-
Notifications
You must be signed in to change notification settings - Fork 791
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add sysctl allowList #693
Add sysctl allowList #693
Conversation
Hi @mmirecki It seems to be good feature for tuning/sysctl, especially Kubernetes with multus.
|
a1a1cf9
to
87b11d0
Compare
/etc/cni/tuning/whitelist.conf is not the default
I've set this as the default one. I'll add an override when suggestions appear.
Done |
f28219d
to
330db60
Compare
330db60
to
274984f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As far as I looked, the code seems good to me. I recommend unit-test for the code, in https://github.com/containernetworking/plugins/blob/master/plugins/meta/tuning/tuning_test.go
7ef6b59
to
05cfe66
Compare
@s1061123 , added tests, replied to other comments |
Instead of whitelist, consider allow list, permit list or other variations. |
@mmirecki I agree with @cgoncalves ; would you mind whitelist -> allowlist? |
05cfe66
to
a45a457
Compare
-> allowlist |
a45a457
to
8820efb
Compare
Signed-off-by: mmirecki <mmirecki@redhat.com>
8820efb
to
96c3af8
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks good to me. Thank you for the changes!
/lgtm |
Looks good to me. When you have a moment, can you file a PR in https://github.com/containernetworking/cni.dev/ documenting this? Thanks |
@squeed Here's the doc pr: containernetworking/cni.dev#99 |
The tuning-cni allows to set any sysctl on the created container. The admin might however want to restrict the user to a predefined whitelist of sysctls.
This PR is a POC with a proposal on how this could be implemented.
Tuning-cni would try to read a whitelist file from /tuningwhitelist/sysctlwhitelist (NOTE: temporary location only), and check the incoming sysctls agains it. Cni would return error if an unathorized sysctl is detected.
The tuning-cni would behaves as before is the file is missing.
The POC is meant to only show the concept, the actual implementation will probably differ.