Restrict Sysctls

Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed "safe" subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node. This policy ensures that only those "safe" subsets can be specified in a Pod.

Policy Definition

/pod-security/baseline/restrict-sysctls/restrict-sysctls.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-sysctls
  annotations:
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Sysctls can disable security mechanisms or affect all containers on a
      host, and should be disallowed except for an allowed "safe" subset. A
      sysctl is considered safe if it is namespaced in the container or the
      Pod, and it is isolated from other Pods or processes on the same Node.
      This policy ensures that only those "safe" subsets can be specified in
      a Pod.
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: sysctls
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: >-
          Setting additional sysctls above the allowed type is disallowed.
          The field spec.securityContext.sysctls must not use any other names
          than 'kernel.shm_rmid_forced', 'net.ipv4.ip_local_port_range',
          'net.ipv4.tcp_syncookies' and 'net.ipv4.ping_group_range'.
        pattern:
          spec:
            =(securityContext):
              =(sysctls):
                - name: "kernel.shm_rmid_forced | net.ipv4.ip_local_port_range | net.ipv4.tcp_syncookies | net.ipv4.ping_group_range"
                  value: "?*"
28          The field spec.securityContext.sysctls must not use any other names
29          than 'kernel.shm_rmid_forced', 'net.ipv4.ip_local_port_range',
30          'net.ipv4.tcp_syncookies' and 'net.ipv4.ping_group_range'.          
31        pattern:
32          spec:
33            =(securityContext):
34              =(sysctls):
35                - name: "kernel.shm_rmid_forced | net.ipv4.ip_local_port_range | net.ipv4.tcp_syncookies | net.ipv4.ping_group_range"
36                  value: "?*"
37