenient for you.
  • As each PR is merged, add a comment to this issue referencing the PRs. Code goes in the http://github.com/kubernetes/kubernetes repository,
    and sometimes http://github.com/kubernetes/contrib, or other repos.
  • When you are done with the code, apply the "code-complete" label.
  • When the feature has user docs, please add a comment mentioning @kubernetes/feature-reviewers and they will
    check that the code matches the proposed feature and design, and that everything is done, and that there is adequate
    testing. They won't do detailed code review: that already happened when your PRs were reviewed.
    When that is done, you can check this box and the reviewer will apply the "code-complete" label.

Docs

  • Write user docs and get them merged in.
  • User docs go into http://github.com/kubernetes/kubernetes.github.io.
  • When the feature has user docs, please add a comment mentioning @kubernetes/docs.
  • When you get LGTM, you can check this checkbox, and the reviewer will apply the "docs-complete" label.
@idvoretskyi idvoretskyi added this to the v1.4 milestone Jul 20, 2016
@idvoretskyi idvoretskyi added the sig/node Categorizes an issue or PR as relevant to SIG Node. label Aug 4, 2016
k8s-github-robot pushed a commit to kubernetes/kubernetes that referenced this issue Aug 25, 2016
Automatic merge from submit-queue

Add sysctl support

Implementation of proposal #26057, feature  kubernetes/enhancements#34

TODO:
- [x] change types.go
- [x] implement docker and rkt support
- [x] add e2e tests
- [x] decide whether we want apiserver validation
- ~~[ ] add documentation~~: api docs exist. Existing PodSecurityContext docs are very light and link back to the api docs anyway: https://github.com/kubernetes/kubernetes.github.io/blob/6684555ed9e3121388d30e9c49ac6556ef0241e0/docs/user-guide/security-context.md
- [x] change PodSecurityPolicy in types.go
- [x] write admission controller support for PodSecurityPolicy
- [x] write e2e test for PodSecurityPolicy
- [x] make sure we are compatible in the sense of https://github.com/kubernetes/kubernetes/blob/master/docs/devel/api_changes.md
- [x] test e2e with rkt: it only works with kubenet, not with the no-op network plugin. The latter has no sysctl support.
- ~~[ ] add RunC implementation~~ (~~if that is already in kube,~~ it isn't)
- [x] update whitelist
- [x] switch PSC fields to annotations
- [x] switch PSP fields to annotations
- [x] decide about `--experimental-whitelist-sysctl` flag to be additive or absolute
- [x] decide whether to add a sysctl node whitelist annotation

### Release notes:

```release-note
The pod annotation `security.alpha.kubernetes.io/sysctls` now allows customization of namespaced and well isolated kernel parameters (sysctls), starting with `kernel.shm_rmid_forced`, `net.ipv4.ip_local_port_range`, `net.ipv4.tcp_max_syn_backlog` and `net.ipv4.tcp_syncookies` for Kubernetes 1.4.

The pod annotation  `security.alpha.kubernetes.io/unsafeSysctls` allows customization of namespaced sysctls where isolation is unclear. Unsafe sysctls must be enabled at-your-own-risk on the kubelet with the `--experimental-allowed-unsafe-sysctls` flag. Future versions will improve on resource isolation and more sysctls will be considered safe.
```
@sttts
Contributor Author

sttts commented Sep 1, 2016

@kubernetes/docs here are the sysctl docs: kubernetes/website#1126

@sttts
Contributor Author

sttts commented Sep 1, 2016

/cc @kubernetes/feature-reviewers

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 2, 2018
@sttts sttts added the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Jan 2, 2018
@sttts
Contributor Author

sttts commented Mar 9, 2018

There are a number of people using sysctls now. I have not heard any issues with them.

I suggest promoting the current API (transformed to native fields in the PSP and on pods) to beta for 1.11.

@jeremyeder @vishh @derekwaynecarr @php-coder

@kubernetes/sig-node-api-reviews

@k8s-ci-robot k8s-ci-robot added the kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API label Mar 9, 2018
@sttts sttts modified the milestones: v1.4, v1.11 Mar 21, 2018
@jeremyeder

Thanks, @sttts!

@derekwaynecarr
Member

@sttts it needs a feature gate.

from node side, it would be @sjenning who could help push this in sig-node. will sync w/ @dchen1107 next week. we discussed this briefly in last weeks sig-node.

@sttts
Contributor Author

sttts commented Mar 21, 2018

@derekwaynecarr in the kubelet not much would change code-wise. But of course we need a "go" from the node team that they think using sysctls is safe enough for beta. Note that graduation to beta does not say anything about extending the list of safe sysctls.

It's already feature gated. As beta we would switch the default to true. Doesn't look like we had a feature gate sjenning/kubernetes@f4f7220

@justaugustus
Member

@sttts
Any plans for this in 1.11?

If so, can you please ensure the feature is up-to-date with the appropriate:

  • Description
  • Milestone
  • Assignee(s)
  • Labels:
    • stage/{alpha,beta,stable}
    • sig/*
    • kind/feature

cc @idvoretskyi

@php-coder
Contributor

@sttts Do we need to wait until pod annotations become fields or it doesn't block us from graduating it to beta?

@liggitt
Member

liggitt commented Apr 17, 2018

@sttts Do we need to wait until pod annotations become fields or it doesn't block us from graduating it to beta?

yes, they need to become fields

@justaugustus
Member

@php-coder @liggitt so just to clarify, no work planned for 1.11?
Also, would you mind updating the description to fit the new feature description template?

@sttts
Contributor Author

sttts commented Apr 17, 2018

@justaugustus promotion to beta is discussed in sig-node /cc @derekwaynecarr

@sjenning
Contributor

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 23, 2018
@pacoxu
Member

pacoxu commented Feb 8, 2021

We may update it.
/remove-lifecycle rotten

Graduation Criteria:

  • API changes allowing the pod-scoped sysctls to be configured via the spec.securityContext field (cancelled)
  • Promote --experimental-allowed-unsafe-sysctls kubelet flag to kubelet config api option
  • feature gate enabled by default
  • e2e tests promote WIP
  • documentation

Some discussion in
https://docs.google.com/document/d/1FbThdQQVNPISNjK4IEqfliuRCA6pLbUiayb3OASOXHA/edit?usp=sharing

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Feb 8, 2021
@arunmk

arunmk commented Feb 8, 2021

Hi @pacoxu @ehashman

Enhancements Freeze is 2 days away, Feb 9th EOD PST

Enhancements team is aware that KEP update is currently in progress (as per comment). Please make sure to work on PRR questionnaires and requirements and get it merged before the freeze. For PRR related questions or to boost the PR for PRR review, please reach out in slack #prod-readiness

The KEP looks good.

Any enhancements that do not complete the following requirements by the freeze will require an exception.

[DONE] The KEP must be merged in an implementable state: state is currently provisional
[DONE] The KEP must have test plans
[DONE] The KEP must have graduation criteria
[DONE] The KEP must have a production readiness review: needs file under https://github.com/kubernetes/enhancements/tree/master/keps/prod-readiness/sig-node

EDIT: updated status in place. Thanks for the update @ehashman .

@ehashman
Member

ehashman commented Feb 8, 2021

I will try to get the KEP doc updated today.

@ehashman
Member

ehashman commented Feb 9, 2021

@arunmk this is now good to go for 1.21

@arunmk

arunmk commented Feb 9, 2021

Thanks @ehashman . I am looking at it now and will update the status in-place.

@arunmk

arunmk commented Feb 20, 2021

Hi @ehashman, @pacoxu,

Since your Enhancement is scheduled to be in 1.21, please keep in mind the important upcoming dates:

  • Tuesday, March 9th: Week 9 - Code Freeze
  • Tuesday, March 16th: Week 10 - Docs Placeholder PR deadline
    • If this enhancement requires new docs or modification to existing docs, please follow the steps in the Open a placeholder PR doc to open a PR against k/website repo.

As a reminder, please link all of your k/k PR(s) and k/website PR(s) to this issue so we can track them.

Thanks!

@pacoxu
Member

pacoxu commented Feb 20, 2021

I will work on the flag promotion today:

Read the historical implementation and summarize this feature:

  1. 1.4 added security.alpha.kubernetes.io/unsafe-sysctls annotation support; moved to client-go annotation_key_constants.go in 1.7, moved to pkg/api/ annotation_key_constants.go in 1.8, moved to pkg/apis/core/ in 1.9-1.10.
  2. 1.11 Promote sysctl annotations to fields kubernetes#63717 Promote sysctl annotations to fields. Add feature gate sysctls, meanwhile, the kubelet "experimental-allowed-unsafe-sysctls" promote to "allowed-unsafe-sysctls".
  3. 1.14 Remove Sysctls feature gate from validation kubernetes#72752 Moves feature gate checking of Sysctls out of validation into strategy utility methods, and avoids dropping data on update.
  4. 1.16 kubelet: add allowed sysctl to KubeletConfiguration kubernetes#72974 by @sjenning: kubelet: add allowed sysctl to KubeletConfiguration (add support in kubeadm as well)
  5. 1.21 GA and lock to true: Graduate sysctls to GA  kubernetes#99158
  6. 1.23 Remove the feature gate.
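The release note in the commit message earlier in this thread and the history summary above describe the same model: a short list of safe namespaced sysctls that any pod may set, an "unsafe" set that a node must opt into through the kubelet flag (`--experimental-allowed-unsafe-sysctls`, later `--allowed-unsafe-sysctls` and a KubeletConfiguration field), and the move of the pod-side request from an annotation to `spec.securityContext.sysctls` fields. The following is an added example, not Kubernetes code and not from this issue, that implements that admission decision so it can be run against a constructed pod. The four safe sysctls are the ones the 1.4 release note lists; the namespaced-sysctl prefixes and the rule that a pod sharing the host's network or IPC namespace cannot set sysctls for that namespace are taken from the Kubernetes sysctl documentation rather than from this thread and are simplified; the comma-separated `name=value` annotation syntax and the `*` suffix for allowlist patterns are assumptions stated in the code.

```python
"""Pod sysctl admission check: an added example modelled on the safe/unsafe
split described in this issue. Not Kubernetes code."""
import re
from typing import Dict, List, Optional, Sequence, Set, Tuple

# The four sysctls the 1.4 release note in this thread lists as safe.
SAFE_SYSCTLS = frozenset({
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_max_syn_backlog",
    "net.ipv4.tcp_syncookies",
})

# Prefixes of kernel-namespaced sysctls and the namespace each lives in.
# Assumption: taken from the Kubernetes sysctl documentation, not from this
# issue, and simplified.
NAMESPACED_PREFIXES = (
    ("kernel.shm", "ipc"),
    ("kernel.msg", "ipc"),
    ("kernel.sem", "ipc"),
    ("fs.mqueue.", "ipc"),
    ("net.", "net"),
)

# Simplified sysctl name syntax: dotted lowercase tokens.
SYSCTL_NAME_RE = re.compile(r"^[a-z0-9_]+(\.[a-z0-9_-]+)+$")


def namespace_of(name: str) -> Optional[str]:
    """Return 'ipc' or 'net' for a namespaced sysctl, None if it is node-wide."""
    for prefix, ns in NAMESPACED_PREFIXES:
        if name.startswith(prefix):
            return ns
    return None


def build_allowlist(patterns: Sequence[str]) -> Tuple[Set[str], Tuple[str, ...]]:
    """Compile a kubelet-style allowed-unsafe-sysctls list.

    Assumption: entries are exact names or prefix patterns ending in '*'.
    An entry that is not namespaced is a configuration error, because such a
    sysctl can never be set per pod; refuse it instead of silently ignoring it.
    """
    exact: Set[str] = set()
    prefixes: List[str] = []
    for pattern in patterns:
        base = pattern[:-1] if pattern.endswith("*") else pattern
        if namespace_of(base) is None:
            raise ValueError(f"{pattern!r} is not known to be namespaced")
        if pattern.endswith("*"):
            prefixes.append(base)
        else:
            exact.add(pattern)
    return exact, tuple(prefixes)


def admit_pod_sysctls(sysctls: Sequence[Dict[str, str]], allowed_unsafe: Sequence[str],
                      host_network: bool = False, host_ipc: bool = False) -> Tuple[bool, List[str]]:
    """Decide whether a pod's spec.securityContext.sysctls may run on this node.

    Returns (admitted, reasons); reasons is empty when admitted.
    """
    exact, prefixes = build_allowlist(allowed_unsafe)
    reasons: List[str] = []
    for entry in sysctls:
        name = entry["name"]
        if not SYSCTL_NAME_RE.match(name):
            reasons.append(f"{name}: malformed sysctl name")
            continue
        ns = namespace_of(name)
        if ns is None:
            reasons.append(f"{name}: not namespaced, must be set on the node")
            continue
        # A pod sharing the host's namespace would change the host's setting.
        if ns == "net" and host_network:
            reasons.append(f"{name}: net sysctl not allowed with hostNetwork")
            continue
        if ns == "ipc" and host_ipc:
            reasons.append(f"{name}: ipc sysctl not allowed with hostIPC")
            continue
        if name in SAFE_SYSCTLS:
            continue
        if name in exact or any(name.startswith(p) for p in prefixes):
            continue  # unsafe, but this node has opted in
        reasons.append(f"{name}: unsafe sysctl not in the node's allowed-unsafe-sysctls list")
    return (not reasons, reasons)


def parse_sysctl_annotation(value: str) -> List[Dict[str, str]]:
    """Convert the pre-1.11 annotation value into the field form.

    Assumption: the annotation carried comma-separated 'name=value' pairs.
    """
    out: List[Dict[str, str]] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"expected name=value, got {item!r}")
        name, _, val = item.partition("=")
        out.append({"name": name.strip(), "value": val.strip()})
    return out


if __name__ == "__main__":
    # Constructed pod: one safe sysctl, one unsafe one the node allows via pattern.
    pod_sysctls = [{"name": "net.ipv4.tcp_syncookies", "value": "1"},
                   {"name": "kernel.msgmax", "value": "65536"}]
    print(admit_pod_sysctls(pod_sysctls, ["kernel.msg*"]))
    print(admit_pod_sysctls(pod_sysctls, []))
```

Two design points worth noting for anyone writing a similar gate: the allowlist is validated when it is built, so a typo like `vm.*` fails loudly at kubelet start rather than being accepted and never matching; and the host-namespace check runs before the safe-list check, so even a "safe" sysctl is refused when the pod would be writing to the host's own network or IPC namespace. In a real cluster the per-node allowlist is the `allowedUnsafeSysctls` field of KubeletConfiguration (the field added in item 4 above).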

@arunmk

arunmk commented Mar 2, 2021

Hi @pacoxu,

Enhancements team is currently tracking the following PR

With the PR merged, can we mark this enhancement complete for code freeze or do you have other PR(s) that are being worked on as part of the release?

Thanks

@ehashman
Member

ehashman commented Mar 2, 2021

@arunmk currently @wgahnagl is checking if we need to promote e2e tests to conformance as a result of the GA. There are no other code changes.

I'll see about the documentation changes for GA. @pacoxu do you want to take that on or should I find someone else?

@pacoxu
Member

pacoxu commented Mar 3, 2021

@ehashman
I will update sysctls docs next week if no one is working on it.

@arunmk

arunmk commented Mar 6, 2021

Hi @ehashman, @wgahnagl,

Could you mention if there is going to be a PR for the e2e tests? Code freeze is on 3/9 and it should make it by then. If it's not going to come in this KEP can be marked done.

Thanks!

@arunmk

arunmk commented Mar 6, 2021

(Adding this as a note sent to all)

Hi @ehashman @wgahnagl,

A friendly reminder that Code freeze is 3 days away, March 9th EOD PST

Any enhancements that are NOT code complete by the freeze will be removed from the milestone and will require an exception to be added back.

Please also keep in mind that if this enhancement requires new docs or modification to existing docs, you'll need to follow the steps in the Open a placeholder PR doc to open a PR against k/website repo by March 16th EOD PST

Thanks!

@ehashman
Member

ehashman commented Mar 8, 2021

Hi @arunmk,

There is a PR for the e2es, however those aren't required to merge by code freeze, they will follow the test freeze deadline. Code changes are complete.

kubernetes/kubernetes#99734

@tengqm

tengqm commented Mar 10, 2021

@ehashman @pacoxu Please open a placeholder PR in k/website for tracking. Thanks.

@pacoxu
Member

pacoxu commented Mar 10, 2021

@tengqm I opened kubernetes/website#26981 for tracking.

@annajung
Contributor

annajung commented Apr 8, 2021

Hi @ehashman, @pacoxu

Can you update the kep.yaml to reflect a status of implemented:

Once that merges, we can close out this issue.

@pacoxu
Member

pacoxu commented Apr 8, 2021

Fine

@JamesLaverack JamesLaverack added tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team and removed tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team labels Apr 25, 2021
howardjohn pushed a commit to howardjohn/enhancements that referenced this issue Oct 21, 2022
…ubernetes#34)

* Add feature page for following feature: Istio Authorizatio [Beta]

* Update authorization.md

Add link to blog: Large Scale Security Policy Performance Tests