We are running an AKS cluster behind a firewall. The firewall severs inactive TCP connections after a few minutes, so we’d like to modify the default TCP keepalive configuration. (The default for Linux is to wait 2 hours, which is way too long.) We tried to configure net.ipv4.tcp_keepalive_time, etc. on the nodes, but unfortunately Kubernetes ignores this and our pods continue to use the original Linux defaults.
It seems our only option is to use securityContext.sysctls in every pod spec. Is that correct? Unfortunately, the TCP keepalive sysctls are not considered “safe”, so it seems this would require passing --allowed-unsafe-sysctls to kubelet. Are these particular sysctls actually “unsafe”? If so, why? If not, can they be added to the default allowlist?
Note: I know we can also configure TCP keepalive in the application itself via socket options. Unfortunately, some third-party libraries/applications (e.g., boto3) do not offer any way to set these. Setting the system defaults is the only way, unfortunately.
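The two pieces the question describes, the kubelet allowlist plus a per-pod securityContext.sysctls entry, as an added worked example that is not part of the original question. It assumes a kubelet that still classifies the keepalive sysctls as unsafe; the sysctl names are the real Linux ones, while the pod name, image and timer values are illustrative choices.

```yaml
# Added example, not from the original question. Assumes a kubelet that still
# treats the keepalive sysctls as "unsafe"; pod name, image and timer values
# are illustrative.
#
# 1. Kubelet side: allowlist the three keepalive sysctls. This is the
#    KubeletConfiguration form of
#    --allowed-unsafe-sysctls=net.ipv4.tcp_keepalive_time,net.ipv4.tcp_keepalive_intvl,net.ipv4.tcp_keepalive_probes
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
allowedUnsafeSysctls:
  - net.ipv4.tcp_keepalive_time
  - net.ipv4.tcp_keepalive_intvl
  - net.ipv4.tcp_keepalive_probes
---
# 2. Pod side: set the timers in the pod's own network namespace. Node-level
#    net.ipv4.* settings do not reach a non-hostNetwork pod because each pod
#    gets its own network namespace, which is why the node edit had no effect.
apiVersion: v1
kind: Pod
metadata:
  name: keepalive-demo        # illustrative name
spec:
  securityContext:
    sysctls:
      - name: net.ipv4.tcp_keepalive_time
        value: "60"           # first probe after 60 s idle (Linux default: 7200)
      - name: net.ipv4.tcp_keepalive_intvl
        value: "10"           # subsequent probes every 10 s (default: 75)
      - name: net.ipv4.tcp_keepalive_probes
        value: "5"            # give up after 5 unanswered probes (default: 9)
  containers:
    - name: app
      image: python:3.12-slim   # illustrative image; any image works for the check
      command: ["sleep", "infinity"]
```

To confirm the setting took effect inside the pod rather than on the node, run `kubectl exec keepalive-demo -- cat /proc/sys/net/ipv4/tcp_keepalive_time`; it should print 60. If the kubelet has not allowlisted the sysctls, the pod is rejected at admission and never starts, which is the failure to look for. Two caveats: these sysctls only set the timers, so the kernel still sends probes only on sockets that have SO_KEEPALIVE enabled; and newer Kubernetes releases (v1.29 onward) moved these three keepalive sysctls into the safe set, so on such a kubelet the allowlist step is unnecessary and the pod-level securityContext.sysctls entry works on its own.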