Restrict Sysctls

Description

Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed “safe” subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.

Restricted Fields

• spec.securityContext.sysctls[*].name

Allowed Values

• Undefined/nil
• kernel.shm_rmid_forced
• net.ipv4.ip_local_port_range
• net.ipv4.ip_unprivileged_port_start
• net.ipv4.tcp_syncookies
• net.ipv4.ping_group_range

Kyverno Policy

Refer to the Nirmata curated policies - restrict-sysctls.yaml

References

Configuration Settings

Setting additional sysctls above the allowed type is disallowed. The field spec.securityContext.sysctls must be unset or not use any other names than kernel.shm_rmid_forced, net.ipv4.ip_local_port_range, net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies and net.ipv4.ping_group_range.

=(securityContext):
  =(sysctls):
    - =(name): "kernel.shm_rmid_forced | net.ipv4.ip_local_port_range | net.ipv4.ip_unprivileged_port_start | net.ipv4.tcp_syncookies | net.ipv4.ping_group_range"

Resource Example

Below is a Deployment resource example where securityContext.sysctls is set to net.ipv4.tcp_syncookies for all containers. This value is from the subset of “safe” system controls.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment05
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: container01
        image: dummyimagename
      securityContext:
        sysctls:
        - name: net.ipv4.tcp_syncookies
          value: "0"