For Droplets created before 2 October 2024, you must manually add VPC peering routes to interconnect with VPC-native DOKS clusters
Can I disable unsafe sysctl on DigitalOcean Kubernetes?
Validated on 19 Sep 2022 • Last edited on 29 Sep 2023
In Linux, the sysctl
interface allows an administrator to modify kernel parameters at runtime. Parameters are available via the /proc/sys/
virtual process file system. These parameters cover various subsystems, such as:
- Kernel (common prefix: kernel.)
- Networking (common prefix: net.)
- Virtual memory (common prefix: vm.)
- MDADM (common prefix: dev.)
On DigitalOcean, you cannot access the nodes to make configuration changes to the underlying virtual machine. This allows us to maintain supportability and stability for our managed Kubernetes service.
However, you can work around this limitation in the following two ways:
- Launch a privileged Init Container to set the value inside the container’s net namespace. Works with both namespaced and non-namespaced
sysctl
s. - Run a DaemonSet on every node with privileged containers and modify non-namespaced
sysctl
s.
For example, you could launch the following Init Container:
initContainers:
- command:
- /bin/sh
- -c
- |
sysctl -w net.core.somaxconn=10000
image: busybox
imagePullPolicy: Always
name: init-sysctl
resources: {}
securityContext:
privileged: true
Kubernetes does not allow any updates in securityContext
unless it is a namespaced sysctl
.
Related Topics
Health checks often fail due to firewalls or misconfigured backend server software.
Enable DNS caching, use non-shared machine types for the cluster, and scale out or reduce DNS traffic.