Going through Kubernetes pod security standards, it seems it'd be desirable to audit sysctls.
Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed "safe" subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.
Restricted Fields
- spec.securityContext.sysctls[*].name
AllowedValues
- Undefined/nil
- kernel.shm_rmid_forced
- net.ipv4.ip_local_port_range
- net.ipv4.ip_unprivileged_port_start
- net.ipv4.tcp_syncookies
- net.ipv4.ping_group_range
ISSUE TYPE
[ ] Bug Report
[x] Feature Idea
FEATURE IDEA
[ ] If the maintainers agree with the feature as described here, I intend to submit a Pull Request myself.1
Proposal:
1This is the quickest way to get a new feature! We reserve the right to close feature requests, even ones we like, if the proposer does not intend to contribute to the feature and it doesn't fit in our current roadmap.
Going through Kubernetes pod security standards, it seems it'd be desirable to audit sysctls.
ISSUE TYPE
FEATURE IDEA
Proposal:
1 This is the quickest way to get a new feature! We reserve the right to close feature requests, even ones we like, if the proposer does not intend to contribute to the feature and it doesn't fit in our current roadmap.