Risk Level: Critical
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.AC.24
Covered by Spectral: No
Category: Compute

GSL LOGIC

KubernetesPod should not have spec.securityContext.sysctls contain-any [ value like '%+%' or value like '%=%' ]

REMEDIATION

At the Kubernetes level:
Set this Admission Control rule to block.
At the CRI-O level:
Upgrade to a patched version of CRI-O.
Set pinns_path in crio.conf to point to a pinns wrapper that strips the '-s' option before invoking the real pinns. This will prevent pods from updating any kernel parameters, including sensitive ones.
Pinns, typically found at /usr/bin/pinns, is the utility CRI-O uses to set kernel parameters.
Downgrade to CRI-O version 1.18 or earlier (Not recommended in most cases)

Pods

Pods are the smallest deployable units of computing that can be created and managed in Kubernetes. A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.

Compliance Frameworks

Container Admission Control
Container Admission Control 1.0