Bug 1917442 - Unable to set protectKernelDefaults
Summary: Unable to set protectKernelDefaults
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node Tuning Operator
Version: 4.7
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: ---
Assignee: Jiří Mencák
QA Contact: Mike Fiedler
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-01-18 13:50 UTC by Juan Antonio Osorio
Modified: 2021-01-18 15:13 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-01-18 15:13:19 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Juan Antonio Osorio 2021-01-18 13:50:25 UTC 
Description of problem:

Setting the `protectKernelDefaults` kubelet argument as adviced by the CIS benchmark is non-trivial.

Initially, I tried to do this with a MachineConfig-based two-step approach that I documented here: https://jaosorior.dev/2020/protectkerneldefaults-in-openshift/

However, I was recently adviced that this should really be done with the Node Tuning Operator instead.

The idea being that I would create a profile that would set the relevant sysctls that the kubelet needs to start. I would then set the kubelet parameter with a `KubeletConfig` object and it "should work"


Version-Release number of selected component (if applicable):
4.7 & 4.6

Steps to Reproduce:
1. Spawn a cluster and get credentials for it
2. Create the following objects:
---
apiVersion: tuned.openshift.io/v1
kind: Tuned
metadata:
  name: kubelet-defaults
  namespace: openshift-cluster-node-tuning-operator
spec:
  profile:
  - data: |
      [main]
      summary=Defaults for running OpenShift nodes

      [sysctl]
      kernel.keys.root_maxbytes=25000000
      kernel.keys.root_maxkeys=1000000
      kernel.panic=10
      kernel.panic_on_oops=1
      vm.overcommit_memory=1
      vm.panic_on_oom=0
    name: openshift-kubelet-defaults
  recommend:
  - match:
    - label: node-role.kubernetes.io/master
    - label: node-role.kubernetes.io/worker
    - label: node-role.kubernetes.io/infra
    operand:
      debug: false
    priority: 75
    profile: openshift-kubelet-defaults
---
apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
  name: master-protect-kernel-defaults
spec:
  machineConfigPoolSelector:
    matchLabels:
      pools.operator.machineconfiguration.openshift.io/master: ""
  kubeletConfig:
    protectKernelDefaults: true
---
apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
  name: worker-protect-kernel-defaults
spec:
  machineConfigPoolSelector:
    matchLabels:
      pools.operator.machineconfiguration.openshift.io/worker: ""
  kubeletConfig:
    protectKernelDefaults: true

Actual results:
The MachineConfigOperator start rolling in the changes but the nodes never come up (the kubelet crashes as the sysctl's haven't been set by the operator as they should).

Expected results:
The nodes come up with the relevant parameters set.

Additional info:
If this is expected... then we should document the two-step approach that I mentioned in the blog-post.
Comment 1 Jiří Mencák 2021-01-18 15:13:19 UTC 
Thank you for your report, however, this is not NTO's bug.  NTO is responsible for wrapping around and enabling the Tuned daemon
to run in the OpenShift environment and achieve as much compatibility with its functionality as possible.

Your report is a feature request and those are handled by Jira cards.  However, based on Ryan's comment in
https://bugzilla.redhat.com/show_bug.cgi?id=1898933#c3 , #c6
and looking into this a bit more, we believe there is not much to gain in terms of security by implementing this
as you'll still have to use CAP_SYS_ADMIN by the kubelet and a lot to lose in terms of complexity and potential issues
already pointed out in 1898933.
Note You need to log in before you can comment on or make changes to this bug.