kyverno/samples/DisallowSysctls.md

# Disallow changes to kernel parameters

The Sysctl interface allows modifications to kernel parameters at runtime. In a Kubernetes, pod these parameters can be specified under `securityContext.sysctls`. Kernel parameter modifications can be used for exploits and should be restricted.

## Additional Information

* [List of supported namespaced sysctl interfaces](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/)

## Policy YAML

[disallow_sysctls.yaml](best_practices/disallow_sysctls.yaml)

````yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-sysctls
spec:
  validationFailureAction: audit
  rules:
  - name: validate-sysctls
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Changes to kernel parameters are not allowed"
      pattern:
        spec:
          securityContext:
            X(sysctls): null
````
add disallow_sysctl and move policies 2019-11-11 17:17:09 -08:00			`# Disallow changes to kernel parameters`

manifest fixes; typos; linting (#1240) 2020-11-11 15:55:02 -05:00			The Sysctl interface allows modifications to kernel parameters at runtime. In a Kubernetes, pod these parameters can be specified under `securityContext.sysctls`. Kernel parameter modifications can be used for exploits and should be restricted.
add disallow_sysctl and move policies 2019-11-11 17:17:09 -08:00
			`## Additional Information`

manifest fixes; typos; linting (#1240) 2020-11-11 15:55:02 -05:00			`* [List of supported namespaced sysctl interfaces](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/)`
add disallow_sysctl and move policies 2019-11-11 17:17:09 -08:00
			`## Policy YAML`

fix tests 2019-11-11 18:51:21 -08:00			`[disallow_sysctls.yaml](best_practices/disallow_sysctls.yaml)`
add disallow_sysctl and move policies 2019-11-11 17:17:09 -08:00
			````yaml
update api in samples/ 2019-11-13 13:56:20 -08:00			`apiVersion: kyverno.io/v1`
add disallow_sysctl and move policies 2019-11-11 17:17:09 -08:00			`kind: ClusterPolicy`
			`metadata:`
			`name: disallow-sysctls`
			`spec:`
add validateFailureAction to all policies (#1068) 2020-08-19 14:04:58 -07:00			`validationFailureAction: audit`
add disallow_sysctl and move policies 2019-11-11 17:17:09 -08:00			`rules:`
			`- name: validate-sysctls`
			`match:`
			`resources:`
			`kinds:`
			`- Pod`
			`validate:`
correct misspelled words 2020-11-17 12:01:01 -08:00			`message: "Changes to kernel parameters are not allowed"`
add disallow_sysctl and move policies 2019-11-11 17:17:09 -08:00			`pattern:`
			`spec:`
			`securityContext:`
			`X(sysctls): null`
			````