openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
bbb545cb0fcaa08f95e0853d83a491c841bbb333
openshift-docs/modules/update-network-sysctl-allowlist.adoc
Kathryn Alexander 90d985a0bb [enterprise-4.14] changing content type attribute
2023-10-30 10:13:25 -04:00

218 lines
5.8 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * nodes/containers/nodes-containers-sysctls.adoc
:_mod-docs-content-type: PROCEDURE
[id="updating-interface-specific-safe-sysctls-list_{context}"]
= Updating the interface-specific safe sysctls list
{product-title} includes a predefined list of safe interface-specific `sysctls`. You can modify this list by updating the `cni-sysctl-allowlist` in the `openshift-multus` namespace.
:FeatureName: The support for updating the interface-specific safe sysctls list
include::snippets/technology-preview.adoc[leveloffset=+1]
Follow this procedure to modify the predefined list of safe `sysctls`. This procedure describes how to extend the default allow list.
.Procedure
. View the existing predefined list by running the following command:
+
[source,terminal]
----
$ oc get cm -n openshift-multus cni-sysctl-allowlist -oyaml
----
+
.Expected output
+
[source,terminal,subs="attributes+"]
----
apiVersion: v1
data:
allowlist.conf: |-
^net.ipv4.conf.IFNAME.accept_redirects$
^net.ipv4.conf.IFNAME.accept_source_route$
^net.ipv4.conf.IFNAME.arp_accept$
^net.ipv4.conf.IFNAME.arp_notify$
^net.ipv4.conf.IFNAME.disable_policy$
^net.ipv4.conf.IFNAME.secure_redirects$
^net.ipv4.conf.IFNAME.send_redirects$
^net.ipv6.conf.IFNAME.accept_ra$
^net.ipv6.conf.IFNAME.accept_redirects$
^net.ipv6.conf.IFNAME.accept_source_route$
^net.ipv6.conf.IFNAME.arp_accept$
^net.ipv6.conf.IFNAME.arp_notify$
^net.ipv6.neigh.IFNAME.base_reachable_time_ms$
^net.ipv6.neigh.IFNAME.retrans_time_ms$
kind: ConfigMap
metadata:
annotations:
kubernetes.io/description: |
Sysctl allowlist for nodes.
release.openshift.io/version: {product-version}.0-0.nightly-2022-11-16-003434
creationTimestamp: "2022-11-17T14:09:27Z"
name: cni-sysctl-allowlist
namespace: openshift-multus
resourceVersion: "2422"
uid: 96d138a3-160e-4943-90ff-6108fa7c50c3
----
. Edit the list by using the following command:
+
[source,terminal]
----
$ oc edit cm -n openshift-multus cni-sysctl-allowlist -oyaml
----
+
For example, to allow you to be able to implement stricter reverse path forwarding you need to add `^net.ipv4.conf.IFNAME.rp_filter$` and `^net.ipv6.conf.IFNAME.rp_filter$` to the list as shown here:
+
[source,terminal]
----
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
allowlist.conf: |-
^net.ipv4.conf.IFNAME.accept_redirects$
^net.ipv4.conf.IFNAME.accept_source_route$
^net.ipv4.conf.IFNAME.arp_accept$
^net.ipv4.conf.IFNAME.arp_notify$
^net.ipv4.conf.IFNAME.disable_policy$
^net.ipv4.conf.IFNAME.secure_redirects$
^net.ipv4.conf.IFNAME.send_redirects$
^net.ipv4.conf.IFNAME.rp_filter$
^net.ipv6.conf.IFNAME.accept_ra$
^net.ipv6.conf.IFNAME.accept_redirects$
^net.ipv6.conf.IFNAME.accept_source_route$
^net.ipv6.conf.IFNAME.arp_accept$
^net.ipv6.conf.IFNAME.arp_notify$
^net.ipv6.neigh.IFNAME.base_reachable_time_ms$
^net.ipv6.neigh.IFNAME.retrans_time_ms$
^net.ipv6.conf.IFNAME.rp_filter$
----
. Save the changes to the file and exit.
+
[NOTE]
====
The removal of `sysctls` is also supported. Edit the file, remove the `sysctl` or `sysctls` then save the changes and exit.
====
.Verification
Follow this procedure to enforce stricter reverse path forwarding for IPv4.
For more information on reverse path forwarding see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-reverse_path_forwarding[Reverse Path Forwarding
].
. Create a network attachment definition, such as `reverse-path-fwd-example.yaml`, with the following content:
+
[source,yaml]
----
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
name: tuningnad
namespace: default
spec:
config: '{
"cniVersion": "0.4.0",
"name": "tuningnad",
"plugins": [{
"type": "bridge"
},
{
"type": "tuning",
"sysctl": {
"net.ipv4.conf.IFNAME.rp_filter": "1"
}
}
]
}'
----
. Apply the yaml by running the following command:
+
[source,terminal]
----
$ oc apply -f reverse-path-fwd-example.yaml
----
+
.Example output
[source,terminal]
----
networkattachmentdefinition.k8.cni.cncf.io/tuningnad created
----
. Create a pod such as `examplepod.yaml` using the following YAML:
+
[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
name: example
labels:
app: httpd
namespace: default
annotations:
k8s.v1.cni.cncf.io/networks: tuningnad <1>
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: httpd
image: 'image-registry.openshift-image-registry.svc:5000/openshift/httpd:latest'
ports:
- containerPort: 8080
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
----
<1> Specify the name of the configured `NetworkAttachmentDefinition`.
. Apply the yaml by running the following command:
+
[source,terminal]
----
$ oc apply -f examplepod.yaml
----
. Verify that the pod is created by running the following command:
+
[source,terminal]
----
$ oc get pod
----
+
.Example output
[source,terminal]
----
NAME READY STATUS RESTARTS AGE
example 1/1 Running 0 47s
----
. Log in to the pod by running the following command:
+
[source,terminal]
----
$ oc rsh example
----
. Verify the value of the configured sysctl flag. For example, find the value `net.ipv4.conf.net1.rp_filter` by running the following command:
+
[source,terminal]
----
sh-4.4# sysctl net.ipv4.conf.net1.rp_filter
----
+
.Expected output
[source,terminal]
----
net.ipv4.conf.net1.rp_filter = 1
----
View Git Blame Copy Permalink