I set up a k8s cluster using microk8s. I wonder how to change the default TCP keep-alive value in the Pod. When I apply the YAML file, it gives me an allowedUnsafeSysctls error:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: input-adaptor-deployment
  namespace: mgr-ns
spec:
  replicas: 1
  selector:
    matchLabels:
      component: input-adaptor
  template:
    metadata:
      labels:
        component: input-adaptor
    spec:
      securityContext:
        sysctls:
          - name: net.ipv4.tcp_keepalive_intvl
            value: "45"
          - name: net.ipv4.tcp_keepalive_probes
            value: "15"
          - name: net.ipv4.tcp_keepalive_time
            value: "120"
      containers:
        - name: input-adaptor
          image: registry.development.gitlab/food/input-adaptor
          resources:
            requests:
              memory: '16Mi'
              cpu: '100m'
            limits:
              memory: '80Mi'
              cpu: '500m'
          ports:
            - containerPort: 5003
      imagePullSecrets:
        - name: registry-credentials-gitlab
CodePudding user response:
You need to enable unsafe sysctl settings. See the docs here:
https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
There is also some good information in this answer:
Error: Flag --allowed-unsafe-sysctls has been deprecated
Note, you basically need to configure k8s to allow unsafe sysctl settings, i.e. by allowing them you acknowledge that you understand the consequences.
CodePudding user response:
As mentioned in the document, you need to enable unsafe sysctl settings to fix your error:
Sysctls are grouped into safe and unsafe sysctls. In addition to proper namespacing, a safe sysctl must be properly isolated between pods on the same node. All safe sysctls are enabled by default. All unsafe sysctls are disabled by default and must be allowed manually by the cluster admin on a per-node basis. Pods with disabled unsafe sysctls will be scheduled, but will fail to launch.
The following example demonstrates how to set the operating system TCP keep-alive parameters with an interval value of one minute:
sudo /sbin/sysctl -w net.ipv4.tcp_keepalive_time=60 net.ipv4.tcp_keepalive_intvl=60 net.ipv4.tcp_keepalive_probes=5
To ensure that the settings survive a reboot, add the settings to your /etc/sysctl.conf file.
Refer to the link for more information.
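Both answers say the three keep-alive sysctls must be allowed on the node before the Pod can set them. The script below is an added example, not code from either answer or from the microk8s project: it builds the kubelet allow-list flag for exactly the sysctls in the question's Deployment, writes it idempotently into the node's kubelet args file, and reads the effective values back from inside a running pod. It assumes the microk8s layout where kubelet flags live one per line in /var/snap/microk8s/current/args/kubelet and that `microk8s stop && microk8s start` restarts the kubelet; the file path, the `apply` argument and the function names are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the answers above): allow the three keep-alive
# sysctls from the question on a microk8s node, then check them from a pod.
# Assumptions: microk8s keeps kubelet flags one per line in
# /var/snap/microk8s/current/args/kubelet, and "microk8s stop && microk8s start"
# restarts the kubelet. Adjust both for a different distribution.
set -eu

WANTED_SYSCTLS="net.ipv4.tcp_keepalive_time net.ipv4.tcp_keepalive_intvl net.ipv4.tcp_keepalive_probes"
ARGS_FILE="${ARGS_FILE:-/var/snap/microk8s/current/args/kubelet}"

# Print the kubelet flag for the given sysctl names: sorted, de-duplicated,
# comma-separated, e.g. --allowed-unsafe-sysctls=a,b
allowed_sysctls_flag() {
  printf '%s\n' "$@" | sort -u | tr '\n' ',' | sed 's/,$//; s/^/--allowed-unsafe-sysctls=/'
}

# Put exactly one line for the flag into a kubelet args file (idempotent:
# an existing --allowed-unsafe-sysctls= line is replaced, other flags kept).
ensure_flag_in_args() {
  file=$1
  flag=$2
  name=${flag%%=*}
  tmp="$file.tmp.$$"
  {
    if [ -f "$file" ]; then grep -v "^$name=" "$file" || true; fi
    printf '%s\n' "$flag"
  } > "$tmp"
  mv "$tmp" "$file"
}

# Read the effective values from inside a running pod's network namespace;
# reads /proc so it also works in images that ship no sysctl binary.
verify_pod_sysctls() {
  ns=$1
  pod=$2
  microk8s kubectl -n "$ns" exec "$pod" -- sh -c \
    'for f in tcp_keepalive_time tcp_keepalive_intvl tcp_keepalive_probes; do
       echo "net.ipv4.$f=$(cat /proc/sys/net/ipv4/$f)"; done'
}

FLAG=$(allowed_sysctls_flag $WANTED_SYSCTLS)
echo "kubelet flag needed on every node that may run the pod: $FLAG"

# Only touch the node when run as: sudo sh allow-sysctls.sh apply
if [ "${1:-}" = "apply" ]; then
  ensure_flag_in_args "$ARGS_FILE" "$FLAG"
  microk8s stop && microk8s start
  echo "re-apply the Deployment, then run: verify_pod_sysctls mgr-ns <pod-name>"
fi
```

The flag has to be present on every node the Pod may be scheduled to; as the quoted docs say, a Pod lands on a node without it and then fails to start, which is the error the question shows. The `--allowed-unsafe-sysctls` flag is deprecated in favour of the `allowedUnsafeSysctls` list in a KubeletConfiguration file, and both accept the same comma-separated names (a trailing `*` allows a prefix such as `net.ipv4.*`; keep the list to the exact names you need). Allowing a sysctl only lifts the kubelet's own check: these `net.ipv4.*` values are applied per pod network namespace, so they do not leak to other pods, but a Pod Security Admission policy at the `baseline` level still rejects any sysctl outside the built-in safe set.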