Bug | Resolution: Unresolved | Normal | None | 4.14 | Moderate | None | False
Description of problem:
The official 4.14 documentation lists net.ipv4.tcp_keepalive_time as a safe sysctl, but the kubelet in 4.14 actually treats it as unsafe.
Version-Release number of selected component (if applicable):
ocp 4.14
How reproducible:
Create a pod in the OCP 4.14 environment with the following pod-level securityContext:

```yaml
securityContext:
  sysctls:
  - name: net.ipv4.tcp_keepalive_time
    value: '300'
```
Steps to Reproduce:
1. OCP 4.14
2. Create a pod in the OCP 4.14 environment using the manifest below
3. Reference yaml file:

```yaml
# cat sysctl.yaml
apiVersion: v1
kind: Pod
metadata:
  name: sysctl-example-safe-unsafe
spec:
  containers:
  - name: podexample
    image: registry.redhat.io/openshift4/ose-cli
    command: ["bin/bash", "-c", "sleep INF"]
    securityContext:
      runAsUser: 2000
      runAsGroup: 3000
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
  securityContext:
    seccompProfile:
      type: RuntimeDefault
    sysctls:
    - name: net.ipv4.tcp_keepalive_time
      value: '300'
```
Actual results:

```
$ oc get pod
NAME                         READY   STATUS            RESTARTS   AGE
sysctl-example-safe-unsafe   0/1     SysctlForbidden   0          35m

$ oc describe pod sysctl-example-safe-unsafe
Events:
  Type     Reason           Age   From               Message
  ----     ------           ---   ----               -------
  Normal   Scheduled        35m   default-scheduler  Successfully assigned yawei-test/sysctl-example-safe-unsafe to ip-10-0-47-53.ap-northeast-1.compute.internal
  Warning  SysctlForbidden  35m   kubelet            forbidden sysctl: "net.ipv4.tcp_keepalive_time" not allowlisted
```
Expected results:
The pod is created normally without a permission error.
Additional info:
Checking upstream, this was added in k8s 1.29, and the corresponding OCP version is 4.16. I tested it in the 4.16 environment and it can be used normally. https://github.com/kubernetes/kubernetes/pull/118846
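The behaviour described above is a version-dependent allowlist in the kubelet: a sysctl requested in `spec.securityContext.sysctls` is accepted only if it is on the kubelet's built-in safe list for that Kubernetes minor, or is explicitly allowlisted through the kubelet's `allowedUnsafeSysctls` setting. The following preflight check is an added example, not code from the bug report or from OpenShift; it encodes the upstream safe list as I know it (the 1.29 additions are the ones from the PR linked above), assumes OCP 4.14 ships k8s 1.27, and uses a constructed manifest that mirrors the reproducer.

```python
"""Preflight check: will the kubelet accept a pod's requested sysctls
without allowlisting? Reproduces the SysctlForbidden decision offline."""
from typing import Dict, Iterable, List, Tuple

# sysctl name -> first Kubernetes minor whose kubelet treats it as safe.
# (1, 0) marks entries that have been safe since sysctl support landed.
# Source: upstream kubelet safe list as known to the author of this example.
SAFE_SYSCTL_SINCE: Dict[str, Tuple[int, int]] = {
    "kernel.shm_rmid_forced": (1, 0),
    "net.ipv4.ip_local_port_range": (1, 0),
    "net.ipv4.tcp_syncookies": (1, 0),
    "net.ipv4.ping_group_range": (1, 18),
    "net.ipv4.ip_unprivileged_port_start": (1, 22),
    "net.ipv4.ip_local_reserved_ports": (1, 27),
    "net.ipv4.tcp_keepalive_time": (1, 29),   # kubernetes/kubernetes#118846
    "net.ipv4.tcp_fin_timeout": (1, 29),      # same PR
    "net.ipv4.tcp_keepalive_intvl": (1, 29),  # same PR
    "net.ipv4.tcp_keepalive_probes": (1, 29), # same PR
}

# OpenShift release -> bundled Kubernetes minor. 4.16 -> 1.29 is stated in
# the bug; 4.14 -> 1.27 is an assumption of this example.
OCP_TO_K8S: Dict[str, Tuple[int, int]] = {"4.14": (1, 27), "4.16": (1, 29)}

def _allowlisted(name: str, patterns: Iterable[str]) -> bool:
    """Match like the kubelet: exact name, or a trailing '*' prefix pattern."""
    return any(name == p or (p.endswith("*") and name.startswith(p[:-1]))
               for p in patterns)

def forbidden_sysctls(pod: dict, k8s: Tuple[int, int],
                      allowed_unsafe: Iterable[str] = ()) -> List[str]:
    """Names in spec.securityContext.sysctls the kubelet would reject with
    SysctlForbidden: not safe for this version and not in allowedUnsafeSysctls."""
    requested = pod.get("spec", {}).get("securityContext", {}).get("sysctls", [])
    rejected = []
    for entry in requested:
        name = entry["name"]
        since = SAFE_SYSCTL_SINCE.get(name)
        safe = since is not None and k8s >= since
        if not safe and not _allowlisted(name, allowed_unsafe):
            rejected.append(name)
    return rejected

# Constructed manifest mirroring the reproducer in the bug report.
POD = {"apiVersion": "v1", "kind": "Pod",
       "metadata": {"name": "sysctl-example-safe-unsafe"},
       "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"},
                "sysctls": [{"name": "net.ipv4.tcp_keepalive_time", "value": "300"}]}}}

if __name__ == "__main__":
    for ocp, k8s in OCP_TO_K8S.items():
        print(ocp, "->", forbidden_sysctls(POD, k8s) or "all sysctls accepted")
```

Running it reports the keepalive sysctl as forbidden for 4.14 and accepted for 4.16, which matches the observed behaviour; passing the name (or a `net.ipv4.*` pattern) as `allowed_unsafe` shows what a kubelet allowlist would change on 4.14.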