Help Center/
Ubiquitous Cloud Native Service/
User Guide/
Policy Center/
Policy Definition Library/
k8spspforbiddensysctls
Updated on 2024-02-01 GMT+08:00
k8spspforbiddensysctls
Basic Information
Function
This policy specifies the names that are not allowed in the sysctls field in PodSecurityPolicy.
Policy Example
The following policy instance shows the resource types for which the policy definition takes effect. forbiddenSysctls in parameters defines the names that are not allowed in sysctls.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
name: psp-forbidden-sysctls
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
forbiddenSysctls:
# - "*" # * may be used to forbid all sysctls
- kernel.*
Resource Definition That Complies with the Policy
In the example, the name of sysctls complies with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-forbidden-sysctls-disallowed
labels:
app: nginx-forbidden-sysctls
spec:
containers:
- name: nginx
image: nginx
securityContext:
sysctls:
- name: net.core.somaxconn
value: "1024"
Resource Definition That Does Not Comply with the Policy
In the example, the name (kernel.msgmax) of sysctls does not comply with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-forbidden-sysctls-disallowed
labels:
app: nginx-forbidden-sysctls
spec:
containers:
- name: nginx
image: nginx
securityContext:
sysctls:
- name: kernel.msgmax
value: "65536"
- name: net.core.somaxconn
value: "1024"
Parent topic: Policy Definition Library
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
The system is busy. Please try again later.
For any further questions, feel free to contact us through the chatbot.
Chatbot
