diff --git a/examples/best_practices/policy_validate_disallow_sysctl.yaml b/examples/best_practices/policy_validate_disallow_sysctl.yaml
new file mode 100644
index 0000000000..0e0dfb7cb9
--- /dev/null
+++ b/examples/best_practices/policy_validate_disallow_sysctl.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: validate-allow-portrange-with-sysctl
+spec:
+  validationFailureAction: "audit"
+  rules:
+  - name: allow-portrange-with-sysctl
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Allowed port range is from 1024 to 65535"
+      pattern:
+        spec:
+          securityContext:
+            sysctls: 
+            - name: net.ipv4.ip_local_port_range
+              value: "1024 65535"
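Review bot: The `value: "1024 65535"` entry in the pattern is an exact string comparison, so a Pod requesting a narrower range inside the window that `message` advertises would still be reported; the rule is not the range check its message describes. The pattern also carries no anchors, so, if I read Kyverno's pattern matching correctly, Pods that set no `sysctls` at all, or that set any other sysctl name, would fail this rule as well. Making the name conditional, e.g. `- (name): net.ipv4.ip_local_port_range`, would at least skip entries for other sysctls (confirm anchor support in the version this targets). The file is named `policy_validate_disallow_sysctl.yaml` while the policy is `validate-allow-portrange-with-sysctl`; a header comment such as `# Audits Pods whose net.ipv4.ip_local_port_range is not exactly "1024 65535"` would state what is actually checked. With `validationFailureAction: "audit"` violations are only reported, not blocked, which is worth saying in the same comment.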
diff --git a/examples/best_practices/resources/resource_disallow_sysctl.yaml b/examples/best_practices/resources/resource_disallow_sysctl.yaml
new file mode 100644
index 0000000000..15e5464038
--- /dev/null
+++ b/examples/best_practices/resources/resource_disallow_sysctl.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+  labels:
+    name: nginx
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+    ports:
+    - containerPort: 80
+  securityContext:
+    sysctls:
+    - name: net.ipv4.ip_local_port_range
+      value: "50 65535"
\ No newline at end of file
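Review bot: Nothing in this fixture says it is the deliberately non-compliant case; `value: "50 65535"` lets the local port range start below 1024, which is the condition the policy is meant to report. A leading comment such as `# negative fixture: local port range starts below 1024, expected to fail validation` would keep it from being copied out of `examples/best_practices` as a working manifest. `image: nginx` is also untagged, so pinning a tag would keep the example reproducible.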
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 62874cc970..07dde46266 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -127,3 +127,7 @@ func Test_validate_proc_mount(t *testing.T) {
 func Test_validate_container_capabilities(t *testing.T) {
 	testScenario(t, "test/scenarios/test/scenario_validate_container_capabilities.yaml")
 }
+
+func Test_validate_disallow_sysctl(t *testing.T) {
+	testScenario(t, "test/scenarios/test/scenario_validate_disallow_sysctl.yaml")
+}
diff --git a/test/scenarios/test/scenario_validate_disallow_sysctl.yaml b/test/scenarios/test/scenario_validate_disallow_sysctl.yaml
new file mode 100644
index 0000000000..8b22077e7a
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_disallow_sysctl.yaml
@@ -0,0 +1,19 @@
+
+# file path relative to project root
+input:
+  policy: examples/best_practices/policy_validate_disallow_sysctl.yaml
+  resource: examples/best_practices/resources/resource_disallow_sysctl.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: validate-allow-portrange-with-sysctl
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: nginx
+      rules:
+        - name: allow-portrange-with-sysctl
+          type: Validation
+          message: "Validation rule 'allow-portrange-with-sysctl' failed at '/spec/securityContext/sysctls/0/value/' for resource Pod//nginx. Allowed port range is from 1024 to 65535"
+          success: false
\ No newline at end of file
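Review bot: Only the rejection path is pinned here (`success: false` for the `"50 65535"` fixture); no scenario shows that a Pod with `value: "1024 65535"`, or a Pod with no `sysctls` block, passes. Because the policy pattern matches an exact string on every Pod, a passing counterpart is where an over-broad match would surface; a second resource file plus a scenario expecting `success: true` would cover it, assuming the test runner supports passing expectations. The expected `message` also hard-codes the engine's full failure text, including the `/spec/securityContext/sysctls/0/value/` path, so a wording change in the engine would break this test for reasons unrelated to the policy.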