Configuring Allowed Sysctls in MicroK8s Kubernetes Cluster

MicroK8s is a lightweight, easy-to-install Kubernetes distribution that enables developers to run Kubernetes clusters on their local machines. One of the essential aspects of managing a Kubernetes cluster is configuring various parameters to ensure security and performance. In this blog post, we’ll focus on the allowed-unsafe-sysctls flag in the kubelet and how to set it in MicroK8s.

Understanding Sysctls and Kubernetes

Sysctls, short for System Control Parameters, allow users to fine-tune kernel settings in Linux. Kubernetes provides a mechanism to control which sysctls are allowed or denied for containers running within pods. This is crucial for ensuring the security and stability of the cluster, as certain sysctl configurations may have unintended consequences.

The kubelet, a key component of a Kubernetes node, is responsible for managing containers on that node. To control which sysctls are permitted for containers managed by the kubelet, the allowed-unsafe-sysctls flag comes into play.

Setting the allowed-unsafe-sysctls Flag in MicroK8s

Step 1: Edit the microk8s kubelet args

echo "--allowed-unsafe-sysctls='net.*'" | sudo tee -a /var/snap/microk8s/current/args/kubelet

Step 2: Restart microk8s services

sudo microk8s stop
sudo microk8s start

Step 3: Modify a deployment to set a sysctl value

For example, we’ll set TCP congestion control to BBR here. For a Deployment, this goes in the pod template's spec, at the same indentation level as the containers: key.

    spec:
      securityContext:
        sysctls:
        - name: net.ipv4.tcp_congestion_control
          value: "bbr"
      containers:

Step 4: Apply the deployment yaml

Generally, this is done via the following, or a similar command:

kubectl apply -f deployment.yaml
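Before restarting the kubelet with a broad pattern like net.*, it is worth checking which of a pod's sysctls the allowlist actually admits, and whether a narrower pattern (just the one sysctl the workload needs) would still be enough. The following script is an added example, not part of the original post or of MicroK8s; it mirrors the kubelet rule set (a fixed safe set is always allowed, anything else must match an --allowed-unsafe-sysctls pattern, where a trailing * is a prefix match) against a constructed args line and pod sysctl list.

```python
"""Check which pod sysctls a kubelet allowlist would accept (added example)."""

# Sysctls Kubernetes treats as safe: namespaced and isolated per pod, so
# they need no --allowed-unsafe-sysctls entry.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
}


def parse_allowed_unsafe(kubelet_args: str) -> list[str]:
    """Extract the comma-separated patterns from the text of a kubelet args file."""
    patterns = []
    for line in kubelet_args.splitlines():
        line = line.strip()
        if line.startswith("--allowed-unsafe-sysctls="):
            value = line.split("=", 1)[1].strip("'\"")
            patterns.extend(p.strip() for p in value.split(",") if p.strip())
    return patterns


def matches(name: str, pattern: str) -> bool:
    """Kubelet semantics: a pattern ending in '*' is a prefix match, else exact."""
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return name == pattern


def check_sysctls(sysctls, patterns):
    """Return (accepted, rejected) sysctl names for a pod's securityContext.sysctls."""
    accepted, rejected = [], []
    for entry in sysctls:
        name = entry["name"]
        if name in SAFE_SYSCTLS or any(matches(name, p) for p in patterns):
            accepted.append(name)
        else:
            rejected.append(name)  # kubelet would refuse to run the pod
    return accepted, rejected


# Constructed sample input: one kubelet args line and a pod's sysctl list.
KUBELET_ARGS = "--allowed-unsafe-sysctls='net.*'\n"
POD_SYSCTLS = [
    {"name": "net.ipv4.tcp_congestion_control", "value": "bbr"},
    {"name": "net.ipv4.ip_local_port_range", "value": "1024 65535"},
    {"name": "kernel.msgmax", "value": "65536"},
]

if __name__ == "__main__":
    ok, bad = check_sysctls(POD_SYSCTLS, parse_allowed_unsafe(KUBELET_ARGS))
    print("accepted:", ok)
    print("rejected by kubelet:", bad)
```

Swapping the constructed args line for net.ipv4.tcp_congestion_control alone still admits the BBR sysctl while leaving every other unsafe net.* parameter blocked. Note that setting BBR also requires the tcp_bbr module to be available on the node's kernel.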

Conclusion

Configuring the allowed-unsafe-sysctls flag in MicroK8s gives you control over which sysctl parameters pods in your Kubernetes cluster may set, permitting further configurability in network and performance tuning.