You can set sysctls on pods using the pod’s securityContext. The securityContext
applies to all containers in the same pod.
Safe sysctls are allowed by default. A pod with unsafe sysctls fails to launch on any node unless the cluster administrator explicitly enables unsafe sysctls for that node. As with node-level sysctls, use the taints and toleration feature or labels on nodes to schedule those pods onto the right nodes.
The following example uses the pod securityContext to set a safe sysctl
kernel.shm_rmid_forced and two unsafe sysctls, net.ipv4.route.min_pmtu and
kernel.msgmax. There is no distinction between safe and unsafe sysctls in
the specification.
|
Warning
|
To avoid destabilizing your operating system, modify sysctl parameters only after you understand their effects. |
To use safe and unsafe sysctls:
-
Modify the YAML file that defines the pod and add the
securityContextspec, as shown in the following example:apiVersion: v1 kind: Pod metadata: name: sysctl-example spec: securityContext: sysctls: - name: kernel.shm_rmid_forced value: "0" - name: net.ipv4.route.min_pmtu value: "552" - name: kernel.msgmax value: "65536" ...
-
Create the pod:
$ oc apply -f <file-name>.yaml
If the unsafe sysctls are not allowed for the node, the pod is scheduled, but does not deploy:
$ oc get pod NAME READY STATUS RESTARTS AGE hello-pod 0/1 SysctlForbidden 0 14s