Merge pull request #32383 from sttts/sttts-sysctl-infra-only

Automatic merge from submit-queue

Only set sysctls for infra containers

We did set the sysctls for each container in a pod. This opens up a way to set un-whitelisted sysctls during upgrade from v1.3:
- set annotation in v1.3 with an un-whitelisted sysctl. Set restartPolicy=Always
- upgrade cluster to v1.4
- kill container process
- un-whitelisted sysctl is set on restart of the killed container.

pkg/kubelet/dockertools/docker_manager.go

@@ -688,6 +688,7 @@ func (dm *DockerManager) runContainer(
 	}
 
 	// Set sysctls if requested
+	if container.Name == PodInfraContainerName {
 		sysctls, unsafeSysctls, err := api.SysctlsFromPodAnnotations(pod.Annotations)
 		if err != nil {
 			dm.recorder.Eventf(ref, api.EventTypeWarning, events.FailedToCreateContainer, "Failed to create docker container %q of pod %q with error: %v", container.Name, format.Pod(pod), err)
@@ -702,6 +703,7 @@ func (dm *DockerManager) runContainer(
 				hc.Sysctls[c.Name] = c.Value
 			}
 		}
+	}
 
 	// If current api version is newer than docker 1.10 requested, set OomScoreAdj to HostConfig
 	result, err := dm.checkDockerAPIVersion(dockerV110APIVersion)