Add support for slash as sysctl separator to Pod securityContext field and to PodSecurityPolicy #106834
/test pull-kubernetes-e2e-gce-ubuntu-containerd
/sig api-machinery
/remove-sig api-machinery
2d8bdca to c89d219
c89d219 to 787f058
Thanks for your suggestion, it has been changed.
There are few articles on the Internet about Linux sysctl separators, so I also checked the source code of the Linux kernel to verify. The Linux kernel supports sysctl:
ref:
sysctl has also used the conversion between slash and dot separators for at least 10 years. I found the source code of procps-ng sysctl; the earliest version I could find is 3.3.0, and the conversion between . and / was already implemented at that time, at least 10 years ago (maybe earlier, but I can't find source code further back).
I think the kernel versions generally used now are greater than version 1.35.7, and the bottom layer of the kernel supports sysctl names including slashes. As far as my own understanding goes, the Linux kernel ultimately needs to convert dots into slashes to find files under /proc/sys, so it must support slashes. The runc code opencontainers/runc@f7d1401 only adds namespace verification to sysctl and then uses a syscall to call sysctl, in 2015. The runc code just adds namespace verification to sysctl and then calls sysctl. runc 1.1.0 allows slashes in sysctl names, to better match
In order to be compatible with runc versions which do not support slashes to separate namespaces and keys, I have converted the slashes into dot separators before the kubelet calls runc.
So I don't think it has an effect on k8s already using
/milestone v1.25
05af97f to 9566465
9566465 to 5fca111
/retest
/lgtm
/approve
for API changes
/hold for one comment on the e2e test
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liggitt, mengjiao-liu, mrunalp The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/hold cancel
/test pull-kubernetes-e2e-kind
What type of PR is this?
/kind feature
What this PR does / why we need it:
Starting from Kubernetes version 1.23, the kubelet supports the use of either / or . as separators for sysctl names. For example, you can represent the same sysctl name as kernel.shm_rmid_forced using a period as the separator, or as kernel/shm_rmid_forced using a slash as the separator. For more details on how sysctl parameter names are converted, please refer to the sysctl.d(5) page from the Linux man-pages project.
In 1.25, use relaxed validation everywhere; in other words, Pod SecurityContext and PodSecurityPolicy can support slash as the sysctl separator. I also added the corresponding e2e test.
Ref #102393 (comment)
Which issue(s) this PR fixes:
Fixes #102373
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
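The separator handling described in the PR description above, and in the author's earlier comment about converting slashes to dots before the kubelet calls runc, as an added example in Go that is not part of this PR or of Kubernetes. It resolves a sysctl name written in either form to the file under /proc/sys by the sysctl.d(5) rule (the first separator decides: slash-first names are kept as written, dot-first names have dots and slashes interchanged), produces the dot-separated form that older runc releases expect, and refuses names whose components would escape /proc/sys. The function names, the allowed-character policy, and the sample names other than kernel.shm_rmid_forced are assumptions of this example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// swapSeparators interchanges '.' and '/' in a sysctl name.
func swapSeparators(name string) string {
	return strings.Map(func(r rune) rune {
		switch r {
		case '.':
			return '/'
		case '/':
			return '.'
		}
		return r
	}, name)
}

// toDotForm normalizes a sysctl name to the dot-separated form that older
// runc releases expect. Per sysctl.d(5), a slash-first name is already in
// "path" form, so swapping separators yields the equivalent dot form (a dot
// inside a component, e.g. the interface name "enp3s0.200", becomes a slash).
// A dot-first name is returned unchanged.
func toDotForm(name string) string {
	i := strings.IndexAny(name, "./")
	if i == -1 || name[i] == '.' {
		return name
	}
	return swapSeparators(name)
}

// sysctlToProcPath resolves either form to the file under /proc/sys that the
// kernel exposes, rejecting names that would escape that directory.
func sysctlToProcPath(name string) (string, error) {
	if name == "" {
		return "", fmt.Errorf("empty sysctl name")
	}
	// Assumed character policy for this example: stricter than what the kernel
	// accepts, but enough to refuse whitespace and shell metacharacters.
	for _, r := range name {
		ok := r == '.' || r == '/' || r == '_' || r == '-' ||
			(r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9')
		if !ok {
			return "", fmt.Errorf("sysctl name %q contains disallowed character %q", name, r)
		}
	}
	i := strings.IndexAny(name, "./")
	if i == -1 {
		return "", fmt.Errorf("sysctl name %q has no separator", name)
	}
	rel := name
	if name[i] == '.' {
		rel = swapSeparators(name) // dot-first: dots become the path separators
	}
	// Empty, "." and ".." components are the ones that could change which
	// file is opened; refuse them outright instead of letting path.Join fold them.
	for _, comp := range strings.Split(rel, "/") {
		if comp == "" || comp == "." || comp == ".." {
			return "", fmt.Errorf("sysctl name %q has an invalid path component %q", name, comp)
		}
	}
	full := path.Join("/proc/sys", rel)
	if !strings.HasPrefix(full, "/proc/sys/") { // defense in depth; components were checked above
		return "", fmt.Errorf("sysctl name %q escapes /proc/sys", name)
	}
	return full, nil
}

func main() {
	// Constructed sample names: both spellings of the PR's example, a name with
	// a dotted interface component, and a traversal attempt that must be refused.
	for _, n := range []string{
		"kernel.shm_rmid_forced",
		"kernel/shm_rmid_forced",
		"net/ipv4/conf/enp3s0.200/forwarding",
		"net.ipv4.conf.enp3s0/200.forwarding",
		"kernel/../../etc/passwd",
	} {
		p, err := sysctlToProcPath(n)
		fmt.Printf("%-40s dot=%-40s path=%s err=%v\n", n, toDotForm(n), p, err)
	}
}
```

The two spellings of each name resolve to the same /proc/sys path, and the interface-name case shows why a blanket "replace every slash with a dot" is not enough: net/ipv4/conf/enp3s0.200/forwarding has to become net.ipv4.conf.enp3s0/200.forwarding to stay reversible, which is the behaviour sysctl.d(5) specifies.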