kubelet - Enable Protect Kernel Defaults

Protect tuned kernel parameters from being overwritten by the kubelet.

Before enabling this kernel parameter, it's important and necessary to first create a MachineConfig object that persist the required sysctl's. The required sysctl's are the following:

kernel.keys.root_maxbytes=25000000
kernel.keys.root_maxkeys=1000000
kernel.panic=10
kernel.panic_on_oops=1
vm.overcommit_memory=1
vm.panic_on_oom=0

The these need to be enabled via MachineConfig since they need to be available as soon as the node starts and before the Kubelet does. The manifest may look as follows:

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-kubelet-sysctls
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,vm.overcommit_memory%3D1%0Avm.panic_on_oom%3D0%0Akernel.panic%3D10%0Akernel.panic_on_oops%3D1%0Akernel.keys.root_maxkeys%3D1000000%0Akernel.keys.root_maxbytes%3D25000000%0A
        mode: 0644
        path: /etc/sysctl.d/90-kubelet.conf
        overwrite: true

This will need to be done for each relevant MachineConfigPool in the cluster.

After enabling this and after the changes have successfully rolled out to the whole cluster, it will now be possible to set the protectKernelDefaults parameter.

To configure, follow the directions in the documentation