Skip to content

kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.keys.root_maxbytes

An XCCDF Rule

Description

Setup required tuned kernel parameters before enabling overwritten protection. Note that depending on the Linux distribution and its version that your cluster nodes are running, these parameters might be already set up for you. Please refer to the rule instructions for a check.

Before enabling kernel parameter overwritten protection default, it's important to check if these values are already set to the required values. If not, it is necessary to first create a MachineConfig object that persist the required sysctl's. The required sysctl's are the following:

kernel.keys.root_maxbytes=25000000
kernel.keys.root_maxkeys=1000000
kernel.panic=10
kernel.panic_on_oops=1
vm.overcommit_memory=1
vm.panic_on_oom=0

The these need to be enabled via MachineConfig since they need to be available as soon as the node starts and before the Kubelet does. The manifest may look as follows:

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-kubelet-sysctls
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,vm.overcommit_memory%3D1%0Avm.panic_on_oom%3D0%0Akernel.panic%3D10%0Akernel.panic_on_oops%3D1%0Akernel.keys.root_maxkeys%3D1000000%0Akernel.keys.root_maxbytes%3D25000000%0A
        mode: 0644
        path: /etc/sysctl.d/90-kubelet.conf
        overwrite: true

This will need to be done for each relevant MachineConfigPool in the cluster.

To configure, follow the directions in the documentation

Rationale

Kernel parameters are usually tuned and hardened by the system administrators before putting the systems into production. These parameters protect the kernel and the system. Your kubelet kernel defaults that rely on such parameters should be appropriately set to match the desired secured system state. Ignoring this could potentially lead to running pods with undesired kernel behavior.

ID
xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes
Severity
Medium
References
Updated