Merge pull request #44170 from hunshcn/sysctl

k8s-ci-robot · web-flow · commit 5e5e9fc2521c · 2023-12-07T14:15:01.000+01:00
update safe sysctls
diff --git a/content/en/docs/concepts/security/pod-security-standards.md b/content/en/docs/concepts/security/pod-security-standards.md
@@ -271,6 +271,7 @@ fail validation.
 					<li><code>net.ipv4.ip_unprivileged_port_start</code></li>
 					<li><code>net.ipv4.tcp_syncookies</code></li>
 					<li><code>net.ipv4.ping_group_range</code></li>
+					<li><code>net.ipv4.ip_local_reserved_ports</code> (since Kubernetes 1.27)</li>
 				</ul>
 			</td>
 		</tr>
diff --git a/content/en/docs/tasks/administer-cluster/sysctl-cluster.md b/content/en/docs/tasks/administer-cluster/sysctl-cluster.md
@@ -76,6 +76,7 @@ The following sysctls are supported in the _safe_ set:
 - `net.ipv4.tcp_syncookies`,
 - `net.ipv4.ping_group_range` (since Kubernetes 1.18),
 - `net.ipv4.ip_unprivileged_port_start` (since Kubernetes 1.22).
+- `net.ipv4.ip_local_reserved_ports` (since Kubernetes 1.27).
 
 {{< note >}}
 There are some exceptions to the set of safe sysctls:
