Add protectKernelDefaults option (default true) to kubelet config file (#6611)

roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2

@@ -31,6 +31,9 @@ healthzPort: {{ kubelet_healthz_port }}
 healthzBindAddress: {{ kubelet_healthz_bind_address }}
 kubeletCgroups: {{ kubelet_kubelet_cgroups }}
 clusterDomain: {{ dns_domain }}
+{% if kubelet_protect_kernel_defaults|bool %}
+protectKernelDefaults: true
+{% endif %}
 {% if kubelet_rotate_certificates|bool %}
 rotateCertificates: true
 {% endif %}

roles/kubernetes/preinstall/tasks/0080-system-configurations.yml

@@ -61,3 +61,16 @@
     value: 1
     state: present
     reload: yes
+
+- name: Ensure kube-bench parameters are set
+  sysctl:
+    sysctl_file: /etc/sysctl.d/bridge-nf-call.conf
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    reload: yes
+  with_items:
+    - { name: vm.overcommit_memory, value: 1 }
+    - { name: kernel.panic, value: 10 }
+    - { name: kernel.panic_on_oops, value: 1 }
+  when: kubelet_protect_kernel_defaults|bool

roles/kubespray-defaults/defaults/main.yaml

@@ -397,6 +397,9 @@ kubelet_rotate_certificates: true
 # kubelet can also request a new server certificate from the Kubernetes API
 kubelet_rotate_server_certificates: false
 
+# If set to true, kubelet errors if any of kernel tunables is different than kubelet defaults
+kubelet_protect_kernel_defaults: true
+
 ## List of key=value pairs that describe feature gates for
 ## the k8s cluster.
 kube_feature_gates: []