From 9ac982be5a0c9dee6948f0da89b970c44a664272 Mon Sep 17 00:00:00 2001
From: Rita Zhang
Date: Wed, 11 Sep 2024 13:58:26 -0700
Subject: [PATCH] add tests and update messageExpression
Signed-off-by: Rita Zhang
---
.../1.2.0/artifacthub-pkg.yml | 2 +-
.../psp-forbidden-sysctls/constraint3.yaml | 2 +-
.../psp-forbidden-sysctls/constraint4.yaml | 14 ++
.../psp-forbidden-sysctls/constraint5.yaml | 14 ++
.../forbidden-sysctls/1.2.0/suite.yaml | 36 +++-
.../forbidden-sysctls/1.2.0/template.yaml | 13 +-
.../psp-forbidden-sysctls/constraint3.yaml | 2 +-
.../psp-forbidden-sysctls/constraint4.yaml | 14 ++
.../psp-forbidden-sysctls/constraint5.yaml | 14 ++
.../forbidden-sysctls/suite.yaml | 36 +++-
.../forbidden-sysctls/template.yaml | 13 +-
.../forbidden-sysctls/src.cel | 13 +-
website/docs/validation/forbidden-sysctls.md | 203 +++++++++++++++++-
13 files changed, 346 insertions(+), 30 deletions(-)
create mode 100644 artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint4.yaml
create mode 100644 artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint5.yaml
create mode 100644 library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/constraint4.yaml
create mode 100644 library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/constraint5.yaml
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/artifacthub-pkg.yml
index aae5e46c3..70229c760 100644
--- a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspforbiddensysctls displayName: Forbidden Sysctls createdAt: "2024-07-05T17:47:31Z" description: Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ -digest: c34167b32bcd5b55b48a68614ad4b20cd26294d17be559738f01735ab719f621 +digest: 6e64cb0e325f6894b153216cc2f1b30f2ea4de6d62dced4f7b59209207394ce3 license: Apache-2.0 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/forbidden-sysctls keywords: diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint3.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint3.yaml index 24f0d3905..87c4e405a 100644 --- a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint3.yaml +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint3.yaml @@ -12,4 +12,4 @@ spec: # - "*" # * may be used to forbid all sysctls - kernel.* allowedSysctls: - - "net.*" # allows all sysctls. allowedSysctls is optional. + - "net.*" diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint4.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint4.yaml new file mode 100644 index 000000000..2a9c0dcb5 --- /dev/null +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint4.yaml 
@@ -0,0 +1,14 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPForbiddenSysctls +metadata: + name: psp-forbidden-sysctls +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + forbiddenSysctls: + # - "*" # * may be used to forbid all sysctls + - kernel.* + allowedSysctls: [] # empty allowedSysctls means all sysctls are forbidden diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint5.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint5.yaml new file mode 100644 index 000000000..13e8677d8 --- /dev/null +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint5.yaml @@ -0,0 +1,14 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPForbiddenSysctls +metadata: + name: psp-forbidden-sysctls +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + forbiddenSysctls: + # - "*" # * may be used to forbid all sysctls + - kernel.* + # unspecified allowedSysctls will not place any restrictions diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/suite.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/suite.yaml index fe394ddd8..7ed8a1d02 100644 --- a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/suite.yaml +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/suite.yaml @@ -19,7 +19,7 @@ tests: object: samples/psp-forbidden-sysctls/update.yaml assertions: - violations: no - - name: forbidden-sysctls2 + - name: forbidden-sysctls-wildcard template: template.yaml constraint: samples/psp-forbidden-sysctls/constraint2.yaml cases: 
@@ -27,7 +27,7 @@ tests: object: samples/psp-forbidden-sysctls/example_disallowed.yaml assertions: - violations: yes - - name: example-allowed + - name: example-disallowed object: samples/psp-forbidden-sysctls/example_allowed.yaml assertions: - violations: yes @@ -51,3 +51,35 @@ tests: object: samples/psp-forbidden-sysctls/update.yaml assertions: - violations: no + - name: forbidden-sysctls4-empty-allowedSysctls + template: template.yaml + constraint: samples/psp-forbidden-sysctls/constraint4.yaml + cases: + - name: example-disallowed + object: samples/psp-forbidden-sysctls/example_disallowed.yaml + assertions: + - violations: yes + - name: example-disallowed + object: samples/psp-forbidden-sysctls/example_allowed.yaml + assertions: + - violations: yes + - name: update + object: samples/psp-forbidden-sysctls/update.yaml + assertions: + - violations: no + - name: forbidden-sysctls5-unspecified-allowedSysctls + template: template.yaml + constraint: samples/psp-forbidden-sysctls/constraint5.yaml + cases: + - name: example-disallowed + object: samples/psp-forbidden-sysctls/example_disallowed.yaml + assertions: + - violations: yes + - name: example-allowed + object: samples/psp-forbidden-sysctls/example_allowed.yaml + assertions: + - violations: no + - name: update + object: samples/psp-forbidden-sysctls/update.yaml + assertions: + - violations: no diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/template.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/template.yaml index db4ea623a..6c9ea66bd 100644 --- a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/template.yaml +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/template.yaml 
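Review bot: In the new `forbidden-sysctls4-empty-allowedSysctls` test (hunk @@ -51) two cases carry the same name, `example-disallowed`, one for example_disallowed.yaml and one for example_allowed.yaml, so a failure of either is reported under an ambiguous name; the rename in the @@ -27 hunk appears to produce the same duplicate in the constraint2 test, though that test's first case name sits outside the hunk. Naming the case after the object and the reason it is rejected, e.g. `- name: example-allowed-object-disallowed`, keeps case names unique within a test and keeps the link to the sample file visible in the output. The same two edits are repeated in library/pod-security-policy/forbidden-sysctls/suite.yaml.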
@@ -43,6 +43,8 @@ spec: - engine: K8sNativeValidation source: variables: + - name: isUpdate + expression: has(request.operation) && request.operation == "UPDATE" - name: sysctls expression: '!has(variables.anyObject.spec.securityContext) ? [] : !has(variables.anyObject.spec.securityContext.sysctls) ? [] : variables.anyObject.spec.securityContext.sysctls' - name: allowedSysctlPrefixes @@ -59,19 +61,20 @@ spec: expression: | !has(variables.params.forbiddenSysctls) ? [] : variables.params.forbiddenSysctls.filter(sysctl, !sysctl.endsWith("*")) - - name: allAllowed - expression: '!has(variables.params.allowedSysctls) ? true : false' + - name: allowedSysctlsString + expression: | + !has(variables.params.allowedSysctls) ? "unspecified" : size(variables.params.allowedSysctls) == 0 ? "empty" : variables.params.allowedSysctls.join(", ") - name: violatingSysctls expression: | (variables.sysctls.filter(sysctl, (sysctl.name in variables.forbiddenSysctlExplicit || variables.forbiddenSysctlPrefixes.exists(fsp, string(sysctl.name).startsWith(fsp))) || - (!variables.allAllowed && + (has(variables.params.allowedSysctls) && !(sysctl.name in variables.allowedSysctlExplicit) && !variables.allowedSysctlPrefixes.exists(asp, string(sysctl.name).startsWith(asp))))) validations: - - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.violatingSysctls) == 0' - messageExpression: '"The sysctl is not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + variables.forbiddenSysctls.map(c, c).join(", ") + ", allowed: " + variables.allowedSysctls.map(c, c).join(", ")' + - expression: 'variables.isUpdate || size(variables.violatingSysctls) == 0' + messageExpression: '"The sysctl is not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + variables.params.forbiddenSysctls.join(", ") + ", allowed: " + variables.allowedSysctlsString' - engine: Rego source: rego: | 
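Review bot: The new messageExpression at the end of the @@ -59 hunk calls `variables.params.forbiddenSysctls.join(", ")` with no `has()` guard, although `forbiddenSysctlExplicit` and `forbiddenSysctlPrefixes` just above treat `forbiddenSysctls` as optional; on a constraint that omits it the message expression presumably fails on the missing key and the admission response loses the descriptive message, while `allowedSysctls` is guarded through `allowedSysctlsString`. Suggest a symmetric variable, `- name: forbiddenSysctlsString` with `expression: '!has(variables.params.forbiddenSysctls) ? "unspecified" : variables.params.forbiddenSysctls.join(", ")'`, and `", forbidden: " + variables.forbiddenSysctlsString` in the message. The message also never names the sysctl that was rejected; appending `", violating: " + variables.violatingSysctls.map(s, string(s.name)).join(", ")` would make the denial actionable for the pod author without revealing anything the request did not already contain. The same hunk is repeated in library/pod-security-policy/forbidden-sysctls/template.yaml, src/pod-security-policy/forbidden-sysctls/src.cel and website/docs/validation/forbidden-sysctls.md; the variables list and the validations block both continue outside the hunk.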
diff --git a/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/constraint3.yaml b/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/constraint3.yaml index 24f0d3905..87c4e405a 100644 --- a/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/constraint3.yaml +++ b/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/constraint3.yaml @@ -12,4 +12,4 @@ spec: # - "*" # * may be used to forbid all sysctls - kernel.* allowedSysctls: - - "net.*" # allows all sysctls. allowedSysctls is optional. + - "net.*" diff --git a/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/constraint4.yaml b/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/constraint4.yaml new file mode 100644 index 000000000..2a9c0dcb5 --- /dev/null +++ b/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/constraint4.yaml @@ -0,0 +1,14 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPForbiddenSysctls +metadata: + name: psp-forbidden-sysctls +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + forbiddenSysctls: + # - "*" # * may be used to forbid all sysctls + - kernel.* + allowedSysctls: [] # empty allowedSysctls means all sysctls are forbidden diff --git a/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/constraint5.yaml b/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/constraint5.yaml new file mode 100644 index 000000000..13e8677d8 --- /dev/null +++ b/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/constraint5.yaml 
@@ -0,0 +1,14 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPForbiddenSysctls +metadata: + name: psp-forbidden-sysctls +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + forbiddenSysctls: + # - "*" # * may be used to forbid all sysctls + - kernel.* + # unspecified allowedSysctls will not place any restrictions diff --git a/library/pod-security-policy/forbidden-sysctls/suite.yaml b/library/pod-security-policy/forbidden-sysctls/suite.yaml index fe394ddd8..7ed8a1d02 100644 --- a/library/pod-security-policy/forbidden-sysctls/suite.yaml +++ b/library/pod-security-policy/forbidden-sysctls/suite.yaml @@ -19,7 +19,7 @@ tests: object: samples/psp-forbidden-sysctls/update.yaml assertions: - violations: no - - name: forbidden-sysctls2 + - name: forbidden-sysctls-wildcard template: template.yaml constraint: samples/psp-forbidden-sysctls/constraint2.yaml cases: @@ -27,7 +27,7 @@ tests: object: samples/psp-forbidden-sysctls/example_disallowed.yaml assertions: - violations: yes - - name: example-allowed + - name: example-disallowed object: samples/psp-forbidden-sysctls/example_allowed.yaml assertions: - violations: yes 
@@ -51,3 +51,35 @@ tests: object: samples/psp-forbidden-sysctls/update.yaml assertions: - violations: no + - name: forbidden-sysctls4-empty-allowedSysctls + template: template.yaml + constraint: samples/psp-forbidden-sysctls/constraint4.yaml + cases: + - name: example-disallowed + object: samples/psp-forbidden-sysctls/example_disallowed.yaml + assertions: + - violations: yes + - name: example-disallowed + object: samples/psp-forbidden-sysctls/example_allowed.yaml + assertions: + - violations: yes + - name: update + object: samples/psp-forbidden-sysctls/update.yaml + assertions: + - violations: no + - name: forbidden-sysctls5-unspecified-allowedSysctls + template: template.yaml + constraint: samples/psp-forbidden-sysctls/constraint5.yaml + cases: + - name: example-disallowed + object: samples/psp-forbidden-sysctls/example_disallowed.yaml + assertions: + - violations: yes + - name: example-allowed + object: samples/psp-forbidden-sysctls/example_allowed.yaml + assertions: + - violations: no + - name: update + object: samples/psp-forbidden-sysctls/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/forbidden-sysctls/template.yaml b/library/pod-security-policy/forbidden-sysctls/template.yaml index db4ea623a..6c9ea66bd 100644 --- a/library/pod-security-policy/forbidden-sysctls/template.yaml +++ b/library/pod-security-policy/forbidden-sysctls/template.yaml @@ -43,6 +43,8 @@ spec: - engine: K8sNativeValidation source: variables: + - name: isUpdate + expression: has(request.operation) && request.operation == "UPDATE" - name: sysctls expression: '!has(variables.anyObject.spec.securityContext) ? [] : !has(variables.anyObject.spec.securityContext.sysctls) ? [] : variables.anyObject.spec.securityContext.sysctls' - name: allowedSysctlPrefixes 
@@ -59,19 +61,20 @@ spec: expression: | !has(variables.params.forbiddenSysctls) ? [] : variables.params.forbiddenSysctls.filter(sysctl, !sysctl.endsWith("*")) - - name: allAllowed - expression: '!has(variables.params.allowedSysctls) ? true : false' + - name: allowedSysctlsString + expression: | + !has(variables.params.allowedSysctls) ? "unspecified" : size(variables.params.allowedSysctls) == 0 ? "empty" : variables.params.allowedSysctls.join(", ") - name: violatingSysctls expression: | (variables.sysctls.filter(sysctl, (sysctl.name in variables.forbiddenSysctlExplicit || variables.forbiddenSysctlPrefixes.exists(fsp, string(sysctl.name).startsWith(fsp))) || - (!variables.allAllowed && + (has(variables.params.allowedSysctls) && !(sysctl.name in variables.allowedSysctlExplicit) && !variables.allowedSysctlPrefixes.exists(asp, string(sysctl.name).startsWith(asp))))) validations: - - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.violatingSysctls) == 0' - messageExpression: '"The sysctl is not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + variables.forbiddenSysctls.map(c, c).join(", ") + ", allowed: " + variables.allowedSysctls.map(c, c).join(", ")' + - expression: 'variables.isUpdate || size(variables.violatingSysctls) == 0' + messageExpression: '"The sysctl is not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + variables.params.forbiddenSysctls.join(", ") + ", allowed: " + variables.allowedSysctlsString' - engine: Rego source: rego: | diff --git a/src/pod-security-policy/forbidden-sysctls/src.cel b/src/pod-security-policy/forbidden-sysctls/src.cel index 17f2a52fc..d90e6253a 100644 --- a/src/pod-security-policy/forbidden-sysctls/src.cel +++ b/src/pod-security-policy/forbidden-sysctls/src.cel 
@@ -1,4 +1,6 @@ variables: +- name: isUpdate + expression: has(request.operation) && request.operation == "UPDATE" - name: sysctls expression: '!has(variables.anyObject.spec.securityContext) ? [] : !has(variables.anyObject.spec.securityContext.sysctls) ? [] : variables.anyObject.spec.securityContext.sysctls' - name: allowedSysctlPrefixes @@ -15,16 +17,17 @@ variables: expression: | !has(variables.params.forbiddenSysctls) ? [] : variables.params.forbiddenSysctls.filter(sysctl, !sysctl.endsWith("*")) -- name: allAllowed - expression: '!has(variables.params.allowedSysctls) ? true : false' +- name: allowedSysctlsString + expression: | + !has(variables.params.allowedSysctls) ? "unspecified" : size(variables.params.allowedSysctls) == 0 ? "empty" : variables.params.allowedSysctls.join(", ") - name: violatingSysctls expression: | (variables.sysctls.filter(sysctl, (sysctl.name in variables.forbiddenSysctlExplicit || variables.forbiddenSysctlPrefixes.exists(fsp, string(sysctl.name).startsWith(fsp))) || - (!variables.allAllowed && + (has(variables.params.allowedSysctls) && !(sysctl.name in variables.allowedSysctlExplicit) && !variables.allowedSysctlPrefixes.exists(asp, string(sysctl.name).startsWith(asp))))) validations: -- expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.violatingSysctls) == 0' - messageExpression: '"The sysctl is not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + variables.forbiddenSysctls.map(c, c).join(", ") + ", allowed: " + variables.allowedSysctls.map(c, c).join(", ")' +- expression: 'variables.isUpdate || size(variables.violatingSysctls) == 0' + messageExpression: '"The sysctl is not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + variables.params.forbiddenSysctls.join(", ") + ", allowed: " + variables.allowedSysctlsString' 
diff --git a/website/docs/validation/forbidden-sysctls.md b/website/docs/validation/forbidden-sysctls.md index 63ef43610..c85ad40d3 100644 --- a/website/docs/validation/forbidden-sysctls.md +++ b/website/docs/validation/forbidden-sysctls.md @@ -55,6 +55,8 @@ spec: - engine: K8sNativeValidation source: variables: + - name: isUpdate + expression: has(request.operation) && request.operation == "UPDATE" - name: sysctls expression: '!has(variables.anyObject.spec.securityContext) ? [] : !has(variables.anyObject.spec.securityContext.sysctls) ? [] : variables.anyObject.spec.securityContext.sysctls' - name: allowedSysctlPrefixes 
@@ -71,19 +73,20 @@ spec: expression: | !has(variables.params.forbiddenSysctls) ? [] : variables.params.forbiddenSysctls.filter(sysctl, !sysctl.endsWith("*")) - - name: allAllowed - expression: '!has(variables.params.allowedSysctls) ? true : false' + - name: allowedSysctlsString + expression: | + !has(variables.params.allowedSysctls) ? "unspecified" : size(variables.params.allowedSysctls) == 0 ? "empty" : variables.params.allowedSysctls.join(", ") - name: violatingSysctls expression: | (variables.sysctls.filter(sysctl, (sysctl.name in variables.forbiddenSysctlExplicit || variables.forbiddenSysctlPrefixes.exists(fsp, string(sysctl.name).startsWith(fsp))) || - (!variables.allAllowed && + (has(variables.params.allowedSysctls) && !(sysctl.name in variables.allowedSysctlExplicit) && !variables.allowedSysctlPrefixes.exists(asp, string(sysctl.name).startsWith(asp))))) validations: - - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.violatingSysctls) == 0' - messageExpression: '"The sysctl is not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + variables.forbiddenSysctls.map(c, c).join(", ") + ", allowed: " + variables.allowedSysctls.map(c, c).join(", ")' + - expression: 'variables.isUpdate || size(variables.violatingSysctls) == 0' + messageExpression: '"The sysctl is not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + variables.params.forbiddenSysctls.join(", ") + ", allowed: " + variables.allowedSysctlsString' - engine: Rego source: rego: | @@ -247,7 +250,7 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-
-forbidden-sysctls2 +forbidden-sysctls-wildcard
constraint @@ -309,7 +312,7 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-
-example-allowed +example-disallowed ```yaml apiVersion: v1 @@ -359,7 +362,7 @@ spec: # - "*" # * may be used to forbid all sysctls - kernel.* allowedSysctls: - - "net.*" # allows all sysctls. allowedSysctls is optional. + - "net.*" ``` @@ -431,4 +434,188 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-
+
+forbidden-sysctls4-empty-allowedSysctls + +
+constraint + +```yaml +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPForbiddenSysctls +metadata: + name: psp-forbidden-sysctls +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + forbiddenSysctls: + # - "*" # * may be used to forbid all sysctls + - kernel.* + allowedSysctls: [] # empty allowedSysctls means all sysctls are forbidden + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/constraint4.yaml +``` + +
+ +
+example-disallowed + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: nginx-forbidden-sysctls-disallowed + labels: + app: nginx-forbidden-sysctls +spec: + containers: + - name: nginx + image: nginx + securityContext: + sysctls: + - name: kernel.msgmax + value: "65536" + - name: net.core.somaxconn + value: "1024" + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/example_disallowed.yaml +``` + +
+
+example-disallowed + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: nginx-forbidden-sysctls-disallowed + labels: + app: nginx-forbidden-sysctls +spec: + containers: + - name: nginx + image: nginx + securityContext: + sysctls: + - name: net.core.somaxconn + value: "1024" + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/example_allowed.yaml +``` + +
+ + +
+forbidden-sysctls5-unspecified-allowedSysctls + +
+constraint + +```yaml +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPForbiddenSysctls +metadata: + name: psp-forbidden-sysctls +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + forbiddenSysctls: + # - "*" # * may be used to forbid all sysctls + - kernel.* + # unspecified allowedSysctls will not place any restrictions + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/constraint5.yaml +``` + +
+ +
+example-disallowed + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: nginx-forbidden-sysctls-disallowed + labels: + app: nginx-forbidden-sysctls +spec: + containers: + - name: nginx + image: nginx + securityContext: + sysctls: + - name: kernel.msgmax + value: "65536" + - name: net.core.somaxconn + value: "1024" + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/example_disallowed.yaml +``` + +
+
+example-allowed + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: nginx-forbidden-sysctls-disallowed + labels: + app: nginx-forbidden-sysctls +spec: + containers: + - name: nginx + image: nginx + securityContext: + sysctls: + - name: net.core.somaxconn + value: "1024" + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/example_allowed.yaml +``` + +
+ +
\ No newline at end of file