Method one: add an initContainer that runs in privileged mode
The related YAML for reference:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: nginx
  name: nginx
  namespace: default
spec:
  selector:
    matchLabels:
      k8s-app: nginx
  template:
    metadata:
      labels:
        k8s-app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
      initContainers:
      - name: setsysctl
        image: busybox
        securityContext:
          privileged: true
        command:
        - sh
        args:
        - -c
        - |
          sysctl -w net.ipv4.tcp_tw_reuse=1
          sysctl -w net.core.somaxconn=65535
          sysctl -w net.ipv4.ip_local_port_range="30000 65535"
```
Method two: set the sysctls parameter in the workload's securityContext
Note: if this method uses unsafe kernel parameters, you must first change the kubelet configuration on the nodes, add the --allowed-unsafe-sysctls field, and allow the relevant unsafe parameters. Otherwise, after creation the pod fails with SysctlForbidden, and pods keep being created in large numbers, which can bring the cluster down.
How to allow unsafe parameters, and which parameters are safe or unsafe, is covered in the official documentation: Using sysctls in a Kubernetes Cluster.
The YAML for this method can be referenced as follows:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: nginx
  name: nginx
  namespace: default
spec:
  selector:
    matchLabels:
      k8s-app: nginx
  template:
    metadata:
      labels:
        k8s-app: nginx
    spec:
      securityContext:
        sysctls:
        - name: net.ipv4.tcp_tw_reuse
          value: "1"
        - name: net.core.somaxconn
          value: "65535"
        - name: net.ipv4.ip_local_port_range
          value: "30000 65535"
      containers:
      - name: nginx
        image: nginx
```
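To check a manifest before applying it, here is an added example (not from the original post) that audits a pod spec for both patterns: it lists the sysctls outside the kubelet's safe set, which would trigger SysctlForbidden without the flag, and any privileged container, which method one relies on. The safe-sysctl set is the one from the linked official document for Kubernetes 1.22 to 1.26, and the page's manifests are embedded as dicts rather than parsed from YAML.

```python
# Audit a pod spec for the two patterns above (added example, not the post's code).
# Specs are plain dicts (the page's manifests transcribed) so no PyYAML is needed.

# Sysctls the kubelet admits without --allowed-unsafe-sysctls, per the official
# "Using sysctls in a Kubernetes Cluster" page for Kubernetes 1.22 to 1.26;
# newer releases add more, so keep this in sync with the version you run.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
}

# Method one: privileged initContainer running sysctl -w.
METHOD_ONE_SPEC = {
    "containers": [{"name": "nginx", "image": "nginx"}],
    "initContainers": [{
        "name": "setsysctl", "image": "busybox",
        "securityContext": {"privileged": True},
        "command": ["sh"],
        "args": ["-c", "sysctl -w net.ipv4.tcp_tw_reuse=1\n"
                       "sysctl -w net.core.somaxconn=65535\n"
                       'sysctl -w net.ipv4.ip_local_port_range="30000 65535"\n'],
    }],
}

# Method two: pod-level securityContext.sysctls, no privilege needed.
METHOD_TWO_SPEC = {
    "securityContext": {"sysctls": [
        {"name": "net.ipv4.tcp_tw_reuse", "value": "1"},
        {"name": "net.core.somaxconn", "value": "65535"},
        {"name": "net.ipv4.ip_local_port_range", "value": "30000 65535"},
    ]},
    "containers": [{"name": "nginx", "image": "nginx"}],
}

def audit_pod_spec(pod_spec):
    """Return (unsafe sysctl names, privileged container names) for a pod spec."""
    sysctls = (pod_spec.get("securityContext") or {}).get("sysctls") or []
    unsafe = [s["name"] for s in sysctls if s["name"] not in SAFE_SYSCTLS]
    containers = (pod_spec.get("initContainers") or []) + (pod_spec.get("containers") or [])
    privileged = [c["name"] for c in containers
                  if (c.get("securityContext") or {}).get("privileged")]
    return unsafe, privileged

def kubelet_flag(unsafe):
    """Flag the node's kubelet needs before a pod with these sysctls is admitted."""
    return "--allowed-unsafe-sysctls=" + ",".join(unsafe) if unsafe else ""
```

Run against the method-two spec it reports net.ipv4.tcp_tw_reuse and net.core.somaxconn as unsafe (only the port range is in the safe set), which is exactly why the note above requires the kubelet flag first.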