
Restrict sysctls in CEL expressions

Sysctls can disable security mechanisms or affect every container on a host, so they should be disallowed except for a small allowed "safe" subset: the sysctls the Pod Security Standards Baseline profile permits. A sysctl is considered safe only if it is namespaced at the container or Pod level, so that setting it is isolated from other Pods and processes on the same Node. This policy ensures that only those safe sysctls can be specified in a Pod's spec.securityContext.sysctls; an unset field passes, and any entry whose name is outside the allowed list fails. As shipped the policy runs with validationFailureAction: Audit, so violations are only reported; set it to Enforce to have non-compliant Pods rejected at admission.

Policy Definition

/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-sysctls
  annotations:
    policies.kyverno.io/title: Restrict sysctls in CEL expressions
    policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kyverno-version: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      Sysctls can disable security mechanisms or affect all containers on a
      host, and should be disallowed except for an allowed "safe" subset. A
      sysctl is considered safe if it is namespaced in the container or the
      Pod, and it is isolated from other Pods or processes on the same Node.
      This policy ensures that only those "safe" subsets can be specified in
      a Pod.
spec:
  # Audit only reports violations; change to Enforce to block non-compliant Pods.
  validationFailureAction: Audit
  background: true
  rules:
    - name: check-sysctls
      match:
        any:
        - resources:
            kinds:
              - Pod
            operations:
            - CREATE
            - UPDATE
      validate:
        cel:
          variables:
            # The "safe" sysctls permitted by the Pod Security Standards Baseline profile.
            - name: allowedSysctls
              expression: "['kernel.shm_rmid_forced','net.ipv4.ip_local_port_range','net.ipv4.ip_unprivileged_port_start','net.ipv4.tcp_syncookies','net.ipv4.ping_group_range']"
          expressions:
            # The optional-chaining hops (?.) and orValue([]) turn an unset
            # securityContext or sysctls field into an empty list, which passes.
            # Every entry that is present must carry a name from the allowed list;
            # a sysctl entry is an object, so comparing it with '' can never be
            # true and that clause is not needed.
            - expression: >-
                object.spec.?securityContext.?sysctls.orValue([]).all(sysctl,
                has(sysctl.name) && sysctl.name in variables.allowedSysctls)
              message: >-
                Setting sysctls outside the allowed set is disallowed.
                The field spec.securityContext.sysctls must be unset or use only the names
                kernel.shm_rmid_forced, net.ipv4.ip_local_port_range,
                net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies and
                net.ipv4.ping_group_range.