×

In Linux, sysctl allows an administrator to modify kernel parameters at runtime. You can modify interface-level network sysctls using the tuning Container Network Interface (CNI) meta plug-in. The tuning CNI meta plug-in operates in a chain with a main CNI plug-in as illustrated.

CNI plug-in

The main CNI plug-in assigns the interface and passes this to the tuning CNI meta plug-in at runtime. You can change some sysctls and several interface attributes (promiscuous mode, all-multicast mode, MTU, and MAC address) in the network namespace by using the tuning CNI meta plug-in. In the tuning CNI meta plug-in configuration, the interface name is represented by the IFNAME token, and is replaced with the actual name of the interface at runtime.

In OKD, the tuning CNI meta plug-in only supports changing interface-level network sysctls.

Configuring the tuning CNI

The following procedure configures the tuning CNI to change the interface-level network net.ipv4.conf.IFNAME.accept_redirects sysctl. This example enables accepting and sending ICMP-redirected packets.

Procedure
  1. Create a network attachment definition, such as tuning-example.yaml, with the following content:

    apiVersion: "k8s.cni.cncf.io/v1"
    kind: NetworkAttachmentDefinition
    metadata:
      name: <name> (1)
      namespace: default (2)
    spec:
      config: '{
        "cniVersion": "0.4.0", (3)
        "name": "<name>", (4)
        "plugins": [{
           "type": "<main_CNI_plug-in>" (5)
          },
          {
           "type": "tuning", (6)
           "sysctl": {
                "net.ipv4.conf.IFNAME.accept_redirects": "1" (7)
            }
          }
         ]
    }
    1 Specifies the name for the additional network attachment to create. The name must be unique within the specified namespace.
    2 Specifies the namespace that the object is associated with.
    3 Specifies the CNI specification version.
    4 Specifies the name for the configuration. It is recommended to match the configuration name to the name value of the network attachment definition.
    5 Specifies the name of the main CNI plug-in to configure.
    6 Specifies the name of the CNI meta plug-in.
    7 Specifies the sysctl to set.

    An example yaml file is shown here:

    apiVersion: "k8s.cni.cncf.io/v1"
    kind: NetworkAttachmentDefinition
    metadata:
      name: tuningnad
      namespace: default
    spec:
      config: '{
        "cniVersion": "0.4.0",
        "name": "tuningnad",
        "plugins": [{
          "type": "bridge"
          },
          {
          "type": "tuning",
          "sysctl": {
             "net.ipv4.conf.IFNAME.accept_redirects": "1"
            }
        }
      ]
    }'
  2. Apply the yaml by running the following command:

    $ oc apply -f tuning-example.yaml
    Example output
    networkattachmentdefinition.k8.cni.cncf.io/tuningnad created
  3. Create a pod such as examplepod.yaml with the network attachment definition similar to the following:

    apiVersion: v1
    kind: Pod
    metadata:
      name: tunepod
      namespace: default
      annotations:
        k8s.v1.cni.cncf.io/networks: tuningnad (1)
    spec:
      containers:
      - name: podexample
        image: centos
        command: ["/bin/bash", "-c", "sleep INF"]
        securityContext:
          runAsUser: 2000 (2)
          runAsGroup: 3000 (3)
          allowPrivilegeEscalation: false (4)
          capabilities: (5)
            drop: ["ALL"]
      securityContext:
        runAsNonRoot: true (6)
        seccompProfile: (7)
          type: RuntimeDefault
    1 Specify the name of the configured NetworkAttachmentDefinition.
    2 runAsUser controls which user ID the container is run with.
    3 runAsGroup controls which primary group ID the containers is run with.
    4 allowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, it defaults to true. This boolean directly controls whether the no_new_privs flag gets set on the container process.
    5 capabilities permit privileged actions without giving full root access. This policy ensures all capabilities are dropped from the pod.
    6 runAsNonRoot: true requires that the container will run with a user with any UID other than 0.
    7 RuntimeDefault enables the default seccomp profile for a pod or container workload.
  4. Apply the yaml by running the following command:

    $ oc apply -f examplepod.yaml
  5. Verify that the pod is created by running the following command:

    $ oc get pod
    Example output
    NAME      READY   STATUS    RESTARTS   AGE
    tunepod   1/1     Running   0          47s
  6. Log in to the pod by running the following command:

    $ oc rsh tunepod
  7. Verify the values of the configured sysctl flags. For example, find the value net.ipv4.conf.net1.accept_redirects by running the following command:

    sh-4.4# sysctl net.ipv4.conf.net1.accept_redirects
    Expected output
    net.ipv4.conf.net1.accept_redirects = 1

Additional resources