{{- $name := "restrict-sysctls" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: {{ $name }}
  annotations:
    policies.kyverno.io/category: Pod Security Standards (Default)
    {{- if .Values.podSecuritySeverity }}
    policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
    {{- end }}
    policies.kyverno.io/description: >-
      Sysctls can disable security mechanisms or affect all containers on a
      host, and should be disallowed except for an allowed "safe" subset. A
      sysctl is considered safe if it is namespaced in the container or the
      Pod, and it is isolated from other Pods or processes on the same Node.
  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
    app: kyverno
spec:
  validationFailureAction: {{ .Values.validationFailureAction }}
  background: true
  rules:
  - name: sysctls
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Setting additional sysctls above the allowed type is disallowed.
        The field spec.securityContext.sysctls must not use any other names
        than 'kernel.shm_rmid_forced', 'net.ipv4.ip_local_port_range',
        'net.ipv4.tcp_syncookies' and 'net.ipv4.ping_group_range'.
      pattern:
        spec:
          =(securityContext):
            =(sysctls):
            - name: "kernel.shm_rmid_forced | net.ipv4.ip_local_port_range | net.ipv4.tcp_syncookies | net.ipv4.ping_group_range"
              value: "?*"
{{- end -}}