mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/nw-cfg-tuning-interface-cni.adoc
2026-01-21 14:47:46 +00:00

// Module included in the following assemblies:
//
// * networking/setting-interface-level-network-sysctls.adoc
:_mod-docs-content-type: PROCEDURE
[id="nw-configuring-tuning-cni_{context}"]
= Configuring system controls by using the tuning CNI
[role="_abstract"]
To configure interface-level network sysctls in {product-title}, you can use the tuning CNI meta plugin in a network attachment definition. Configure the `net.ipv4.conf.IFNAME.accept_redirects` sysctl to enable accepting and sending ICMP-redirected packets.
.Procedure
. Create a network attachment definition, such as `tuning-example.yaml`, with the following content:
+
[source,yaml]
----
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: <name>
  namespace: default
spec:
  config: '{
    "cniVersion": "0.4.0",
    "name": "<name>",
    "plugins": [
      {
        "type": "<main_CNI_plugin>"
      },
      {
        "type": "tuning",
        "sysctl": {
          "net.ipv4.conf.IFNAME.accept_redirects": "1"
        }
      }
    ]
  }'
----
+
where:
+
--
`name`:: Specifies the name for the additional network attachment to create. The name must be unique within the specified namespace.
`namespace`:: Specifies the namespace that the object is associated with.
`cniVersion`:: Specifies the CNI specification version.
`name`:: Specifies the name for the configuration. It is recommended to match the configuration name to the name value of the network attachment definition.
`main_CNI_plugin`:: Specifies the name of the main CNI plugin to configure.
`tuning`:: Specifies the name of the CNI meta plugin.
`sysctl`:: Specifies the sysctl to set. The interface name is represented by the `IFNAME` token and is replaced with the actual name of the interface at runtime.
--
+
.Example network attachment definition
[source,yaml]
----
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: tuningnad
  namespace: default
spec:
  config: '{
    "cniVersion": "0.4.0",
    "name": "tuningnad",
    "plugins": [
      {
        "type": "bridge"
      },
      {
        "type": "tuning",
        "sysctl": {
          "net.ipv4.conf.IFNAME.accept_redirects": "1"
        }
      }
    ]
  }'
----
. Apply the YAML by running the following command:
+
[source,terminal]
----
$ oc apply -f tuning-example.yaml
----
+
.Example output
[source,terminal]
----
networkattachmentdefinition.k8s.cni.cncf.io/tuningnad created
----
. Create a pod such as `examplepod.yaml` with the network attachment definition similar to the following:
+
[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
  name: tunepod
  namespace: default
  annotations:
    k8s.v1.cni.cncf.io/networks: tuningnad
spec:
  containers:
  - name: podexample
    image: centos
    command: ["/bin/bash", "-c", "sleep INF"]
    securityContext:
      runAsUser: 2000
      runAsGroup: 3000
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
----
+
where:
+
--
`k8s.v1.cni.cncf.io/networks`:: Specifies the name of the configured `NetworkAttachmentDefinition`.
`runAsUser`:: Specifies which user ID the container is run with.
`runAsGroup`:: Specifies which primary group ID the container is run with.
`allowPrivilegeEscalation`:: Specifies if a pod can request to allow privilege escalation. If unspecified, it defaults to true. This boolean directly controls whether the `no_new_privs` flag gets set on the container process.
`capabilities`:: Specifies privileged actions without giving full root access. This policy ensures all capabilities are dropped from the pod.
`runAsNonRoot: true`:: Specifies that the container must run as a user with any UID other than 0.
`seccompProfile`:: Specifies the default seccomp profile for a pod or container workload.
--
. Apply the YAML by running the following command:
+
[source,terminal]
----
$ oc apply -f examplepod.yaml
----
. Verify that the pod is created by running the following command:
+
[source,terminal]
----
$ oc get pod
----
+
.Example output
[source,terminal]
----
NAME      READY   STATUS    RESTARTS   AGE
tunepod   1/1     Running   0          47s
----
. Log in to the pod by running the following command:
+
[source,terminal]
----
$ oc rsh tunepod
----
. Verify the values of the configured sysctl flags. For example, find the value `net.ipv4.conf.net1.accept_redirects` by running the following command:
+
[source,terminal]
----
sh-4.4# sysctl net.ipv4.conf.net1.accept_redirects
----
+
.Expected output
[source,terminal]
----
net.ipv4.conf.net1.accept_redirects = 1
----
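The network attachment definition from step 1 embeds the CNI plugin chain as a JSON string in `spec.config`, so it can be checked before it is applied. The following Python script is an added example, not part of the OpenShift documentation or the tuning plugin: it parses `spec.config`, confirms that the config name matches `metadata.name` and that `tuning` follows a main plugin, and flags sysctls that lack the `IFNAME` token or turn on ICMP redirect handling. The interface-sysctl pattern (`INTERFACE_SYSCTL_RE`) and the `RISKY_SETTINGS` review policy are assumptions made for this example.

```python
"""Audit the tuning-plugin sysctls in a NetworkAttachmentDefinition (NAD)."""
import json
import re

# Interface-scoped sysctl names carry the IFNAME token, as on the page; the exact
# pattern below is an assumption for this example, not the plugin's own allowlist.
INTERFACE_SYSCTL_RE = re.compile(r"^net\.ipv[46]\.(conf|neigh)\.IFNAME\.[a-z0-9_]+$")

# Settings a reviewer should see flagged (hypothetical review policy).
RISKY_SETTINGS = {"net.ipv4.conf.IFNAME.accept_redirects": "1",
                  "net.ipv4.conf.IFNAME.send_redirects": "1"}

def tuning_sysctls(nad):
    """Return the sysctl map of the tuning plugin from the NAD's embedded CNI config."""
    cfg = json.loads(nad["spec"]["config"])  # spec.config is a JSON string, not YAML
    for plugin in cfg.get("plugins", []):
        if plugin.get("type") == "tuning":
            return plugin.get("sysctl", {})
    return {}

def audit_nad(nad):
    """Return a list of findings; an empty list means every check passed."""
    try:
        cfg = json.loads(nad["spec"]["config"])
    except (KeyError, ValueError) as exc:
        return [f"spec.config is not valid JSON: {exc}"]
    findings = []
    if cfg.get("name") != nad["metadata"]["name"]:
        findings.append("config name does not match metadata.name")
    types = [p.get("type") for p in cfg.get("plugins", [])]
    if types[:1] == ["tuning"]:
        findings.append("tuning is a meta plugin and must follow the main CNI plugin")
    for key, value in tuning_sysctls(nad).items():
        if not INTERFACE_SYSCTL_RE.match(key):
            findings.append(f"{key}: not interface-scoped (IFNAME token required)")
        if RISKY_SETTINGS.get(key) == str(value):
            findings.append(f"{key}={value}: flagged by review policy (ICMP redirect handling)")
    return findings

# Constructed sample mirroring the page's tuningnad example.
SAMPLE_NAD = {
    "apiVersion": "k8s.cni.cncf.io/v1",
    "kind": "NetworkAttachmentDefinition",
    "metadata": {"name": "tuningnad", "namespace": "default"},
    "spec": {"config": '{"cniVersion": "0.4.0", "name": "tuningnad", "plugins": ['
                       '{"type": "bridge"}, {"type": "tuning", "sysctl": '
                       '{"net.ipv4.conf.IFNAME.accept_redirects": "1"}}]}'},
}
```

Running `audit_nad(SAMPLE_NAD)` on the page's own definition returns a single finding for `accept_redirects=1`, which is the intended setting here but is worth a deliberate sign-off before the definition is applied.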