Modifying Kernel Parameters Using a Privileged Container

Prerequisites

To access a Kubernetes cluster from a client, you can use the Kubernetes command line tool kubectl.

Procedure

  1. Create a DaemonSet on the backend that uses the Nginx image, runs the container in privileged mode, configures the lifecycle, and sets hostNetwork: true.

    1. Create a DaemonSet file.

      vi daemonset.yaml
      

      An example YAML file is provided as follows:

      Important

      The spec.template.spec.containers.lifecycle field (the postStart hook) specifies the command that is run after the container has started.

      kind: DaemonSet
      apiVersion: apps/v1
      metadata:
        name: daemonset-test
        labels:
          name: daemonset-test
      spec:
        selector:
          matchLabels:
            name: daemonset-test
        template:
          metadata:
            labels:
              name: daemonset-test
          spec:
            hostNetwork: true
            containers:
            - name: daemonset-test
              image: nginx:alpine-perl
              command:
              - "/bin/sh"
              args:
              - "-c"
              - while :; do time=$(date); sleep 1; done
              imagePullPolicy: IfNotPresent
              lifecycle:
                postStart:
                  exec:
                    command:
                    - sysctl
                    - "-w"
                    - net.ipv4.tcp_tw_reuse=1
              securityContext:
                privileged: true
            imagePullSecrets:
            - name: default-secret
      
    2. Create the DaemonSet.

      kubectl create -f daemonset.yaml
      
  2. Check whether the DaemonSet has been created.

    kubectl get daemonset {daemonset_name}
    

    In this example, run the following command:

    kubectl get daemonset daemonset-test
    

    Information similar to the following is displayed:

    NAME               DESIRED    CURRENT   READY    UP-TO-DATE    AVAILABLE     NODE SELECTOR   AGE
    daemonset-test     2          2         2        2             2             <node>          2h
    
  3. Obtain the names of the DaemonSet pods running on the nodes.

    kubectl get pod | grep {daemonset_name}
    

    In this example, run the following command:

    kubectl get pod | grep daemonset-test
    

    Information similar to the following is displayed:

    daemonset-test-mqdpv               1/1     Running             0          2h
    daemonset-test-n56vm               1/1     Running             0          2h
    
  4. Access the container.

    kubectl exec -it {pod_name} -- /bin/sh
    

    In this example, run the following command:

    kubectl exec -it daemonset-test-mqdpv -- /bin/sh
    
  5. Check whether the configured command is executed after the container is started.

    sysctl -a | grep net.ipv4.tcp_tw_reuse
    

    If the following information is displayed, the kernel parameter has been modified successfully:

    net.ipv4.tcp_tw_reuse=1
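Step 5 checks a single pod. To confirm the change on every node, the following script, added here as an example and not part of the original procedure, lists the DaemonSet pods with their nodes and reads the parameter through each pod. It assumes kubectl is configured for the cluster and that the pods carry the label name=daemonset-test from the manifest above.

```shell
#!/bin/sh
# Added example (not from the original procedure): confirm that
# net.ipv4.tcp_tw_reuse is set on every node that runs a daemonset-test pod.
# Assumes kubectl is configured for the cluster and the pods carry the
# label name=daemonset-test from the manifest above.

DS_LABEL="${DS_LABEL:-name=daemonset-test}"
PARAM="${PARAM:-net.ipv4.tcp_tw_reuse}"
WANT="${WANT:-1}"

# Print "<pod> <node> <value>" for each DaemonSet pod. Because the pods run
# with hostNetwork: true, the net.* value read inside a pod is the node's own
# value, so one line per pod is one line per node. A failed exec yields "ERR".
collect_values() {
    kubectl get pod -l "$DS_LABEL" --no-headers \
        -o custom-columns='POD:.metadata.name,NODE:.spec.nodeName' |
    while read -r pod node; do
        value=$(kubectl exec "$pod" -- sysctl -n "$PARAM" 2>/dev/null) || value="ERR"
        printf '%s %s %s\n' "$pod" "$node" "$value"
    done
}

# Read "<pod> <node> <value>" lines from stdin, print one MISMATCH line per
# node whose value differs from WANT (an ERR counts as a mismatch), and
# return non-zero when any node is wrong so the script can gate a rollout.
report_mismatches() {
    bad=0
    while read -r pod node value; do
        if [ "$value" != "$WANT" ]; then
            echo "MISMATCH node=$node pod=$pod $PARAM=$value (want $WANT)"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Only query the cluster when explicitly asked: sh check_tcp_tw_reuse.sh run
case "${1:-}" in
    run) collect_values | report_mismatches ;;
esac
```

A node where the postStart hook failed or where the pod was restarted after someone reset the value shows up as a MISMATCH line, and the non-zero exit status lets the check be wired into a pipeline.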