Last modified February 26, 2020

Kernel settings

We adjust some kernel settings of machines used as Kubernetes nodes to non-standard values. Here is a complete reference.

General Performance and Security settings

kernel.kptr_restrict2Hide kernel pointers to mitigate the kernels attack surface
kernel.sysrq0Reduce the kernel’s attack surface
net.ipv4.conf.all.arp_ignore1Harden SSH security
net.ipv4.conf.all.arp_announce2Harden SSH security
net.ipv4.conf.all.log_martians1Log all martians packets coming to existing network interfaces
net.ipv4.conf.all.rp_filter1Harden SSH security
net.ipv4.conf.all.send_redirects0Do not send redirects for IPv4
net.ipv4.conf.default.accept_redirects0Do not accept redirects for IPv4
net.ipv4.conf.default.log_martians1Log all martians packets coming to freshly added network interfaces
net.ipv4.tcp_timestamps0Do not add timestamps to use less CPU cycles
net.ipv6.conf.all.accept_redirects0Do not send redirects for IPv6
net.ipv6.conf.default.accept_redirects0Do not accept redirects for IPv6

Kubernetes specific tuning

net.ipv4.ip_local_reserved_ports30000 - 32767Reserving for Node Ports allocations to avoid conflicts with kube-apiserver

Docker specific tuning

fs.inotify.max_user_watches16384Increase the max number of opened file watches to avoid docker lock
fs.inotify.max_user_instances8192Increase the max number of file descriptors to avoid docker lock

Workload specific tuning

net.core.somaxconn32768Ingress controller performance improvements
net.ipv4.ip_local_port_range1024 - 65535Ingress controller performance improvements
vm.max_map_count262144Increased max_map_count because some applications, like Elasticsearch, need higher limit to start properly