Restrict sysctls
Sysctls can disable kernel security mechanisms or affect every container on a host, so they should be disallowed except for a small "safe" subset. A sysctl is considered safe if it is namespaced in the container or the Pod and isolated from other Pods and processes on the same Node. This policy allows only that safe subset (kernel.shm_rmid_forced, net.ipv4.ip_local_port_range, net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies and net.ipv4.ping_group_range) in spec.securityContext.sysctls; a Pod that sets no sysctls at all passes. Note that the policy ships with validationFailureAction: Audit, which reports violations without rejecting the Pod; set it to Enforce to block non-compliant Pods at admission.
Policy Definition
/pod-security/baseline/restrict-sysctls/restrict-sysctls.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-sysctls
  annotations:
    policies.kyverno.io/title: Restrict sysctls
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/description: >-
      Sysctls can disable security mechanisms or affect all containers on a
      host, and should be disallowed except for an allowed "safe" subset. A
      sysctl is considered safe if it is namespaced in the container or the
      Pod, and it is isolated from other Pods or processes on the same Node.
      This policy ensures that only those "safe" subsets can be specified in
      a Pod.
spec:
  # Audit only reports violations; change to Enforce to reject Pods at admission.
  validationFailureAction: Audit
  background: true
  rules:
    - name: check-sysctls
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          Setting additional sysctls above the allowed type is disallowed.
          The field spec.securityContext.sysctls must be unset or not use any other names
          than kernel.shm_rmid_forced, net.ipv4.ip_local_port_range,
          net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies and
          net.ipv4.ping_group_range.
        pattern:
          spec:
            # =() is a conditional anchor: the nested pattern is only evaluated
            # if the field is present, so a Pod without sysctls passes.
            =(securityContext):
              =(sysctls):
                # The list element is applied to every entry of the Pod's list;
                # "|" separates the alternative values each name may take.
                - =(name): "kernel.shm_rmid_forced | net.ipv4.ip_local_port_range | net.ipv4.ip_unprivileged_port_start | net.ipv4.tcp_syncookies | net.ipv4.ping_group_range"
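The following is an added example, not Kyverno code or part of the original policy page. It mirrors the semantics of the pattern above in plain Python so the behaviour can be checked offline: the conditional anchors mean a missing securityContext or sysctls list passes, and when the list is present every entry's name must be one of the allowed alternatives. The Pod manifests are constructed for illustration, and the sysctl net.core.somaxconn is used only as an example of a name outside the allowed set.

```python
from __future__ import annotations

# The "safe" sysctls named in the policy's =(name) alternatives.
ALLOWED_SYSCTLS = frozenset({
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.ip_unprivileged_port_start",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
})


def check_sysctls(pod: dict) -> list[str]:
    """Return the disallowed sysctl names in a Pod manifest (empty list = compliant).

    Mirrors the policy's conditional anchors: if spec.securityContext or
    spec.securityContext.sysctls is absent there is nothing to check and the
    Pod passes. When the list is present, the pattern's single list element is
    applied to every item, so each entry's name must be one of the allowed
    values.
    """
    spec = pod.get("spec") or {}
    security_context = spec.get("securityContext")
    if security_context is None:          # =(securityContext) absent -> pass
        return []
    sysctls = security_context.get("sysctls")
    if sysctls is None:                   # =(sysctls) absent -> pass
        return []
    violations = []
    for entry in sysctls:
        name = entry.get("name")
        if name is None:                  # =(name) absent on this entry -> no constraint
            continue
        if name not in ALLOWED_SYSCTLS:
            violations.append(name)
    return violations


# Constructed sample Pods (not from the original page).
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "safe-sysctls"},
    "spec": {
        "securityContext": {"sysctls": [
            {"name": "net.ipv4.ip_unprivileged_port_start", "value": "80"},
            {"name": "net.ipv4.tcp_syncookies", "value": "1"},
        ]},
        "containers": [{"name": "app", "image": "nginx"}],
    },
}

NO_SYSCTLS_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "no-sysctls"},
    "spec": {"containers": [{"name": "app", "image": "nginx"}]},
}

# One allowed and one disallowed name: the whole Pod fails, and the report
# names only the offending sysctl.
VIOLATING_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "unsafe-sysctls"},
    "spec": {
        "securityContext": {"sysctls": [
            {"name": "kernel.shm_rmid_forced", "value": "1"},
            {"name": "net.core.somaxconn", "value": "4096"},
        ]},
        "containers": [{"name": "app", "image": "nginx"}],
    },
}


def verdict(pod: dict) -> str:
    """Summarise a Pod the way a policy report would: pass, or fail with names."""
    bad = check_sysctls(pod)
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    if not bad:
        return f"{name}: pass"
    return f"{name}: fail (disallowed sysctls: {', '.join(bad)})"


if __name__ == "__main__":
    for pod in (COMPLIANT_POD, NO_SYSCTLS_POD, VIOLATING_POD):
        print(verdict(pod))
```

To exercise the real policy against such manifests, write them to a file and run the Kyverno CLI: `kyverno apply restrict-sysctls.yaml --resource pods.yaml`. The CLI reports the same pass/fail split, with the validate message quoted above for any failing Pod.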