open-policy-agent · ritazh · Jan 15, 2025 · Jul 6, 2024 · Sep 11, 2024 · Dec 14, 2024
@@ -0,0 +1,36 @@
+# Forbidden Sysctls security context policy
+
+The forbidden sysctls constraint allows one to limit the set of kernel parameters that can be modified by pods. This is accomplished by specifying a combination of allowed and forbidden sysctls using either of two parameters: `allowedSysctls` and `forbiddenSysctls`.
+
+## Parameters
+
+`allowedSysctls`: A list of explicitly allowed sysctls. Any sysctl not in this list will be considered forbidden. '*' and trailing wildcards are supported. If unspecified, no limitations are made by this parameter.
+
+`forbiddenSysctls`: A list of explicitly denied sysctls. Any sysctl in this list will be considered forbidden. '*' and trailing wildcards are supported. If unspecified, no limitations are made by this parameter.
+
+## Examples
+
+```yaml
+parameters:
+  allowedSysctls: ['*']
+  forbiddenSysctls:
+    - kernel.msg*
+    - net.core.somaxconn
+```
+
+```yaml
+parameters:
+  allowedSysctls:
+    - kernel.shm_rmid_forced
+    - net.ipv4.ip_local_port_range
+    - net.ipv4.tcp_syncookies
+    - net.ipv4.ping_group_range
+  forbiddenSysctls: []
+```
+
+*Note*: `forbiddenSysctls` takes precedence, such that an explicitly forbidden sysctl is still forbidden even if it appears in `allowedSysctls` as well. However in practice, such overlap between the rules should be avoided.
+
+## References
+
+* [Using sysctls in a Kubernetes Cluster](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/)
+* [Kubernetes API Reference - Sysctl](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#sysctl-v1-core)
@@ -0,0 +1,22 @@
+version: 1.2.0
+name: k8spspforbiddensysctls
+displayName: Forbidden Sysctls
+createdAt: "2024-07-05T17:47:31Z"
+description: Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+digest: f17aa53b0129445cc5899d534c3c3904f8843c517cc401a13b5f07aaa6e0cca8
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/forbidden-sysctls
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # Forbidden Sysctls
+    Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library
@@ -0,0 +1,2 @@
+resources:
+  - template.yaml
@@ -0,0 +1,15 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPForbiddenSysctls
+metadata:
+  name: psp-forbidden-sysctls
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    forbiddenSysctls:
+    # - "*" # * may be used to forbid all sysctls
+    - kernel.*
+    allowedSysctls:
+    - "*" # allows all sysctls. allowedSysctls is optional.
@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPForbiddenSysctls
+metadata:
+  name: psp-forbidden-sysctls
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    forbiddenSysctls:
+    - "*" # * forbid all sysctls
+    allowedSysctls:
+    - "*" # allows all sysctls. allowedSysctls is optional.
@@ -0,0 +1,15 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPForbiddenSysctls
+metadata:
+  name: psp-forbidden-sysctls
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    forbiddenSysctls:
+    # - "*" # * may be used to forbid all sysctls
+    - kernel.*
+    allowedSysctls:
+    - "net.*"
@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPForbiddenSysctls
+metadata:
+  name: psp-forbidden-sysctls
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    forbiddenSysctls:
+    # - "*" # * may be used to forbid all sysctls
+    - kernel.*
+    allowedSysctls: [] # empty allowedSysctls means all sysctls are forbidden
@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPForbiddenSysctls
+metadata:
+  name: psp-forbidden-sysctls
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    forbiddenSysctls:
+    # - "*" # * may be used to forbid all sysctls
+    - kernel.*
+    # unspecified allowedSysctls will not place any restrictions
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-forbidden-sysctls-allowed
+  labels:
+    app: nginx-forbidden-sysctls
+spec:
+  containers:
+    - name: nginx
+      image: nginx
+  securityContext:
+    sysctls:
+      - name: net.core.somaxconn
+        value: "1024"
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-forbidden-sysctls-disallowed
+  labels:
+    app: nginx-forbidden-sysctls
+spec:
+  containers:
+    - name: nginx
+      image: nginx
+  securityContext:
+    sysctls:
+      - name: kernel.msgmax
+        value: "65536"
+      - name: net.core.somaxconn
+        value: "1024"
@@ -0,0 +1,21 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+  operation: "UPDATE"
+  object:
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      name: nginx-forbidden-sysctls-disallowed
+      labels:
+        app: nginx-forbidden-sysctls
+    spec:
+      containers:
+        - name: nginx
+          image: nginx
+      securityContext:
+        sysctls:
+          - name: kernel.msgmax
+            value: "65536"
+          - name: net.core.somaxconn
+            value: "1024"
@@ -0,0 +1,85 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: forbidden-sysctls
+tests:
+  - name: forbidden-sysctls
+    template: template.yaml
+    constraint: samples/psp-forbidden-sysctls/constraint.yaml
+    cases:
+      - name: example-disallowed
+        object: samples/psp-forbidden-sysctls/example_disallowed.yaml
+        assertions:
+          - violations: yes
+      - name: example-allowed
+        object: samples/psp-forbidden-sysctls/example_allowed.yaml
+        assertions:
+          - violations: no
+      - name: update
+        object: samples/psp-forbidden-sysctls/update.yaml
+        assertions:
+          - violations: no
+  - name: forbidden-sysctls-wildcard
+    template: template.yaml
+    constraint: samples/psp-forbidden-sysctls/constraint2.yaml
+    cases:
+      - name: example-disallowed
+        object: samples/psp-forbidden-sysctls/example_disallowed.yaml
+        assertions:
+          - violations: yes
+      - name: example-disallowed
+        object: samples/psp-forbidden-sysctls/example_allowed.yaml
+        assertions:
+          - violations: yes
+      - name: update
+        object: samples/psp-forbidden-sysctls/update.yaml
+        assertions:
+          - violations: no
+  - name: forbidden-sysctls3
+    template: template.yaml
+    constraint: samples/psp-forbidden-sysctls/constraint3.yaml
+    cases:
+      - name: example-disallowed
+        object: samples/psp-forbidden-sysctls/example_disallowed.yaml
+        assertions:
+          - violations: yes
+      - name: example-allowed
+        object: samples/psp-forbidden-sysctls/example_allowed.yaml
+        assertions:
+          - violations: no
+      - name: update
+        object: samples/psp-forbidden-sysctls/update.yaml
+        assertions:
+          - violations: no
+  - name: forbidden-sysctls4-empty-allowedSysctls
+    template: template.yaml
+    constraint: samples/psp-forbidden-sysctls/constraint4.yaml
+    cases:
+      - name: example-disallowed
+        object: samples/psp-forbidden-sysctls/example_disallowed.yaml
+        assertions:
+          - violations: yes
+      - name: example-disallowed
+        object: samples/psp-forbidden-sysctls/example_allowed.yaml
+        assertions:
+          - violations: yes
+      - name: update
+        object: samples/psp-forbidden-sysctls/update.yaml
+        assertions:
+          - violations: no
+  - name: forbidden-sysctls5-unspecified-allowedSysctls
+    template: template.yaml
+    constraint: samples/psp-forbidden-sysctls/constraint5.yaml
+    cases:
+      - name: example-disallowed
+        object: samples/psp-forbidden-sysctls/example_disallowed.yaml
+        assertions:
+          - violations: yes
+      - name: example-allowed
+        object: samples/psp-forbidden-sysctls/example_allowed.yaml
+        assertions:
+          - violations: no
+      - name: update
+        object: samples/psp-forbidden-sysctls/update.yaml
+        assertions:
+          - violations: no