protectKernelDefaults is a kubelet option that is recommended when hardening your K8s cluster. It ensures that the system has specific kernel settings configured exactly as kubelet expects, and if for some reason these settings are modified or reverted, kubelet will refuse to start rather than let the node run in an undesired state.
The three specific system tunables that this option looks for are:
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
Before you can enable this flag, you must configure the OS on every machine you are provisioning so that kubelet doesn't simply start crashing on deployment. You can use the following to configure your hosts:
Create 90-kubelet.conf with the values below:
sudo tee /etc/sysctl.d/90-kubelet.conf << EOF
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
EOF
Enable the config:
sudo sysctl -p /etc/sysctl.d/90-kubelet.conf
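Before enabling the flag, you can verify on each host that the three tunables above hold the values kubelet expects, so it will not refuse to start. The following pre-flight script is an added example, not part of the DKP documentation; the optional directory argument to check_kernel_defaults is an assumed test hook that lets the same function run against a copied tree instead of the live /proc/sys.

```sh
#!/bin/sh
# Pre-flight check for kubelet --protect-kernel-defaults (added example, not
# from the DKP docs): verifies the three tunables kubelet inspects hold the
# values it requires, so enabling the flag does not leave kubelet crash-looping.
#
# Save as check_kernel_defaults.sh and run on each host before enabling the
# flag. Exit status 0 means all tunables match; 1 lists every mismatch.

# Tunables kubelet checks, as "proc-path=required-value" pairs.
REQUIRED_TUNABLES="vm/overcommit_memory=1 kernel/panic=10 kernel/panic_on_oops=1"

# check_kernel_defaults [ROOT]
# ROOT defaults to /proc/sys; passing another directory (an assumed test hook,
# not a kubelet feature) runs the check against a copied tree.
check_kernel_defaults() {
  root="${1:-/proc/sys}"
  rc=0
  for entry in $REQUIRED_TUNABLES; do
    key="${entry%=*}"
    want="${entry#*=}"
    # A missing or unreadable file is a mismatch, not something to skip:
    # kubelet would refuse to start in that case too.
    have=$(cat "$root/$key" 2>/dev/null || echo "<unreadable>")
    if [ "$have" != "$want" ]; then
      printf 'MISMATCH %s: have %s, want %s\n' \
        "$(echo "$key" | tr / .)" "$have" "$want" >&2
      rc=1
    fi
  done
  return "$rc"
}

# When executed directly under its own name, check the live kernel.
if [ "${0##*/}" = "check_kernel_defaults.sh" ]; then
  check_kernel_defaults && echo "all kubelet kernel defaults OK"
fi
```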
You can now enable this option in Kubernetes. The proper way to do this is to edit the cluster.yaml before applying it to create the cluster. You can generate a cluster.yaml via the --dry-run flag of the DKP CLI:
./dkp create cluster preprovisioned --cluster-name ${CLUSTER_NAME} --control-plane-endpoint-host 10.4.6.40 --virtual-ip-interface ens192 --dry-run -o yaml > ${CLUSTER_NAME}.yaml
You would do this instead of the step listed here, which immediately creates the cluster:
https://docs.d2iq.com/dkp/konvoy/2.0/choose_infrastructure/pre-provisioned/create-cluster/
We generate a cluster.yaml via --dry-run and edit the objects inside before creating the cluster because they cannot be modified after creation. Add a kubeletExtraArgs value of protect-kernel-defaults: "true" to every control plane and worker group; this enables --protect-kernel-defaults on kubelet for you.
You should have only one KubeadmControlPlane object, but you may have multiple KubeadmConfigTemplate objects, one per separate worker pool you have defined. Find each object of the types listed below in the cluster.yaml and add the kubeletExtraArgs value in the location indicated:
KubeadmControlPlane:
spec:
  kubeadmConfigSpec:
    initConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          protect-kernel-defaults: "true"
    joinConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          protect-kernel-defaults: "true"

KubeadmConfigTemplate:
spec:
  template:
    spec:
      joinConfiguration:
        nodeRegistration:
          kubeletExtraArgs:
            protect-kernel-defaults: "true"
After editing, you can apply the cluster.yaml to start the cluster creation.
If you have already created the cluster, the best way is to edit the /var/lib/kubelet/config.yaml file manually on every host in your environment, add protectKernelDefaults: true to this file, then restart kubelet. Do not put quotes around the value when adding it directly to the kubelet config.yaml.