From 2a77eefafdec52ec9a7e2eea0dd48ead418ecc1f Mon Sep 17 00:00:00 2001 From: Valters Jansons Date: Mon, 20 Feb 2023 20:09:13 +0000 Subject: [PATCH] Rename "Enabling Unsafe Sysctls" section Section called "Enabling Unsafe Sysctls" sounds dangerous, when trying to tell someone that `net.ipv4.ip_unprivileged_port_start` is considered a _safe_ sysctl in current Kubernetes versions. The overall explanation of safe and unsafe sysctls should be renamed more generic, and later subsection about how to actually enable unsafes can retain the pre-existing section name. --- content/en/docs/tasks/administer-cluster/sysctl-cluster.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/content/en/docs/tasks/administer-cluster/sysctl-cluster.md b/content/en/docs/tasks/administer-cluster/sysctl-cluster.md index a66ca9319b..390a92ae62 100644 --- a/content/en/docs/tasks/administer-cluster/sysctl-cluster.md +++ b/content/en/docs/tasks/administer-cluster/sysctl-cluster.md @@ -53,9 +53,9 @@ To get a list of all parameters, you can run sudo sysctl -a ``` -## Enabling Unsafe Sysctls +## Safe and Unsafe Sysctls -Sysctls are grouped into _safe_ and _unsafe_ sysctls. In addition to proper +Kubernetes classes sysctls as either _safe_ or _unsafe_. In addition to proper namespacing, a _safe_ sysctl must be properly _isolated_ between pods on the same node. This means that setting a _safe_ sysctl for one pod @@ -80,6 +80,8 @@ The example `net.ipv4.tcp_syncookies` is not namespaced on Linux kernel version This list will be extended in future Kubernetes versions when the kubelet supports better isolation mechanisms. +### Enabling Unsafe Sysctls + All _safe_ sysctls are enabled by default. All _unsafe_ sysctls are disabled by default and must be allowed manually by the
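Review bot: In the first hunk (`@@ -53,9 +53,9 @@`), the reworded opening sentence "Kubernetes classes sysctls as either _safe_ or _unsafe_" uses "classes" as a verb, which reads as a noun on first pass. "Kubernetes classifies sysctls as either _safe_ or _unsafe_" says the same thing without the stumble. The following sentence still begins "In addition to proper namespacing, a _safe_ sysctl must be properly _isolated_", so the new heading "Safe and Unsafe Sysctls" matches the paragraph's content and needs no further change.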
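Review bot: In the second hunk (`@@ -80,6 +80,8 @@`), the new `### Enabling Unsafe Sysctls` heading sits directly above "All _safe_ sysctls are enabled by default.", so a subsection about enabling unsafe sysctls opens with a statement about safe ones. Consider leaving that sentence above the heading, next to "This list will be extended in future Kubernetes versions", and starting the subsection at "All _unsafe_ sysctls are disabled by default and must be allowed manually". That way a reader who lands on this heading sees the disabled-by-default posture first.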