File tree Expand file tree Collapse file tree 1 file changed +8
-5
lines changed
content/en/docs/tasks/administer-cluster Expand file tree Collapse file tree 1 file changed +8
-5
lines changed Original file line number Diff line number Diff line change @@ -78,7 +78,10 @@ The following sysctls are supported in the _safe_ set:
7878- ` net.ipv4.ip_unprivileged_port_start ` (since Kubernetes 1.22).
7979
8080{{< note >}}
81- The example ` net.ipv4.tcp_syncookies ` is not namespaced on Linux kernel version 4.4 or lower.
81+ There are some exceptions to the set of safe sysctls:
82+
83+ - The ` net.* ` sysctls are not allowed with host networking enabled.
84+ - The ` net.ipv4.tcp_syncookies ` sysctl is not namespaced on Linux kernel version 4.4 or lower.
8285{{< /note >}}
8386
8487This list will be extended in future Kubernetes versions when the kubelet
@@ -123,10 +126,10 @@ in future versions of the Linux kernel.
123126- ` kernel.msg* ` ,
124127- ` kernel.sem ` ,
125128- ` fs.mqueue.* ` ,
126- - The parameters under ` net.* ` that can be set in container networking
127- namespace. However, there are exceptions (e.g., before Linux 5.12.2,
128- ` net.netfilter.nf_conntrack_max ` and ` net.netfilter.nf_conntrack_expect_max `
129- can be set in container networking namespace but they are unnamespaced).
129+ - Those ` net.* ` that can be set in container networking namespace. However,
130+ there are exceptions (e.g., ` net.netfilter.nf_conntrack_max ` and
131+ ` net.netfilter.nf_conntrack_expect_max ` can be set in container networking
132+ namespace but are unnamespaced before Linux 5.12.2 ).
130133
131134Sysctls with no namespace are called _ node-level_ sysctls. If you need to set
132135them, you must manually configure them on each node's operating system, or by
You can’t perform that action at this time.
0 commit comments