Bug 1898933
| Summary: | set "protectKernelDefaults" by default to "true" | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Juan Antonio Osorio <josorior> |
| Component: | Node | Assignee: | Ryan Phillips <rphillips> |
| Node sub component: | Kubelet | QA Contact: | Sunil Choudhary <schoudha> |
| Status: | CLOSED NOTABUG | Docs Contact: | |
| Severity: | medium | | |
| Priority: | unspecified | CC: | aos-bugs, knewcome, mkalinin, rphillips, sreber, travier |
| Version: | 4.7 | Keywords: | Reopened |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-11-23 14:30:40 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Juan Antonio Osorio
2020-11-18 10:54:43 UTC
I do not believe we should do this. There are other authoritative components in the system that set the kernel defaults. RHCOS and Node Tuning Operator are the documented components to be changing sysctl tunables.

But, wouldn't they still be able to do this since they're handled by CRI-O? CRI-O wouldn't be limited by this flag. On the other hand, `ProtectKernelTunables=true` is merely a code flag for the kubelet not to try to set those defaults. Real protection against such changes should be done on the systemd side by changing the kubelet's service unit.

Currently, Kubelet sets the sysctls to what it needs to start up. I do not believe we would enable this option since it creates a dependency on the correct sysctls to be installed on the system. Setting the sysctls on Metal or bring-your-own RHEL would require user intervention to make sure the settings were configured correctly. Upgrades from older versions of Openshift could potentially break as well. If the sysctls would be delivered via the hyperkube rpm, and installed via the systemd unit, this would be feasible and work even in BYO-RHEL environments.

I think that shipping the right sysctl values in an RPM for them to be applied at boot time by systemd is more reliable and discoverable than relying on the kubelet setting them later from a list hardcoded in code. This is even more interesting in the RHCOS case where are exist only to set good defaults for OCP. So even if the systemd restrictions and the kubelet config changes were not to be kept (and left for CIS benchmarks users to easily apply via a MC), I think setting the sysctls in an RPM is an improvement.

There are two values that are set by the kubelet that are not the default:

Nov 23 15:05:56 test1-hdrwh-bootstrap hyperkube[2223]: I1123 15:05:56.874595 2223 container_manager_linux.go:437] Updating kernel flag: vm/overcommit_memory, expected value: 1, actual value: 0
Nov 23 15:05:56 test1-hdrwh-bootstrap hyperkube[2223]: I1123 15:05:56.874694 2223 container_manager_linux.go:437] Updating kernel flag: kernel/panic, expected value: 10, actual value: 0

Making each customer do the work of figuring out which sysctl to set to which value and updating them for each OCP release to have them meet external security requirements is not a great user experience. I think we should do that by default in RHCOS so that it's set to a good default value and tested in CI.

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
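The discussion above turns on one practical point: if `protectKernelDefaults` is enabled, the kubelet refuses to start unless the host already carries the values it would otherwise set, so whoever ships the sysctls (RPM, MachineConfig, sysctl.d drop-in) needs a way to confirm the host matches before flipping the flag. The script below is an added example written for this page, not code from the bug report, OpenShift or the kubelet. It takes the two values quoted from the kubelet log (vm.overcommit_memory=1, kernel.panic=10) as the expected list, renders a sysctl.d drop-in for them (the file path `/etc/sysctl.d/90-kubelet.conf` is an assumed name), and checks a host against that list through a pluggable reader so the same check can run against `/proc/sys` on a real node or against the two constructed reader functions that simulate a stock host and a tuned host.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report): verify that a host already holds the
# sysctl values the kubelet expects before enabling protectKernelDefaults.

# Expected values, taken from the two kubelet log lines quoted in the bug.
KUBELET_SYSCTLS="vm.overcommit_memory=1
kernel.panic=10"

# Render the body of a sysctl.d drop-in carrying those values.
# Assumed destination (not from the page): /etc/sysctl.d/90-kubelet.conf
render_sysctl_dropin() {
  printf '# Kernel defaults the kubelet expects; applied at boot by systemd-sysctl\n'
  printf '%s\n' "$KUBELET_SYSCTLS"
}

# check_sysctls READER
#   READER is a function that prints the current value for a dotted sysctl key.
#   Prints one MISMATCH line per divergence, in the same shape as the kubelet
#   log ("expected X, actual Y"), and returns 1 if anything diverged.
check_sysctls() {
  reader="$1"
  status=0
  while IFS='=' read -r key want; do
    [ -n "$key" ] || continue
    have=$("$reader" "$key") || have="<unreadable>"
    if [ "$have" != "$want" ]; then
      printf 'MISMATCH %s: expected %s, actual %s\n' "$key" "$want" "$have"
      status=1
    fi
  done <<EOF
$KUBELET_SYSCTLS
EOF
  return $status
}

# Reader for a live host: vm.overcommit_memory -> /proc/sys/vm/overcommit_memory
read_proc_sysctl() {
  cat "/proc/sys/$(printf '%s' "$1" | tr . /)" 2>/dev/null
}

# Constructed reader simulating a host on stock kernel defaults, as in the
# quoted log (actual value 0 for both keys).
read_stock_defaults() {
  case "$1" in
    vm.overcommit_memory) echo 0 ;;
    kernel.panic) echo 0 ;;
    *) return 1 ;;
  esac
}

# Constructed reader simulating a host where the drop-in has been applied.
read_tuned_host() {
  case "$1" in
    vm.overcommit_memory) echo 1 ;;
    kernel.panic) echo 10 ;;
    *) return 1 ;;
  esac
}

# Stand-alone usage: check the machine this runs on.
if [ "${1:-}" = "--live" ]; then
  check_sysctls read_proc_sysctl && echo "host matches kubelet expectations"
fi
```

Run with `--live` on a node to see which keys the kubelet would currently have to rewrite; an empty result means the flag can be enabled without the kubelet failing on startup, while any MISMATCH line names the sysctl that the RPM or MachineConfig still has to deliver.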