$ kubectl apply -f manifest.yaml pod/client created pod/sysctl-default-pod created pod/sysctl-forbidden-pod created $ kubectl -n istio-vt-t77 wait --for=condition=Ready pod/sysctl-default-pod --timeout=60s pod/sysctl-default-pod condition met $ kubectl -n istio-vt-t77 wait --for=condition=Ready pod/client --timeout=120s pod/client condition met $ kubectl -n istio-vt-t77 get pods -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES client 2/2 Running 0 10s 10.255.126.8 k8s-worker2 sysctl-default-pod 1/1 Running 0 10s 10.255.194.99 k8s-worker1 sysctl-forbidden-pod 0/1 SysctlForbidden 0 10s k8s-worker2 $ kubectl -n istio-vt-t77 exec sysctl-default-pod -- sysctl net.ipv4.tcp_tw_reuse net.ipv4.tcp_tw_reuse = 2 # expect 2 (kernel hardcoded default, netns init does not inherit host) $ kubectl apply -f manifest.yaml pod/client configured pod/sysctl-default-pod unchanged pod/sysctl-forbidden-pod unchanged $ sleep 5 $ kubectl -n istio-vt-t77 get pod sysctl-forbidden-pod -o jsonpath='{.status.phase}{" "}{.status.reason}{" "}' Failed SysctlForbidden $ kubectl -n istio-vt-t77 describe pod sysctl-forbidden-pod | grep -i sysctl Name: sysctl-forbidden-pod Labels: app=sysctl-forbidden-pod Reason: SysctlForbidden Message: Pod was rejected: forbidden sysctl: "net.ipv4.tcp_tw_reuse" not allowlisted Normal Scheduled 66s default-scheduler Successfully assigned istio-vt-t77/sysctl-forbidden-pod to k8s-worker2 Warning SysctlForbidden 67s kubelet forbidden sysctl: "net.ipv4.tcp_tw_reuse" not allowlisted $ NODE=$(kubectl -n istio-vt-t77 get pod sysctl-default-pod -o jsonpath='{.spec.nodeName}'); echo $NODE k8s-worker1 $ echo "NOTE: to make sysctl-forbidden-pod schedulable, add --allowed-unsafe-sysctls=net.ipv4.tcp_tw_reuse to kubelet on node and re-apply sysctl-forbidden-pod.yaml, then re-run the next commands (requires host-level kubelet config change; do NOT do this automatically without approval since it changes shared node config)" NOTE: to make 
sysctl-forbidden-pod schedulable, add --allowed-unsafe-sysctls=net.ipv4.tcp_tw_reuse to kubelet on node and re-apply sysctl-forbidden-pod.yaml, then re-run the next commands (requires host-level kubelet config change; do NOT do this automatically without approval since it changes shared node config) # checking whether the literal-substitution target echo.istio-vt-t77.svc.homelab.local exists (no echo Service is defined in this test's own manifest) No resources found in istio-vt-t77 namespace. # no 'echo' Service in istio-vt-t77 -> the literal ISTIO_VT_NS substitution target is unreachable (DNS NXDOMAIN expected). Falling back to the harness-permitted shared service echo.istio-verify.svc.homelab.local (harness-notes.md explicitly allows calling this shared svc); this only affects the TIME_WAIT-generation step, not C1/C9, which are already confirmed above. $ kubectl -n istio-vt-t77 exec sysctl-default-pod -- ss -tan state time-wait | wc -l 1 $ kubectl -n istio-vt-t77 exec sysctl-default-pod -- sh -c 'for i in $(seq 1 60); do (exec 3<>/dev/tcp/echo.istio-verify.svc.homelab.local/80 2>/dev/null; exec 3<&-) 2>/dev/null; done' command terminated with exit code 1 $ kubectl -n istio-vt-t77 exec sysctl-default-pod -- ss -tan state time-wait Recv-Q Send-Q Local Address:Port Peer Address:Port $ kubectl -n istio-vt-t77 exec sysctl-default-pod -- ss -tan state time-wait | wc -l 1 # 'sh' in nicolaka/netshoot is busybox ash, which lacks /dev/tcp support -> the loop failed with exit code 1 and no visible error (stderr was redirected to /dev/null), and ss still shows only its header line (wc -l = 1), i.e. no TIME_WAIT sockets were created. Re-running with bash (present in the image) instead of sh, using the same /dev/tcp technique against the shared echo.istio-verify service (see note above). 
$ kubectl -n istio-vt-t77 exec sysctl-default-pod -- bash -c 'for i in $(seq 1 60); do (exec 3<>/dev/tcp/echo.istio-verify.svc.homelab.local/80 2>/dev/null; exec 3<&-) 2>/dev/null; done; echo LOOP_DONE' LOOP_DONE $ kubectl -n istio-vt-t77 exec sysctl-default-pod -- ss -tan state time-wait | wc -l 62 $ kubectl -n istio-vt-t77 exec sysctl-default-pod -- ss -tan state time-wait | head -20 Recv-Q Send-Q Local Address:Port Peer Address:Port 0 0 10.255.194.99:33778 10.250.152.233:80 0 0 10.255.194.99:33538 10.250.152.233:80 0 0 10.255.194.99:33600 10.250.152.233:80 0 0 10.255.194.99:34198 10.250.152.233:80 0 0 10.255.194.99:33650 10.250.152.233:80 0 0 10.255.194.99:33436 10.250.152.233:80 0 0 10.255.194.99:33636 10.250.152.233:80 0 0 10.255.194.99:33652 10.250.152.233:80 0 0 10.255.194.99:33866 10.250.152.233:80 0 0 10.255.194.99:33850 10.250.152.233:80 0 0 10.255.194.99:33728 10.250.152.233:80 0 0 10.255.194.99:33876 10.250.152.233:80 0 0 10.255.194.99:33818 10.250.152.233:80 0 0 10.255.194.99:33430 10.250.152.233:80 0 0 10.255.194.99:33692 10.250.152.233:80 0 0 10.255.194.99:33622 10.250.152.233:80 0 0 10.255.194.99:33902 10.250.152.233:80 0 0 10.255.194.99:33736 10.250.152.233:80 0 0 10.255.194.99:33862 10.250.152.233:80