Configuring Allowed Sysctls in MicroK8s Kubernetes Cluster
MicroK8s is a lightweight, easy-to-install Kubernetes distribution that lets developers run Kubernetes clusters on their local machines. One essential aspect of managing a Kubernetes cluster is configuring parameters that affect security and performance. In this blog post, we focus on the allowed-unsafe-sysctls flag of the kubelet and how to set it in MicroK8s.
Understanding Sysctls and Kubernetes
Sysctls, short for System Control Parameters, allow users to fine-tune kernel settings in Linux. Kubernetes provides a mechanism to control which sysctls are allowed or denied for containers running within pods. This is crucial for the security and stability of the cluster, because containers share the node's kernel and a sysctl that is not confined to the pod's own namespaces can change behaviour for every workload on the node.
The kubelet, a key component of a Kubernetes node, is responsible for managing containers on that node. To control which sysctls are permitted for containers managed by the kubelet, the allowed-unsafe-sysctls flag comes into play.
Setting the allowed-unsafe-sysctls Flag in MicroK8s
Step 1: Edit the microk8s kubelet args
echo "--allowed-unsafe-sysctls='net.*'" | sudo tee -a /var/snap/microk8s/current/args/kubelet
Step 2: Restart microk8s services
sudo microk8s stop
sudo microk8s start
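Appending to the args file with a redirect on every run leaves duplicate --allowed-unsafe-sysctls lines behind, and the kubelet only honours one of them. The helper below is an added example (not from the original post) that replaces an existing line for the flag or appends one when absent, keeps a backup of the previous file, and narrows the allowlist to the single sysctl Step 3 needs, net.ipv4.tcp_congestion_control, which is the least-privilege choice compared with the whole net.* tree. The function names and the --apply invocation are assumptions; the args file path is the one the post uses, and the restart is still the post's stop/start pair.

```shell
#!/bin/sh
# Added example (not part of the original post): idempotently set a kubelet
# flag in a MicroK8s args file instead of blindly appending to it.
set -eu

# ensure_arg FILE FLAG VALUE
#   FILE  args file, e.g. /var/snap/microk8s/current/args/kubelet
#   FLAG  flag name including leading dashes, e.g. --allowed-unsafe-sysctls
#   VALUE written as FLAG=VALUE; any earlier FLAG line is dropped first
ensure_arg() {
    file=$1; flag=$2; value=$3
    tmp=$(mktemp)
    # keep every line except an existing "FLAG=..." or bare "FLAG" line
    grep -v -e "^${flag}=" -e "^${flag}\$" "$file" > "$tmp" || true
    printf '%s=%s\n' "$flag" "$value" >> "$tmp"
    cp "$file" "$file.bak"          # keep the previous args for rollback
    cat "$tmp" > "$file"            # cat, not mv: preserves owner and mode
    rm -f "$tmp"
}

# get_arg FILE FLAG -> prints the current value (empty when unset)
get_arg() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# count_arg FILE FLAG -> number of lines that set FLAG (should be 0 or 1)
count_arg() {
    grep -c -e "^$2=" -e "^$2\$" "$1" || true
}

# Assumed invocation, as root: sh set-kubelet-arg.sh --apply
if [ "${1:-}" = "--apply" ]; then
    ARGS_FILE=/var/snap/microk8s/current/args/kubelet   # path from the post
    # allow only the sysctl the deployment sets, not the whole net.* tree
    ensure_arg "$ARGS_FILE" --allowed-unsafe-sysctls net.ipv4.tcp_congestion_control
    echo "allowed-unsafe-sysctls is now: $(get_arg "$ARGS_FILE" --allowed-unsafe-sysctls)"
    echo "restart the node to pick it up: sudo microk8s stop && sudo microk8s start"
fi
```

Run it once per flag change; a second run with the same value leaves the file unchanged apart from the refreshed backup, and `count_arg` is a quick way to confirm that the file holds exactly one line for the flag before restarting.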
Step 3: Modify a deployment to set a sysctl value
For example, we'll set TCP congestion control to BBR here. For a Deployment, this goes in the pod template (spec.template.spec), at the same indentation level as the containers: key:
spec:
  securityContext:
    sysctls:
    - name: net.ipv4.tcp_congestion_control
      value: "bbr"
  containers:
Step 4: Apply the deployment yaml
Generally, this is done via the following, or a similar command:
kubectl apply -f deployment.yaml
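When the kubelet refuses a pod's sysctls, the only feedback is a SysctlForbidden event after the apply. The script below is an added example (not from the original post, and not the kubelet's own code) that mirrors the documented admission rules so a manifest can be checked beforehand: a sysctl passes if it is in the kubelet's built-in safe set; otherwise it must match --allowed-unsafe-sysctls, either as an exact name or as a prefix pattern ending in "*" (the form net.* the post uses); only namespaced sysctls (net.*, fs.mqueue.*, kernel.shm*, kernel.msg*, kernel.sem) can be set from a pod at all; and net.* sysctls are refused with hostNetwork: true, the IPC ones with hostIPC: true, because the pod would then be writing to the host's namespace. The safe set is the one listed in the Kubernetes sysctl documentation for 1.22 and later; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): preflight a pod's sysctls
# against the rules the kubelet applies at admission time.
set -eu

# Built-in safe set, taken from the Kubernetes sysctl documentation (1.22+).
SAFE_SYSCTLS="kernel.shm_rmid_forced net.ipv4.ip_local_port_range net.ipv4.tcp_syncookies net.ipv4.ping_group_range net.ipv4.ip_unprivileged_port_start"

# is_namespaced NAME -> true if the sysctl lives in a namespace a pod owns
is_namespaced() {
    case "$1" in
        net.*|fs.mqueue.*|kernel.shm*|kernel.msg*|kernel.sem) return 0 ;;
        *) return 1 ;;
    esac
}

# is_safe NAME -> true if NAME is in the built-in safe set
is_safe() {
    for s in $SAFE_SYSCTLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# matches_allowlist NAME ALLOWLIST
#   ALLOWLIST is the comma-separated flag value; a trailing "*" is a prefix
#   match, anything else is an exact name, which is what the kubelet does.
#   Runs in a subshell so IFS and globbing changes stay local.
matches_allowlist() (
    set -f                      # no pathname expansion of patterns like net.*
    IFS=','
    for pat in $2; do
        case "$1" in $pat) exit 0 ;; esac
    done
    exit 1
)

# allowlist_from_args FILE -> the flag value from a MicroK8s args file,
#   with the shell quotes the post writes around 'net.*' stripped
allowlist_from_args() {
    sed -n "s/^--allowed-unsafe-sysctls=//p" "$1" | tail -n 1 | tr -d "'\""
}

# check_sysctl NAME ALLOWLIST [HOSTNETWORK] [HOSTIPC]
#   prints the verdict and returns 0 (allowed) or 1 (forbidden)
check_sysctl() {
    name=$1; allow=$2; hostnet=${3:-false}; hostipc=${4:-false}
    if ! is_namespaced "$name"; then
        echo "forbidden: $name is not a namespaced sysctl"; return 1
    fi
    case "$name" in
        net.*) if [ "$hostnet" = true ]; then
                   echo "forbidden: $name cannot be set with hostNetwork: true"; return 1
               fi ;;
        *)     if [ "$hostipc" = true ]; then
                   echo "forbidden: $name cannot be set with hostIPC: true"; return 1
               fi ;;
    esac
    if is_safe "$name"; then echo "allowed (safe)"; return 0; fi
    if matches_allowlist "$name" "$allow"; then
        echo "allowed (unsafe, on allowlist)"; return 0
    fi
    echo "forbidden: $name is unsafe and not in --allowed-unsafe-sysctls"; return 1
}

# Demo with constructed inputs: the Step 3 sysctl and two others, checked
# against the Step 1 allowlist net.* (no hostNetwork, no hostIPC).
for s in net.ipv4.tcp_congestion_control net.ipv4.tcp_syncookies vm.swappiness; do
    printf '%-36s %s\n' "$s" "$(check_sysctl "$s" 'net.*')"
done
```

To check a real node, feed `allowlist_from_args /var/snap/microk8s/current/args/kubelet` as the second argument and the pod's hostNetwork/hostIPC values as the third and fourth; a forbidden verdict here is the same condition that would otherwise surface as a SysctlForbidden event after kubectl apply.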
Conclusion
Configuring the allowed-unsafe-sysctls flag in MicroK8s gives you control over which sysctl parameters are allowed for containers in your Kubernetes cluster, permitting further configurability in network and performance tuning.