diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index 09fe5fc7c6..988871526e 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -107,6 +107,17 @@ func ToPodOpt(ctx context.Context, podName string, p entities.PodCreateOptions,
 			p.Net.DNSOptions = dnsOptions
 		}
 	}
+
+	if pscConfig := podYAML.Spec.SecurityContext; pscConfig != nil {
+		// Extract sysctl list from pod security context
+		if options := pscConfig.Sysctls; len(options) > 0 {
+			sysctlOptions := make([]string, 0, len(options))
+			for _, opts := range options {
+				sysctlOptions = append(sysctlOptions, opts.Name+"="+opts.Value)
+			}
+			p.Sysctl = sysctlOptions
+		}
+	}
 	return p, nil
 }
 
diff --git a/pkg/specgen/generate/pod_create.go b/pkg/specgen/generate/pod_create.go
index 1988eeb7ac..6d45a728e1 100644
--- a/pkg/specgen/generate/pod_create.go
+++ b/pkg/specgen/generate/pod_create.go
@@ -264,6 +264,10 @@ func MapSpec(p *specgen.PodSpecGenerator) (*specgen.SpecGenerator, error) {
 		p.InfraContainerSpec.ConmonPidFile = p.InfraConmonPidFile
 	}
 
+	if p.Sysctl != nil && len(p.Sysctl) > 0 {
+		p.InfraContainerSpec.Sysctl = p.Sysctl
+	}
+
 	p.InfraContainerSpec.Image = p.InfraImage
 	return p.InfraContainerSpec, nil
 }
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index d20faee592..3b769f6278 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
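Review bot: The entries from `podYAML.Spec.SecurityContext.Sysctls` are joined into `Name=Value` strings with no check on the name, so an entry with an empty `opts.Name` is passed down as `=value` and only fails, if at all, deep in container creation instead of as a clear YAML validation error at this layer. I would reject it here with an error that names the offending entry, e.g. `if opts.Name == "" { return p, errors.New("sysctl in pod securityContext has an empty name") }` inside the loop (using whatever error package kube.go already imports). Note that nothing here distinguishes Kubernetes "safe" from "unsafe" sysctls; every entry is forwarded and, judging by the host-network test expecting exit 125, the only guard is the downstream namespaced-sysctl check at container creation, which is worth stating in the comment: `// All pod-level sysctls are forwarded unfiltered; validity against the pod's namespaces is enforced when the infra container is created.` ToPodOpt's body begins outside the hunk.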
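Review bot: The guard `p.Sysctl != nil && len(p.Sysctl) > 0` is redundant, since `len` of a nil slice is already 0; `if len(p.Sysctl) > 0 {` is the idiomatic form. The assignment also replaces `p.InfraContainerSpec.Sysctl` wholesale, so any sysctls a caller had already placed on the infra container spec are silently dropped rather than merged; if both inputs are legitimate, `p.InfraContainerSpec.Sysctl = append(p.InfraContainerSpec.Sysctl, p.Sysctl...)` preserves them. A one-line why-comment would help the next reader, e.g. `// Pod-level sysctls are set on the infra container, which presumably owns the namespaces the pod's other containers join.` MapSpec begins outside the hunk.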
@@ -967,6 +967,49 @@ spec:
       command: ['sh', '-c', 'ls -l /proc/self/ns/ipc']
 `
 
+var podWithSysctlDefined = `
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-sysctl
+spec:
+  securityContext:
+    sysctls:
+    - name: kernel.msgmax
+      value: "65535"
+    - name: net.core.somaxconn
+      value: "65535"
+  containers:
+  - name: alpine
+    image: quay.io/libpod/alpine:latest
+    command:
+    - "/bin/sh"
+    - "-c"
+    - "sysctl kernel.msgmax;sysctl net.core.somaxconn"
+`
+
+var podWithSysctlHostNetDefined = `
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-sysctl
+spec:
+  securityContext:
+    sysctls:
+    - name: kernel.msgmax
+      value: "65535"
+    - name: net.core.somaxconn
+      value: "65535"
+  hostNetwork: true
+  containers:
+  - name: alpine
+    image: quay.io/libpod/alpine:latest
+    command:
+    - "/bin/sh"
+    - "-c"
+    - "sysctl kernel.msgmax"
+`
+
 var (
 	defaultCtrName = "testCtr"
 	defaultCtrCmd = []string{"top"}
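Review bot: `podWithSysctlHostNetDefined` mixes the network sysctl it exists to exercise with an unrelated IPC sysctl, `kernel.msgmax`, so a rejection of that fixture cannot be attributed to `net.core.somaxconn` under `hostNetwork: true` alone. Dropping the `kernel.msgmax` entry from this fixture (it is already covered by `podWithSysctlDefined`) makes the cause of the expected failure unambiguous. The container command `sysctl kernel.msgmax` in the same fixture is never expected to run, so it can be trimmed as well.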
@@ -5034,4 +5077,29 @@ spec:
 		Expect(inspect.OutputToString()).To(ContainSubstring("\"Aliases\": [ \"" + ctrName + "\""))
 	})
 
+	It("podman play kube test with sysctl defined", func() {
+		SkipIfRootless("Network sysctls are not available for rootless")
+		err := writeYaml(podWithSysctlDefined, kubeYaml)
+		Expect(err).ToNot(HaveOccurred())
+
+		kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
+		kube.WaitWithDefaultTimeout()
+		Expect(kube).Should(Exit(0))
+
+		logs := podmanTest.Podman([]string{"pod", "logs", "-c", "test-sysctl-alpine", "test-sysctl"})
+		logs.WaitWithDefaultTimeout()
+		Expect(logs).Should(Exit(0))
+		Expect(logs.OutputToString()).To(ContainSubstring("kernel.msgmax = 65535"))
+		Expect(logs.OutputToString()).To(ContainSubstring("net.core.somaxconn = 65535"))
+	})
+
+	It("podman play kube test with sysctl & host network defined", func() {
+		SkipIfRootless("Network sysctls are not available for rootless")
+		err := writeYaml(podWithSysctlHostNetDefined, kubeYaml)
+		Expect(err).ToNot(HaveOccurred())
+
+		kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
+		kube.WaitWithDefaultTimeout()
+		Expect(kube).Should(Exit(125))
+	})
 })
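Review bot: The host-network test asserts only `Expect(kube).Should(Exit(125))`, so it also passes if `play kube` fails for an unrelated reason such as an unreadable YAML file or an image pull failure. Pin the cause by checking stderr for the rejected sysctl as well, e.g. `Expect(kube.ErrorToString()).To(ContainSubstring("net.core.somaxconn"))`, adjusting the substring to whatever the rejection error actually reports. Both tests are skipped under rootless for a network-sysctl reason, which leaves the `kernel.msgmax` half of the first test, an IPC sysctl that is presumably not subject to that limitation, unexercised rootless; a rootless variant setting only `kernel.msgmax` would cover it.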