Setup required tuned kernel parameters before enabling overwritten protection. Note
that depending on the Linux distribution and its version that your cluster nodes are
running, these parameters might be already set up for you. Please refer to the rule
instructions for a check.
Before enabling kernel parameter overwritten protection default,
it's important to check if these values are already set to the required values.
If not, it is necessary to first create a MachineConfig
object that persist the required sysctl's. The required sysctl's are the following:
kernel.keys.root_maxbytes=25000000
kernel.keys.root_maxkeys=1000000
kernel.panic=10
kernel.panic_on_oops=1
vm.overcommit_memory=1
vm.panic_on_oom=0
The these need to be enabled via MachineConfig since they need to be
available as soon as the node starts and before the Kubelet does.
The manifest may look as follows:
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
labels:
machineconfiguration.openshift.io/role: master
name: 75-master-kubelet-sysctls
spec:
config:
ignition:
version: 3.1.0
storage:
files:
- contents:
source: data:,vm.overcommit_memory%3D1%0Avm.panic_on_oom%3D0%0Akernel.panic%3D10%0Akernel.panic_on_oops%3D1%0Akernel.keys.root_maxkeys%3D1000000%0Akernel.keys.root_maxbytes%3D25000000%0A
mode: 0644
path: /etc/sysctl.d/90-kubelet.conf
overwrite: true
This will need to be done for each relevant MachineConfigPool
in the cluster.
To configure, follow the directions in
the documentation