Merge pull request #11506 from k8s-infra-cherrypick-robot/cherry-pick-11502-to-release/2.0
[release/2.0] docs: include note about unprivileged sysctls
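--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -87,6 +87,10 @@ This features needs [runc](https://github.com/opencontainers/runc) v1.2.0 or lat
 
 The CRI plugin now supports [recursive read-only mounts](https://kubernetes.io/docs/concepts/storage/volumes/#read-only-mounts) so as to prohibit accidentally having writable submounts.
 
+### Unprivileged ports and ICMP by default for CRI
+
+The CRI plugin now enables `net.ipv4.ip_unprivileged-port-start=0` and `net.ipv4.ping_group_range=0 2147483647` for containers that do not use the host network namespace or user namespaces.  This enables containers to bind to ports below 1024 without granting `CAP_NET_BIND_SERVICE` and to run `ping` without `CAP_NET_RAW`.  This default behavior change can be reverted by setting the `enable_unprivileged_ports` and `enable_unprivileged_icmp` options to `false` in the CRI plugin configuration.
+
 ### Deprecation warnings can now be discovered via the Introspection API
 
 Deprecations warnings have been added to the `ServerResponse` for the introspection service (`/containerd.services.introspection.v1.Introspection/Server`) and to the `ctr` tool via `ctr deprecation list`.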
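--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -375,13 +375,10 @@ type RuntimeConfig struct {
 	// EnableUnprivilegedPorts configures net.ipv4.ip_unprivileged_port_start=0
 	// for all containers which are not using host network
 	// and if it is not overwritten by PodSandboxConfig
-	// Note that currently default is set to disabled but target change it in future, see:
-	//   https://github.com/kubernetes/kubernetes/issues/102612
 	EnableUnprivilegedPorts bool `toml:"enable_unprivileged_ports" json:"enableUnprivilegedPorts"`
 	// EnableUnprivilegedICMP configures net.ipv4.ping_group_range="0 2147483647"
 	// for all containers which are not using host network, are not running in user namespace
 	// and if it is not overwritten by PodSandboxConfig
-	// Note that currently default is set to disabled but target change it in future together with EnableUnprivilegedPorts
 	EnableUnprivilegedICMP bool `toml:"enable_unprivileged_icmp" json:"enableUnprivilegedICMP"`
 	// EnableCDI indicates to enable injection of the Container Device Interface Specifications
 	// into the OCI config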
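Review bot: Dropping the "currently default is set to disabled" note leaves the EnableUnprivilegedPorts and EnableUnprivilegedICMP comments silent on what the default now is, while the release note in the docs section above says both sysctls are now applied by default and that operators must set the options to `false` to revert. Each field comment should state that, e.g. `// Defaults to true; set to false to restore the previous, more restrictive behaviour.` The ports comment also lists only the host-network exclusion, whereas the ICMP comment and the release note both exclude user-namespaced containers as well; if the ports sysctl is skipped under user namespaces too, the comment should say so — that cannot be confirmed from this hunk. The RuntimeConfig struct starts and ends outside the hunk.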