/
restrict-sysctls.yaml
39 lines (39 loc) · 1.66 KB
/
restrict-sysctls.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-sysctls
annotations:
policies.kyverno.io/title: Restrict sysctls
policies.kyverno.io/category: Pod Security Standards (Baseline)
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
kyverno.io/kubernetes-version: "1.22-1.23"
policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/restrict-sysctls/"
policies.kyverno.io/description: >-
Sysctls can disable security mechanisms or affect all containers on a
host, and should be disallowed except for an allowed "safe" subset. A
sysctl is considered safe if it is namespaced in the container or the
Pod, and it is isolated from other Pods or processes on the same Node.
This policy ensures that only those "safe" subsets can be specified in
a Pod. The field spec.securityContext.sysctls must be unset or not use any other names
than kernel.shm_rmid_forced, net.ipv4.ip_local_port_range,
net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies and
net.ipv4.ping_group_range.
spec:
validationFailureAction: Audit
background: true
rules:
- name: check-sysctls
match:
any:
- resources:
kinds:
- Pod
validate:
message: >-
Setting additional sysctls beyond the allowed type is disallowed.
pattern:
spec:
=(securityContext):
=(sysctls):
- =(name): "kernel.shm_rmid_forced | net.ipv4.ip_local_port_range | net.ipv4.ip_unprivileged_port_start | net.ipv4.tcp_syncookies | net.ipv4.ping_group_range"