Deployment的podTemplate设置内核参数踩坑 kubernetes

背景 【Deployment的podTemplate设置内核参数踩坑】业务开发需要修改pod的内核参数，这些参数被认为是 unsafe 的参数，需要修改kubelet 的 --allowed-unsafe-sysctls 中才可以用，同时要把pod指定调度到这些kubelet被修改过的节点。
在忘记设置节点亲和性或者nodeSelector的情况下，直接修改deployment，会造成什么样的问题。下面通过实验复现一遍。
实验自 k8s 1.12 起，sysctls 特性 beta 并默认开启，允许用户在 pod 的 securityContext 中设置内核参数

apiVersion: apps/v1 kind: Deployment metadata: name: nginx spec: replicas: 1 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: securityContext: sysctls: - name: net.core.somaxconn value: "1024" containers: - name: nginx image: nginx

创建deplyemnt后，过五分钟后查看，集群创建了上千个pod

$ kubectl get pods NAMEREADYSTATUSRESTARTSAGE nginx-7fbbcfcc7d-4gmrg0/1SysctlForbidden021s nginx-7fbbcfcc7d-6dfpm0/1SysctlForbidden017s nginx-7fbbcfcc7d-6jkdn0/1SysctlForbidden014s nginx-7fbbcfcc7d-6mf6z0/1SysctlForbidden016s nginx-7fbbcfcc7d-6p2hs0/1SysctlForbidden021s nginx-7fbbcfcc7d-cd7590/1SysctlForbidden012s nginx-7fbbcfcc7d-ckqbl0/1SysctlForbidden016s nginx-7fbbcfcc7d-gtvq40/1SysctlForbidden016s nginx-7fbbcfcc7d-jbv2p0/1SysctlForbidden018s nginx-7fbbcfcc7d-jdh840/1SysctlForbidden018s nginx-7fbbcfcc7d-kmd9p0/1SysctlForbidden020s nginx-7fbbcfcc7d-lcp6k0/1SysctlForbidden015s nginx-7fbbcfcc7d-lsdlx0/1SysctlForbidden015s nginx-7fbbcfcc7d-mbd740/1SysctlForbidden019s nginx-7fbbcfcc7d-mbjnf0/1SysctlForbidden018s nginx-7fbbcfcc7d-mmbj70/1SysctlForbidden021s nginx-7fbbcfcc7d-n2ndn0/1SysctlForbidden021s nginx-7fbbcfcc7d-rhjmp0/1SysctlForbidden014s nginx-7fbbcfcc7d-rznhl0/1SysctlForbidden013s nginx-7fbbcfcc7d-sfrl90/1SysctlForbidden021s nginx-7fbbcfcc7d-t9bkk0/1SysctlForbidden019s nginx-7fbbcfcc7d-vd6x80/1SysctlForbidden017s nginx-7fbbcfcc7d-vt2jh0/1SysctlForbidden021s nginx-7fbbcfcc7d-w4l7n0/1SysctlForbidden020s nginx-7fbbcfcc7d-w5sgq0/1SysctlForbidden014s nginx-7fbbcfcc7d-wlf2c0/1SysctlForbidden013s nginx-7fbbcfcc7d-xh22t0/1SysctlForbidden021s

处理方法