Configuring Sysctls in Pod Security Context and Taints

scheduled, but will fail to launch. With the warning above in mind, the cluster admin can allow certain _unsafe_ sysctls for very special situations such as high-performance or real-time application tuning. _Unsafe_ sysctls are enabled on a node-by-node basis with a flag of the kubelet; for example: ```shell kubelet --allowed-unsafe-sysctls \ 'kernel.msg*,net.core.somaxconn' ... ``` For {{< glossary_tooltip term_id="minikube" >}}, this can be done via the `extra-config` flag: ```shell minikube start --extra-config="kubelet.allowed-unsafe-sysctls=kernel.msg*,net.core.somaxconn"... ``` Only _namespaced_ sysctls can be enabled this way. ## Setting Sysctls for a Pod A number of sysctls are _namespaced_ in today's Linux kernels. This means that they can be set independently for each pod on a node. Only namespaced sysctls are configurable via the pod securityContext within Kubernetes. The following sysctls are known to be namespaced. This list could change in future versions of the Linux kernel. - `kernel.shm*`, - `kernel.msg*`, - `kernel.sem`, - `fs.mqueue.*`, - Those `net.*` that can be set in container networking namespace. However, there are exceptions (e.g., `net.netfilter.nf_conntrack_max` and `net.netfilter.nf_conntrack_expect_max` can be set in container networking namespace but are unnamespaced before Linux 5.12.2). Sysctls with no namespace are called _node-level_ sysctls. If you need to set them, you must manually configure them on each node's operating system, or by using a DaemonSet with privileged containers. Use the pod securityContext to configure namespaced sysctls. The securityContext applies to all containers in the same pod. This example uses the pod securityContext to set a safe sysctl `kernel.shm_rmid_forced` and two unsafe sysctls `net.core.somaxconn` and `kernel.msgmax`. There is no distinction between _safe_ and _unsafe_ sysctls in the specification. {{< warning >}} Only modify sysctl parameters after you understand their effects, to avoid destabilizing your operating system. {{< /warning >}} ```yaml apiVersion: v1 kind: Pod metadata: name: sysctl-example spec: securityContext: sysctls: - name: kernel.shm_rmid_forced value: "0" - name: net.core.somaxconn value: "1024" - name: kernel.msgmax value: "65536" ... ```  {{< warning >}} Due to their nature of being _unsafe_, the use of _unsafe_ sysctls is at-your-own-risk and can lead to severe problems like wrong behavior of containers, resource shortage or complete breakage of a node. {{< /warning >}} It is good practice to consider nodes with special sysctl settings as _tainted_ within a cluster, and only schedule pods onto them which need those sysctl settings. It is suggested to use the Kubernetes [_taints and toleration_ feature](/docs/reference/generated/kubectl/kubectl-commands/#taint) to implement this. A pod with the _unsafe_ sysctls will fail to launch on any node which has not enabled those two _unsafe_ sysctls explicitly. As with _node-level_ sysctls it is recommended to use [_taints and toleration_ feature](/docs/reference/generated/kubectl/kubectl-commands/#taint) or [taints on nodes](/docs/concepts/scheduling-eviction/taint-and-toleration/) to schedule those pods onto the right nodes.

This section explains how to configure namespaced sysctls using the pod securityContext, providing an example YAML configuration. It distinguishes between namespaced and node-level sysctls, noting that node-level sysctls must be configured manually on each node. It also emphasizes the risks associated with using unsafe sysctls and recommends using Kubernetes taints and tolerations to schedule pods with specific sysctl settings onto appropriate nodes.