Can I disable unsafe sysctl on DigitalOcean Kubernetes?

In Linux, the sysctl interface allows an administrator to modify kernel parameters at runtime. Parameters are available via the /proc/sys/ virtual process file system. These parameters cover various subsystems, such as:

  • Kernel (common prefix: kernel.)
  • Networking (common prefix: net.)
  • Virtual memory (common prefix: vm.)
  • MDADM (common prefix: dev.)

On DigitalOcean, you cannot access the nodes to make configuration changes to the underlying virtual machine. This allows us to maintain supportability and stability for our managed Kubernetes service.

However, you can work around this limitation in the following two ways:

  • Launch a privileged Init Container to set the value inside the container’s net namespace. Works with both namespaced and non-namespaced sysctls.
  • Run a DaemonSet on every node with privileged containers and modify non-namespaced sysctls.

For example, you could launch the following Init Container:

initContainers:
  - command:
    - /bin/sh
    - -c
    - |
      sysctl -w net.core.somaxconn=10000
    image: busybox
    imagePullPolicy: Always
    name: init-sysctl
    resources: {}
    securityContext:
      privileged: true

Kubernetes does not allow any updates in securityContext unless it is a namespaced sysctl.

Health checks often fail due to firewalls or misconfigured backend server software.
Enable DNS caching, use non-shared machine types for the cluster, and scale out or reduce DNS traffic.