Pradeep

Reputation: 1252

Error setting sysctl parameters "net.ipv4.tcp_retries2" for a specific pod in the AKS cluster

I am working on a requirement wherein we want to update a specific kernel parameter, "net.ipv4.tcp_retries2", to "5" in a Kubernetes pod.

We are using an AKS cluster, v1.21.7.

I tried using securityContext to set the above sysctl parameter, but it failed:

  template:
    metadata:
      labels:
        app.kubernetes.io/name: weather-forecast-api
        app.kubernetes.io/instance: RELEASE-NAME
    spec:
      serviceAccountName: RELEASE-NAME-weather-forecast-api
      securityContext:
        sysctls:
        - name: net.ipv4.tcp_retries2
          value: "5"

When I applied the above changes in AKS, the pod failed to run and gave the error:

forbidden sysctl: "net.ipv4.tcp_retries2" not whitelisted

I know we can modify kernel-level settings at the kubelet level on a bare-bones Kubernetes cluster, but in my case it is a managed cluster from Azure.

Upvotes: 4

Views: 2989

Answers (3)

Shiva Patpi

Reputation: 397

The steps below resolved my issue (this is for setting the netIpv4TcpFinTimeOut value at the pod level):

  1. Created a config like the one below (named linuxconfig.json)
{
  "allowedUnsafeSysctls": [
    "net.*"
  ],
  "sysctls": {
    "netIpv4TcpFinTimeOut": 20
  }
}
  2. Added a node pool with --kubelet-config
az aks nodepool add --name nodepoolname --cluster-name clustername --resource-group resourcegroupname --kubelet-config ./linuxconfig.json
  3. Created the pod using the YAML below:
apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  securityContext:
    sysctls:
      - name: net.ipv4.tcp_fin_timeout
        value: "30"
  containers:
    - name: nginx
      image: nginx

Upvotes: 1

Togomi

Reputation: 167

I solved it by passing an argument to kubelet.

  1. Find the path of the kubelet configuration file
systemctl status kubelet

It gives the path where the kubelet configuration is located. In my case, it is /var/lib/kubelet/config.yaml

  2. Add the allowedUnsafeSysctls option

Add the allowedUnsafeSysctls option to the file.

apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
...
allowedUnsafeSysctls:
- "net.ipv4.tcp_retries2"
  3. Restart kubelet
systemctl restart kubelet

Done! But you should make sure that the pod is scheduled on the node whose kubelet configuration has been changed.

Upvotes: -1
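The error in the question and the allowedUnsafeSysctls entries in the two kubelet-config answers above both come down to one kubelet check: a pod-level sysctl is admitted only if it is in the kubelet's built-in safe set or matches an allowedUnsafeSysctls entry (an exact name, or a pattern ending in `*`), and never if the pod shares that sysctl's namespace with the host. The following Python model of that check is an added example, not kubelet code and not from any answer here; the pod spec, its image name and the safe-set contents are constructed/assumed for illustration.

```python
"""Model of the kubelet sysctl admission check (added example, not kubelet code).

Constructed to show why the pod in the question is rejected and what the
allowedUnsafeSysctls entries in the kubelet-config answers change.
"""
from typing import Dict, Iterable, List, Optional

# Sysctls the kubelet admits without any configuration (the "safe" set, as
# assumed here). Everything else is "unsafe" and needs an allowedUnsafeSysctls entry.
SAFE_SYSCTLS = frozenset({
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
})


def namespaced_by(name: str) -> Optional[str]:
    """Which kernel namespace a sysctl is scoped to: 'net', 'ipc', or None."""
    if name.startswith("net."):
        return "net"
    if name.startswith(("kernel.shm", "kernel.msg", "kernel.sem", "fs.mqueue.")):
        return "ipc"
    return None


class SysctlAllowlist:
    """Safe set plus the kubelet's allowedUnsafeSysctls patterns."""

    def __init__(self, allowed_unsafe: Iterable[str] = ()):
        self.exact = set(SAFE_SYSCTLS)
        self.prefixes = set()
        for pattern in allowed_unsafe:
            if pattern.endswith("*"):            # only a trailing '*' is a wildcard
                self.prefixes.add(pattern[:-1])  # "net.*" -> "net."
            else:
                self.exact.add(pattern)

    def validate(self, name: str, host_net: bool = False,
                 host_ipc: bool = False) -> Optional[str]:
        """Return the kubelet-style error for one sysctl, or None if admitted."""
        ns = namespaced_by(name)
        # A sysctl scoped to a namespace the pod shares with the host would
        # change the node itself, so it is refused regardless of the allowlist.
        if ns == "ipc" and host_ipc:
            return f'forbidden sysctl: "{name}" not allowed with host ipc enabled'
        if ns == "net" and host_net:
            return f'forbidden sysctl: "{name}" not allowed with host net enabled'
        if name in self.exact or any(name.startswith(p) for p in self.prefixes):
            return None
        return f'forbidden sysctl: "{name}" not whitelisted'

    def admit(self, pod: Dict) -> List[str]:
        """Validate every entry of spec.securityContext.sysctls of a pod."""
        spec = pod.get("spec", {})
        sysctls = spec.get("securityContext", {}).get("sysctls", [])
        host_net = bool(spec.get("hostNetwork", False))
        host_ipc = bool(spec.get("hostIPC", False))
        errors = []
        for entry in sysctls:
            err = self.validate(entry["name"], host_net, host_ipc)
            if err:
                errors.append(err)
        return errors


# Constructed pod spec mirroring the question's securityContext
# (image name is a placeholder, not from the question).
POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "weather-forecast-api"},
    "spec": {
        "securityContext": {
            "sysctls": [{"name": "net.ipv4.tcp_retries2", "value": "5"}],
        },
        "containers": [{"name": "api", "image": "example/weather-forecast-api"}],
    },
}

if __name__ == "__main__":
    print("default kubelet:  ", SysctlAllowlist().admit(POD))
    print("allow net.*:      ", SysctlAllowlist(["net.*"]).admit(POD))
    print("allow exact name: ", SysctlAllowlist(["net.ipv4.tcp_retries2"]).admit(POD))
```

With no allowlist the question's pod yields exactly the `not whitelisted` error; either `net.*` (the AKS answer) or the exact name (the kubelet.config.k8s.io answer) admits it. The broad `net.*` pattern admits every network sysctl on that node pool, so the exact name is the tighter choice when only one parameter is needed.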

gohm'c

Reputation: 15490

Use an init container to set it:

...
template:
  metadata:
    labels:
      app.kubernetes.io/name: weather-forecast-api
      app.kubernetes.io/instance: RELEASE-NAME
  spec:
    serviceAccountName: RELEASE-NAME-weather-forecast-api
    initContainers:
    - name: sysctl
      image: busybox
      securityContext:
        privileged: true
      command: ["sh", "-c", "sysctl -w net.ipv4.tcp_retries2=3"]
    ...

Upvotes: 8
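The init-container approach above works because `net.ipv4.tcp_retries2` is scoped to the pod's network namespace, which the privileged init container shares with the app container; it also bypasses the kubelet allowlist entirely, which is what a cluster operator reviewing manifests would want to notice. The following audit is an added example, not part of the answer: it flags privileged containers, runtime sysctl writes in their commands (and whether they are pod-scoped or node-wide), and pod-level sysctls outside the kubelet's safe set. The sample pods and the safe-set contents are constructed/assumed.

```python
"""Manifest audit for the sysctl workarounds in this thread (added example,
not from the answer above)."""
import re
from typing import Dict, List, Optional

# Kubelet's built-in safe set, as assumed here.
SAFE_SYSCTLS = frozenset({
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
})

# "sysctl -w a.b.c=1" and "echo 1 > /proc/sys/a/b/c" forms in a shell command.
SYSCTL_W = re.compile(r"sysctl\s+(?:-\w+\s+)*([\w.]+)=")
PROC_SYS = re.compile(r"/proc/sys/([\w/]+)")


def namespaced_by(name: str) -> Optional[str]:
    """'net' or 'ipc' for namespaced sysctls, None for node-wide ones."""
    if name.startswith("net."):
        return "net"
    if name.startswith(("kernel.shm", "kernel.msg", "kernel.sem", "fs.mqueue.")):
        return "ipc"
    return None


def runtime_sysctl_writes(container: Dict) -> List[str]:
    """Sysctl names a container's command/args try to set at runtime."""
    text = " ".join(container.get("command", []) + container.get("args", []))
    names = SYSCTL_W.findall(text)
    names += [p.replace("/", ".") for p in PROC_SYS.findall(text)]
    return sorted(set(names))


def audit_pod(pod: Dict) -> List[str]:
    """Return human-readable findings for one pod manifest (parsed to a dict)."""
    findings = []
    spec = pod.get("spec", {})
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    shared = {"net": bool(spec.get("hostNetwork")), "ipc": bool(spec.get("hostIPC"))}
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            where = f"{pod_name}: {field}/{c['name']}"
            if c.get("securityContext", {}).get("privileged"):
                findings.append(f"{where} is privileged")
            writes = runtime_sysctl_writes(c)
            if writes:
                # A namespaced sysctl only changes the pod unless that namespace
                # is shared with the host; anything else changes the node.
                scoped = all(namespaced_by(n) and not shared[namespaced_by(n)]
                             for n in writes)
                scope = "pod-scoped" if scoped else "node-wide"
                findings.append(f"{where} writes {', '.join(writes)} at runtime ({scope})")
    for s in spec.get("securityContext", {}).get("sysctls", []):
        if s["name"] not in SAFE_SYSCTLS:
            findings.append(f"{pod_name}: unsafe sysctl {s['name']} in securityContext "
                            "(needs allowedUnsafeSysctls)")
    return findings


# Constructed sample pods: the first mirrors the init-container workaround.
INIT_CONTAINER_POD = {
    "metadata": {"name": "weather-forecast-api"},
    "spec": {
        "initContainers": [{
            "name": "sysctl",
            "image": "busybox",
            "securityContext": {"privileged": True},
            "command": ["sh", "-c", "sysctl -w net.ipv4.tcp_retries2=3"],
        }],
        "containers": [{"name": "api", "image": "example/weather-forecast-api"}],
    },
}
CLEAN_POD = {
    "metadata": {"name": "clean"},
    "spec": {
        "securityContext": {"sysctls": [{"name": "net.ipv4.tcp_syncookies", "value": "1"}]},
        "containers": [{"name": "api", "image": "example/weather-forecast-api"}],
    },
}

if __name__ == "__main__":
    for pod in (INIT_CONTAINER_POD, CLEAN_POD):
        for line in audit_pod(pod):
            print(line)
```

Feed it the output of `kubectl get pod -o json` (parsed with `json.loads`) or a rendered Helm template converted to a dict; a pod that sets `net.ipv4.tcp_retries2` this way shows up as both privileged and a runtime writer, whereas the same sysctl in `securityContext.sysctls` plus a kubelet allowlist keeps the pod unprivileged.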
