init container "sysctl: error setting key 'net.ipv4.ip_local_port_range': Read-only file system"

Question

I am trying to remove privileged mode from init container, when i set to priviliged: false. I am getting above error. I had set readOnlyRootFilesystem: false and lines below at the pod securityContext level

  securityContext:
    sysctls:
    - name: net.ipv4.ip_local_port_range
      value: 0 65535

Answer 1

The problem is that you cannot run sysctl without the privileged mode due to security reasons. This is expected since docker restricts access to /proc and /sys.

In order for this to work you need to use the privileged mode for the init container and than either:

• Use sysctls in a Kubernetes Cluster by specifing a proper securityContext for a Pod. For example:

---

  securityContext:
    sysctls:
    - name: kernel.shm_rmid_forced
      value: "0"
    - name: net.core.somaxconn
      value: "1024"
    - name: kernel.msgmax
      value: "65536"

• Use PodSecurityPolicy to control which sysctls can be set in pods by specifying lists of sysctls or sysctl patterns in the forbiddenSysctls and/or allowedUnsafeSysctls fields of the PodSecurityPolicy. For example:

---

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: sysctl-psp
spec:
  allowedUnsafeSysctls:
  - kernel.msg*
  forbiddenSysctls:
  - kernel.shm_rmid_forced

Notice that:

If you allow unsafe sysctls via the allowedUnsafeSysctls field in a PodSecurityPolicy, any pod using such a sysctl will fail to start if the sysctl is not allowed via the --allowed-unsafe-sysctls kubelet flag as well on that node.

• You can also set a limited number of sysctls on a container-local basis with docker run --sysctl.

I also recommend going through the whole linked documentation as caution is advised because use of unsafe sysctls is at-your-own-risk and can lead to severe problems like wrong behavior of containers, resource shortage or complete breakage of a node.