Description of problem:
After creating a pod with a sysctls value and then editing 'security.alpha.kubernetes.io/sysctls', the value can be changed but does not take effect; this annotation should be immutable.

Version-Release number of selected component (if applicable):
fork_ami_openshift3_clusterinfra_public_178_299

How reproducible:
Always

Steps to Reproduce:
1. Create a pod with safe sysctls:
   oc create -f https://raw.githubusercontent.com/mdshuai/testfile-openshift/master/sysctls/pod-sysctl-safe.yaml
2. When the pod is running, check that the safe value works:
   [root@dhcp-128-7 dma]# oc get pod
   NAME        READY     STATUS    RESTARTS   AGE
   hello-pod   1/1       Running   0          32s
   [root@dhcp-128-7 dma]# oc exec hello-pod -- cat /proc/sys/kernel/shm_rmid_forced
   1
3. Update 'security.alpha.kubernetes.io/sysctls: kernel.shm_rmid_forced=0':
   [root@dhcp-128-7 dma]# oc patch pod hello-pod -p '{"metadata":{"annotations":{"security.alpha.kubernetes.io/sysctls":"kernel.shm_rmid_forced=0"}}}'
   "hello-pod" patched
   [root@dhcp-128-7 dma]# oc get pod hello-pod -o json|grep shm_rmid_forced
   "security.alpha.kubernetes.io/sysctls": "kernel.shm_rmid_forced=0"
4. Check the sysctls value again in the container:
   [root@dhcp-128-7 dma]# oc exec hello-pod -- cat /proc/sys/kernel/shm_rmid_forced
   1

Actual results:
3. The sysctls value is updated successfully.
4. The value is still the same as in step 2.

Expected results:
3. The update should report that sysctls are immutable.

Additional info:
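The reproduction above shows the practical consequence: the annotation can be patched freely, but the kernel value inside the container stays whatever was applied at admission, so the annotation stops describing the pod. The following is an added example, not part of the bug report and not OpenShift's or Kubernetes' own tooling: a POSIX shell check that parses the annotation's comma-separated name=value list and compares it with the effective values read from /proc/sys, flagging any drift. All function names (sysctl_path, read_effective, compare_sysctls, check_pod) are the example's own; check_pod assumes a reachable cluster and the oc CLI and is not exercised offline, while the sample annotation and observed values used below are constructed to mirror steps 2 to 4 of the report. (Later Kubernetes releases moved sysctls into pod.spec.securityContext.sysctls, which as part of the spec is rejected on update; this check targets the annotation form discussed here.)

```shell
#!/bin/sh
# Added example (not from the bug report): detect drift between the
# security.alpha.kubernetes.io/sysctls annotation and the values actually
# in effect inside the container. The annotation is only read at
# admission, so a patched annotation silently diverges from the pod.

# sysctl_path NAME -> /proc/sys path for a dotted sysctl name
sysctl_path() {
  printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr '.' '/')"
}

# read_effective POD NAME -> value of NAME as seen inside POD's first
# container. Needs a reachable cluster and oc; not exercised offline.
read_effective() {
  oc exec "$1" -- cat "$(sysctl_path "$2")"
}

# compare_sysctls ANNOTATION OBSERVED
#   ANNOTATION: annotation value, "name=value,name=value"
#   OBSERVED:   newline-separated "name=value" lines of effective values
# Prints one OK/DRIFT/MISSING line per entry; exit 0 if all OK, else 1.
compare_sysctls() {
  annotation=$1
  observed=$2
  rc=0
  old_ifs=$IFS
  IFS=','
  set -- $annotation          # split on commas only; values may hold spaces
  IFS=$old_ifs
  for entry in "$@"; do
    # strip whitespace around the entry, skip empty entries
    entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    [ -n "$entry" ] || continue
    name=${entry%%=*}
    want=${entry#*=}
    # exact-match lookup of the effective value (dots in names are literal)
    have=$(printf '%s\n' "$observed" |
      awk -F= -v k="$name" '$1==k {print substr($0, length(k)+2); exit}')
    if [ -z "$have" ]; then
      echo "MISSING $name: annotation=$want, no effective value read"
      rc=1
    elif [ "$have" != "$want" ]; then
      echo "DRIFT $name: annotation=$want effective=$have"
      rc=1
    else
      echo "OK $name=$have"
    fi
  done
  return $rc
}

# check_pod POD -> read the live annotation and the effective values from
# the running container, then compare them. Cluster access assumed.
check_pod() {
  pod=$1
  ann=$(oc get pod "$pod" \
    -o jsonpath='{.metadata.annotations.security\.alpha\.kubernetes\.io/sysctls}')
  observed=''
  old_ifs=$IFS; IFS=','; set -- $ann; IFS=$old_ifs
  for entry in "$@"; do
    name=$(printf '%s' "${entry%%=*}" | sed 's/^[[:space:]]*//')
    [ -n "$name" ] || continue
    observed="$observed$name=$(read_effective "$pod" "$name")
"
  done
  compare_sysctls "$ann" "$observed"
}

# Usage: sh sysctl-drift.sh hello-pod
if [ $# -eq 1 ]; then
  check_pod "$1"
fi
```

Run against the pod from the report after step 3 and the script prints a DRIFT line for kernel.shm_rmid_forced (annotation 0, effective 1) and exits non-zero; before the patch it prints OK and exits 0. Because the comparison is a pure function of two strings, it can also be fed values collected by other means (for example a node-side read of the container's /proc/sys) without a cluster connection.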
Good point. Do we have that for other alpha features like seccomp or AppArmor?
The seccomp annotations can also be edited now; they should be immutable as well.
Here is a corresponding upstream issue where (among other things) mutable annotations are discussed: https://github.com/kubernetes/kubernetes/issues/30819. This cannot be solved for sysctls alone.
This is working as designed. The annotations are evaluated when the pod is received by the system. Changes to them do not take effect.