Containers/pods in OpenShift transfer data over IPv4, so you normally do not need to worry about IPv6 settings. In some cases, however, people want to disable IPv6 inside a container without affecting other containers/pods or the host OS.
Here is an example of the IPv6 info output from a container.

Note that running `sysctl -w` to update a kernel parameter inside a container is not allowed, for security reasons.
So what you need to do is change the Kubernetes settings in the DeploymentConfig. Sysctl settings are exposed via Kubernetes, allowing users to modify certain kernel parameters at runtime for the namespaces of a container. Only sysctls that are namespaced can be set independently per pod; for the list of namespaced sysctls, please refer here for details.
Here are the steps:
- Add the setting below to the `kubeletArguments` field in the /etc/origin/node/node-config.yaml file. This enables unsafe sysctls.

  ```yaml
  kubeletArguments:
    experimental-allowed-unsafe-sysctls:
      - net.ipv6.conf.all.disable_ipv6
  ```

- Restart the node service to apply the changes:

  ```shell
  # systemctl restart atomic-openshift-node
  ```

- Edit the DeploymentConfig of the target pod.

  ```shell
  # oc edit dc/<DeploymentConfig of your pod>
  ```

- Add the settings below to the metadata field inside the template field, then save and quit. (You may need to create the annotations field if it does not exist.)

  ```yaml
  spec:
    ....
    template:
      metadata:
        annotations:
          security.alpha.kubernetes.io/unsafe-sysctls: net.ipv6.conf.all.disable_ipv6=1
  ```

- Deploy a new container/pod using this updated DeploymentConfig:

  ```shell
  # oc deploy dc/<DeploymentConfig of your pod> --latest
  ```

- When the pod is ready, confirm that IPv6 is disabled (no `inet6` line appears on any interface):

  ```
  [root@ocp37 ~]# oc exec django-ex-2-22znd -- ip a
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 scope host lo
         valid_lft forever preferred_lft forever
  3: eth0@if41: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP
      link/ether 0a:58:0a:80:00:20 brd ff:ff:ff:ff:ff:ff link-netnsid 0
      inet 10.128.0.32/23 brd 10.128.1.255 scope global eth0
         valid_lft forever preferred_lft forever
  ```
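The two things worth checking automatically after following the steps above are that the DeploymentConfig actually carries `net.ipv6.conf.all.disable_ipv6=1` in its `security.alpha.kubernetes.io/unsafe-sysctls` annotation (the value is a comma-separated list of `name=value` pairs), and that the running pod's `ip a` output no longer shows any `inet6` address. The script below is an added example, not code from the original post: it parses both, using constructed sample input (the post's `ip a` output, a variant of it with a link-local IPv6 address still present, and two DeploymentConfig fragments as Python dicts in the shape `oc get dc -o json` returns) so it runs offline. Function names and the sample values are assumptions for illustration.

```python
"""Verify that IPv6 was disabled in a pod: check the DeploymentConfig annotation
and parse `ip a` output for leftover inet6 addresses."""
import re

# Constructed sample: `ip a` from the post, after the sysctl took effect.
IP_A_IPV6_DISABLED = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth0@if41: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP
    link/ether 0a:58:0a:80:00:20 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.128.0.32/23 brd 10.128.1.255 scope global eth0
       valid_lft forever preferred_lft forever
"""

# Constructed sample: the same pod before the change, with a link-local
# inet6 address (the kernel auto-configures one whenever IPv6 is enabled).
IP_A_IPV6_ENABLED = IP_A_IPV6_DISABLED + """\
    inet6 fe80::858:aff:fe80:20/64 scope link
       valid_lft forever preferred_lft forever
"""

# One `inet6 <addr> scope <scope>` line of `ip a` output.
INET6_LINE = re.compile(r"^\s*inet6\s+(\S+)\s+scope\s+(\S+)", re.MULTILINE)

SYSCTL_ANNOTATION = "security.alpha.kubernetes.io/unsafe-sysctls"
DISABLE_IPV6 = "net.ipv6.conf.all.disable_ipv6"


def ipv6_addresses(ip_a_output):
    """Return (address, scope) pairs for every inet6 line in `ip a` output."""
    return INET6_LINE.findall(ip_a_output)


def ipv6_disabled(ip_a_output):
    """True when the interface dump carries no inet6 address at all."""
    return not ipv6_addresses(ip_a_output)


def parse_sysctl_annotation(value):
    """Parse the comma-separated 'name=value' list used by the annotation."""
    result = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError("malformed sysctl entry: %r" % item)
        name, _, val = item.partition("=")
        result[name.strip()] = val.strip()
    return result


def pod_template_sysctls(dc):
    """Extract the unsafe-sysctl map from a DeploymentConfig given as a dict."""
    annotations = (dc.get("spec", {}).get("template", {})
                   .get("metadata", {}).get("annotations", {}) or {})
    return parse_sysctl_annotation(annotations.get(SYSCTL_ANNOTATION, ""))


def dc_disables_ipv6(dc):
    """True when the pod template asks for net.ipv6.conf.all.disable_ipv6=1."""
    return pod_template_sysctls(dc).get(DISABLE_IPV6) == "1"


# Constructed DeploymentConfig fragments; the first carries the post's annotation.
DC_WITH_SYSCTL = {"spec": {"template": {"metadata": {"annotations": {
    SYSCTL_ANNOTATION: DISABLE_IPV6 + "=1"}}}}}
DC_WITHOUT_SYSCTL = {"spec": {"template": {"metadata": {}}}}

if __name__ == "__main__":
    for label, out in (("after", IP_A_IPV6_DISABLED), ("before", IP_A_IPV6_ENABLED)):
        print(label, "ipv6 disabled:", ipv6_disabled(out), ipv6_addresses(out))
    print("dc annotation ok:", dc_disables_ipv6(DC_WITH_SYSCTL),
          dc_disables_ipv6(DC_WITHOUT_SYSCTL))
```

In practice you would feed `ipv6_disabled()` the output of `oc exec <pod> -- ip a` and `dc_disables_ipv6()` the parsed output of `oc get dc/<name> -o json`; the annotation check catches the common mistake of putting the annotation on the DeploymentConfig's own metadata instead of on `spec.template.metadata`, where it has no effect on the pod.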