mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
kyverno/samples/ConfigureKernelParmeters.md
2019-10-23 14:45:27 -07:00

Configure kernel parameters

The sysctl interface allows kernel parameters to be modified at runtime; in a pod they are specified under securityContext.sysctls. Modifying kernel parameters from a pod should be handled cautiously, and a policy with rules restricting these options is helpful. We can control the minimum and maximum port that a network connection can use as its source (local) port by checking net.ipv4.ip_local_port_range.

Policy YAML

policy_validate_sysctl_configs.yaml

apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
  name: validate-allow-portrange-with-sysctl
spec:
  rules:
  - name: allow-portrange-with-sysctl
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Allowed port range is from 1024 to 65535"
      pattern:
        spec:
          securityContext:
            sysctls:
            - name: net.ipv4.ip_local_port_range
              value: "1024 65535"
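
The policy pattern above is an exact string match: a pod passes only if net.ipv4.ip_local_port_range is literally "1024 65535", even though the message talks about a range. The following Python is an added example, not Kyverno code and not part of the sample, that reproduces the check outside a cluster so it can be reasoned about and tested: `strict=True` mirrors the policy's exact match, while `strict=False` is a generalisation of this author's own (any sub-range of 1024 to 65535 is accepted). Pods without the sysctl are treated as allowed here by assumption; the pod manifests, the `strict` parameter and all function names are constructed for this example.

```python
"""Validate pod sysctls for net.ipv4.ip_local_port_range.

Added example (not Kyverno's own code): mirrors the intent of the
validate-allow-portrange-with-sysctl policy in plain Python.
"""

ALLOWED_MIN = 1024
ALLOWED_MAX = 65535
SYSCTL_NAME = "net.ipv4.ip_local_port_range"


def parse_port_range(value):
    """Parse a sysctl value of the form "<low> <high>" into (low, high).

    Raises ValueError on malformed input (wrong field count, non-integers,
    reversed bounds); a validating check should treat that as a rejection,
    not a pass.
    """
    parts = value.split()
    if len(parts) != 2:
        raise ValueError(f"expected two fields, got {value!r}")
    low, high = (int(p) for p in parts)
    if low > high:
        raise ValueError(f"lower bound {low} exceeds upper bound {high}")
    return low, high


def find_sysctl(pod, name):
    """Return the value of sysctl `name` from spec.securityContext.sysctls, or None."""
    sysctls = pod.get("spec", {}).get("securityContext", {}).get("sysctls") or []
    for entry in sysctls:
        if entry.get("name") == name:
            return entry.get("value")
    return None


def validate_port_range(pod, strict=True):
    """Return (allowed, message) for a pod manifest given as a dict.

    strict=True reproduces the policy pattern: the value must equal
    "1024 65535" exactly. strict=False is a generalisation not in the
    policy: any range inside [ALLOWED_MIN, ALLOWED_MAX] is accepted.
    """
    value = find_sysctl(pod, SYSCTL_NAME)
    if value is None:
        # Assumption for this example: a pod that does not touch the
        # sysctl has nothing to restrict.
        return True, f"{SYSCTL_NAME} not set"
    try:
        low, high = parse_port_range(value)
    except ValueError as exc:
        return False, f"malformed {SYSCTL_NAME}: {exc}"
    if strict:
        ok = (low, high) == (ALLOWED_MIN, ALLOWED_MAX)
    else:
        ok = ALLOWED_MIN <= low and high <= ALLOWED_MAX
    msg = (f"Allowed port range is from {ALLOWED_MIN} to {ALLOWED_MAX}"
           f" (got {low} {high})")
    return ok, msg


def make_pod(value=None):
    """Build a minimal constructed Pod dict, optionally with the sysctl set."""
    pod = {"apiVersion": "v1", "kind": "Pod",
           "metadata": {"name": "example"}, "spec": {}}
    if value is not None:
        pod["spec"]["securityContext"] = {
            "sysctls": [{"name": SYSCTL_NAME, "value": value}]}
    return pod


# Constructed sample pods (not from the original page).
POD_OK = make_pod("1024 65535")        # exact policy value
POD_LOW = make_pod("80 65535")         # reaches into privileged ports
POD_NARROW = make_pod("20000 30000")   # inside the range, not exact
POD_REVERSED = make_pod("65535 1024")  # malformed: bounds reversed
POD_UNSET = make_pod()                 # sysctl not specified

if __name__ == "__main__":
    for label, pod in [("ok", POD_OK), ("low", POD_LOW),
                       ("narrow", POD_NARROW), ("reversed", POD_REVERSED),
                       ("unset", POD_UNSET)]:
        print(label, validate_port_range(pod), validate_port_range(pod, strict=False))
```

Running the file prints the strict and relaxed verdict for each constructed pod; the reversed-bounds case shows why the value is parsed rather than compared as a raw string only when relaxing the check.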

Additional Information