Ensure Sysctls Not Use Kernel Subsystems In A Kubernetes Cluster
In Linux, the sysctl interface allows an administrator to modify kernel parameters at runtime. Parameters are exposed via the '/proc/sys/' virtual process file system. Kubernetes groups sysctls into safe and unsafe sysctls. In addition to proper namespacing, a safe sysctl must be properly isolated between pods on the same node, so that setting a safe sysctl for one pod does not influence other pods. For this reason the sysctls.name values in a pod's securityContext must not match 'kernel.*'.
Risk Level: high
Cloud Entity: Kubernetes
Spectral Rule ID: K8S298
REMEDIATION
Set sysctls.name so that it does not match 'kernel.*'. The following pod spec fragment is the pattern this rule flags:
spec:
  securityContext:
    sysctls:
      - name: kernel.some_subsystem
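The following is an added example written for this page, not Check Point Spectral's own implementation of rule K8S298. It shows how a manifest check for this rule can be expressed: it walks a parsed Pod (or a workload that embeds a pod template, such as a Deployment) to spec.securityContext.sysctls and reports every name beginning with kernel. The manifests are constructed samples in their parsed (dictionary) form, so the script runs with the standard library only; the function and field names other than the Kubernetes ones are assumptions of this example.

```python
"""Added example: flag pod-level sysctls whose name matches 'kernel.*' (rule K8S298).

Illustrative code for this page, not the Spectral rule engine. Manifests below
are constructed samples in their parsed form (as a YAML loader would return them).
"""
from typing import Any, Dict, List

# Constructed sample: a Pod that sets a kernel.* sysctl (the pattern the rule flags)
# next to a net.* sysctl that the rule does not flag.
NONCOMPLIANT_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "tuned-pod"},
    "spec": {
        "securityContext": {
            "sysctls": [
                {"name": "kernel.some_subsystem", "value": "1"},
                {"name": "net.ipv4.ip_local_port_range", "value": "1024 65535"},
            ]
        },
        "containers": [{"name": "app", "image": "example/app:1.0"}],
    },
}

# Constructed sample: the same Pod with the kernel.* entry removed (remediated form).
COMPLIANT_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "tuned-pod"},
    "spec": {
        "securityContext": {
            "sysctls": [{"name": "net.ipv4.ip_local_port_range", "value": "1024 65535"}]
        },
        "containers": [{"name": "app", "image": "example/app:1.0"}],
    },
}

# Constructed sample: a Deployment, where the pod securityContext lives under
# spec.template.spec rather than directly under spec.
NONCOMPLIANT_DEPLOYMENT: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "tuned-deploy"},
    "spec": {
        "replicas": 1,
        "template": {
            "spec": {
                "securityContext": {"sysctls": [{"name": "kernel.msgmax", "value": "65536"}]},
                "containers": [{"name": "app", "image": "example/app:1.0"}],
            }
        },
    },
}


def pod_spec_of(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return the pod spec of a Pod, or of a workload that embeds a pod template."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    template = spec.get("template") or {}
    return template.get("spec") or {}


def find_kernel_sysctls(manifest: Dict[str, Any]) -> List[str]:
    """Return the pod-level sysctl names that match 'kernel.*' (prefix match)."""
    spec = pod_spec_of(manifest)
    sysctls = (spec.get("securityContext") or {}).get("sysctls") or []
    return [str(s.get("name", "")) for s in sysctls if str(s.get("name", "")).startswith("kernel.")]


def check_k8s298(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Evaluate one manifest against the rule and return a finding record."""
    kernel_sysctls = find_kernel_sysctls(manifest)
    return {
        "rule": "K8S298",
        "kind": manifest.get("kind", "<unknown>"),
        "name": (manifest.get("metadata") or {}).get("name", "<unnamed>"),
        "compliant": not kernel_sysctls,
        "kernel_sysctls": kernel_sysctls,
    }


if __name__ == "__main__":
    for m in (NONCOMPLIANT_POD, COMPLIANT_POD, NONCOMPLIANT_DEPLOYMENT):
        r = check_k8s298(m)
        status = "PASS" if r["compliant"] else "FAIL"
        print(f"{status} {r['kind']}/{r['name']} kernel sysctls={r['kernel_sysctls']}")
```

The check implements the rule literally: any name that begins with kernel. is reported, including names Kubernetes itself lists as safe (kernel.shm_rmid_forced is one); if your cluster deliberately allows such an entry, filter it out of the findings before failing a pipeline rather than weakening the prefix match. Container-level securityContext has no sysctls field, so only the pod-level block needs to be inspected.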
References:
Pod Security Policies
A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.