Cannot persistently enable unsafe Sysctl parameters in TCA Nodepool configuration

Article ID: 418375


Products

VMware Telco Cloud Automation

Issue/Introduction

When attempting to enable "unsafe" kernel parameters (sysctls) for a Kubernetes Node Pool within the VMware Telco Cloud Automation (TCA) user interface by modifying the allowed-unsafe-sysctls variable, the changes disappear or are not applied after the update is saved and the node pool is reconciled.

The non-working configuration specified the parameters as a single comma-separated string with the YAML folded-scalar indicator (>-):

  allowed-unsafe-sysctls: >-
    net.ipv4.tcp_keepalive_time,net.ipv4.tcp_keepalive_intvl,net.ipv4.tcp_keepalive_probes

Environment

TCA 3.x

Cause

The configuration is being rejected by the underlying TCA or Kubernetes parser due to incorrect YAML formatting used for the allowed-unsafe-sysctls field.

When the allowed-unsafe-sysctls key is processed, the parser expects a YAML list (array) of strings, not a single comma-separated string, even when that string is written with the folded-scalar indicator (>-). With >- the whole comma-separated value is treated as one single, invalid list item, so the configuration disappears or is ignored upon reconciliation.

Resolution

Use the YAML list (array) format for the allowed-unsafe-sysctls field:

  allowed-unsafe-sysctls:
    - net.ipv4.tcp_keepalive_time
    - net.ipv4.tcp_keepalive_intvl
    - net.ipv4.tcp_keepalive_probes
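The following Python is an added pre-flight check, not part of this article or of TCA: it takes the value a YAML parser produces for allowed-unsafe-sysctls and rejects the folded-string form while accepting the list form. The name pattern is an assumption that approximates the kubelet's own sysctl-name check; the sample values are constructed from the two snippets above.

```python
import re

# Assumption: approximates the per-entry name check the kubelet applies to
# --allowed-unsafe-sysctls (not copied from kubelet source). Segments of
# [a-z0-9_-] separated by "." or "/"; the last segment may be "*" so that a
# prefix such as "net.ipv4.*" can be allowed.
_SYSCTL_NAME = re.compile(
    r"^([a-z0-9]([-_a-z0-9]*[a-z0-9])?[./])*([a-z0-9]([-_a-z0-9]*[a-z0-9])?|\*)$"
)

# Constructed samples: what a YAML parser returns for the two forms on this
# page. The folded scalar (>-) collapses to ONE string; the block sequence
# yields a list with one sysctl name per element.
FOLDED_FORM = (
    "net.ipv4.tcp_keepalive_time,net.ipv4.tcp_keepalive_intvl,"
    "net.ipv4.tcp_keepalive_probes"
)
LIST_FORM = [
    "net.ipv4.tcp_keepalive_time",
    "net.ipv4.tcp_keepalive_intvl",
    "net.ipv4.tcp_keepalive_probes",
]


def validate_allowed_unsafe_sysctls(value):
    """Return the sysctl names as a list when `value` (the parsed YAML value
    of the key) is well formed; raise ValueError describing the defect."""
    if isinstance(value, str):
        hint = " (comma-joined string; write a YAML list instead)" if "," in value else ""
        raise ValueError(f"expected a YAML list, got a single string{hint}: {value!r}")
    if not isinstance(value, list):
        raise ValueError(f"expected a YAML list, got {type(value).__name__}")
    names = []
    for item in value:
        # A comma inside an item is not a valid sysctl-name character, so the
        # folded form also fails here if it arrives wrapped as a one-item list.
        if not isinstance(item, str) or not _SYSCTL_NAME.match(item):
            raise ValueError(f"invalid sysctl name: {item!r}")
        names.append(item)
    return names


def kubelet_flag_value(value):
    """Render a validated list as the value of the kubelet command-line flag
    --allowed-unsafe-sysctls, which is where a comma-separated string belongs."""
    return ",".join(validate_allowed_unsafe_sysctls(value))
```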


Additional Information

As an alternative to using the allowed-unsafe-sysctls Kubelet extra argument, you can make the kernel parameters persistent directly within the operating system of the Kubernetes nodes by adding them to the host's /etc/sysctl.conf file.