https://github.com/kubewarden/sysctl-psp-policy
A Kubewarden policy that controls usage of sysctls
https://github.com/kubewarden/sysctl-psp-policy
hacktoberfest kubernetes kubernetes-security kubewarden-policy pod-security-policy policy-as-code webassembly
Last synced: 1 day ago
JSON representation
A Kubewarden policy that controls usage of sysctls
- Host: GitHub
- URL: https://github.com/kubewarden/sysctl-psp-policy
- Owner: kubewarden
- License: apache-2.0
- Created: 2021-07-30T13:27:06.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2025-06-06T09:38:52.000Z (11 days ago)
- Last Synced: 2025-06-06T10:36:00.792Z (11 days ago)
- Topics: hacktoberfest, kubernetes, kubernetes-security, kubewarden-policy, pod-security-policy, policy-as-code, webassembly
- Language: Go
- Homepage: https://kubewarden.io
- Size: 1.08 MB
- Stars: 2
- Watchers: 5
- Forks: 3
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: CODEOWNERS
Awesome Lists containing this project
README
[](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#policy-scope)
[](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#stable)
# Kubewarden policy to control sysctls in pods
## Description
Replacement for the Kubernetes Pod Security Policy that controls the usage of
sysctls.
Linux Kernel sysctls are grouped into safe and unsafe sets. A safe sysctl must
be properly isolated between pods on the same node, and are properly namespaced
by the kernel. A (possibly outdated) list can be seen
[here](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline).
All safe sysctls are enabled by default in Kubernetes.
All unsafe sysctls are disabled by default and must be explicitly allowed on a
per-node or per-pod basis.
As the deprecated analogous Kubernetes PSP, this policy validates which sysctls
can get set in pods by specifying lists of sysctls or sysctl patterns to be
allowed or forbidden. One can then modify the `securityContext` of Pods to make
use of the Sysctls as permitted by this policy.
## Settings
The following settings are accepted:
* `forbiddenSysctls`: List of plain sysctl names or sysctl patterns (which end
with `*`) to be forbidden. You can forbid a combination of safe and unsafe
sysctls in the list. To forbid setting any sysctls, use `*` on its own.
* `allowedUnsafeSysctls`: List of plain sysctl names that can be used in Pods.
`*` cannot be used. `allowedUnsafeSysctls` has precedence over
`forbiddenSysctls`.
A sysctl cannot be both forbidden and allowed at the same time.
### Example
With this policy deployed and configured as:
``` yaml
forbiddenSysctls:
- net.ipv6.conf.lo.*
allowedUnsafeSysctls:
- net.ipv6.conf.lo.max_addresses
```
A pod specifying the following Sysctls would get permitted, as they are
allowedUnsafe or on the default safe set:
``` yaml
apiVersion: v1
kind: Pod
metadata:
name: sysctl-example
spec:
securityContext:
sysctls:
- name: net.ipv6.conf.lo.max_addresses
value: "1024"
- name: kernel.shm_rmid_forced
value: "0"
...
```
Yet the following pod will get rejected, as `net.ipv6.conf.lo.mtu` is forbidden,
even if `kernel.shm_rmid_forced` is part of the default safe set:
``` yaml
apiVersion: v1
kind: Pod
metadata:
name: sysctl-example
spec:
securityContext:
sysctls:
- name: kernel.shm_rmid_forced
value: "0"
- name: net.ipv6.conf.lo.mtu
value: "32768"
...
```