Updated on 2024-02-01 GMT+08:00

k8spspforbiddensysctls

Basic Information

  • Policy type: security
  • Recommended level: L3
  • Effective resource type: Pod
  • Parameter

    allowedSysctls: Array

    forbiddenSysctls: Array

Function

This policy specifies the names that are not allowed in the sysctls field in PodSecurityPolicy.

Policy Example

The following policy instance shows the resource types for which the policy definition takes effect. forbiddenSysctls in parameters defines the names that are not allowed in sysctls.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: psp-forbidden-sysctls
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    forbiddenSysctls:
    # - "*" # * may be used to forbid all sysctls
    - kernel.*

Resource Definition That Complies with the Policy

In the example, the name of sysctls complies with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-forbidden-sysctls-disallowed
  labels:
    app: nginx-forbidden-sysctls
spec:
  containers:
    - name: nginx
      image: nginx
  securityContext:
    sysctls:
      - name: net.core.somaxconn
        value: "1024"

Resource Definition That Does Not Comply with the Policy

In the example, the name (kernel.msgmax) of sysctls does not comply with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-forbidden-sysctls-disallowed
  labels:
    app: nginx-forbidden-sysctls
spec:
  containers:
    - name: nginx
      image: nginx
  securityContext:
    sysctls:
      - name: kernel.msgmax
        value: "65536"
      - name: net.core.somaxconn
        value: "1024"