Rename "Enabling Unsafe Sysctls" section

A section called "Enabling Unsafe Sysctls" sounds dangerous when trying
to tell someone that `net.ipv4.ip_unprivileged_port_start` is
considered a _safe_ sysctl in current Kubernetes versions. The overall
explanation of safe and unsafe sysctls should be renamed to something more
generic, and the later subsection about how to actually enable unsafe sysctls
can retain the pre-existing section name.
Valters Jansons 2023-02-20 20:09:13 +00:00
parent c539208a0b
commit 2a77eefafd
1 changed files with 4 additions and 2 deletions

@ -53,9 +53,9 @@ To get a list of all parameters, you can run
sudo sysctl -a
```
## Enabling Unsafe Sysctls
## Safe and Unsafe Sysctls
Sysctls are grouped into _safe_ and _unsafe_ sysctls. In addition to proper
Kubernetes classes sysctls as either _safe_ or _unsafe_. In addition to proper
namespacing, a _safe_ sysctl must be properly _isolated_ between pods on the
same node. This means that setting a _safe_ sysctl for one pod
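
Review bot: in the rewritten opening sentence, "Kubernetes classes sysctls as either _safe_ or _unsafe_" uses "classes" as a verb, which reads as a noun on first pass; "classifies" or "groups" would be clearer. Separately, if the site generates anchors from heading text, renaming this `##` heading while a `###` with the old title is added further down means existing links to the old anchor will land in the enablement subsection instead of this overview, so inbound links are worth checking.
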
@ -80,6 +80,8 @@ The example `net.ipv4.tcp_syncookies` is not namespaced on Linux kernel version
This list will be extended in future Kubernetes versions when the kubelet
supports better isolation mechanisms.
### Enabling Unsafe Sysctls
All _safe_ sysctls are enabled by default.
All _unsafe_ sysctls are disabled by default and must be allowed manually by the
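
Review bot: the new "### Enabling Unsafe Sysctls" heading sits directly above "All _safe_ sysctls are enabled by default.", so a subsection about enabling unsafe sysctls opens with a statement about safe ones. Consider moving the heading below that sentence so the subsection starts at "All _unsafe_ sysctls are disabled by default and must be allowed manually", leaving the safe-default statement with the overview text above.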