Update restrict-sysctls
Based on restrict-sysctls.
Da ist net.ipv4.ip_unprivileged_port_start dazu gekommen. Und wieder mal failurePolicy: Fail und ein bisschen Wording.
helm template hat bei mir das ergeben:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-sysctls
annotations:
policies.kyverno.io/title: Restrict sysctls
policies.kyverno.io/category: Pod Security Standards (Baseline)
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/description: >-
Sysctls can disable security mechanisms or affect all containers on a
host, and should be disallowed except for an allowed "safe" subset. A
sysctl is considered safe if it is namespaced in the container or the
Pod, and it is isolated from other Pods or processes on the same Node.
This policy ensures that only those "safe" subsets can be specified in
a Pod.
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-policies
app.kubernetes.io/part-of: kyverno-policies
app.kubernetes.io/version: "3.2.6"
helm.sh/chart: kyverno-policies-3.2.6
spec:
validationFailureAction: Audit
background: true
failurePolicy: Fail
rules:
- name: check-sysctls
match:
any:
- resources:
kinds:
- Pod
validate:
message: >-
Setting additional sysctls above the allowed type is disallowed.
The field spec.securityContext.sysctls must be unset or not use any other names
than kernel.shm_rmid_forced, net.ipv4.ip_local_port_range,
net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies and
net.ipv4.ping_group_range.
pattern:
spec:
=(securityContext):
=(sysctls):
- =(name): "kernel.shm_rmid_forced | net.ipv4.ip_local_port_range | net.ipv4.ip_unprivileged_port_start | net.ipv4.tcp_syncookies | net.ipv4.ping_group_range"