Ensure Sysctls Not Use Kernel Subsystems In A Kubernetes Cluster
In Linux, the sysctl
interface allows an administrator to modify kernel parameters at runtime. Parameters are available via the '/proc/sys/' virtual process file system. Sysctls are grouped into safe and unsafe sysctl
. In addition to proper namespacing, a safe sysctl
must be properly isolated between pods on the same node. This means setting a safe sysctl
for one pod. So the sysctls.name
arguments must not have 'kernel.*'
Risk Level: high
Cloud Entity: Kubernetes
Spectral Rule ID: K8S298
REMEDIATION
set sysctls.name
not to have 'kernel.*'
spec:
securityContext:
sysctls:
- name: kernel.some_subsystem
References:
Pod Security Policies
A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.
Updated over 1 year ago