Ensure Sysctls Not Use Kernel Subsystems In A Kubernetes Cluster

In Linux, the sysctl interface allows an administrator to modify kernel parameters at runtime. Parameters are available via the '/proc/sys/' virtual process file system. Sysctls are grouped into safe and unsafe sysctl. In addition to proper namespacing, a safe sysctl must be properly isolated between pods on the same node. This means setting a safe sysctl for one pod. So the sysctls.name arguments must not have 'kernel.*'

Risk Level: high
Cloud Entity: Kubernetes
Spectral Rule ID: K8S298


set sysctls.name not to have 'kernel.*'

- name: kernel.some_subsystem


Pod Security Policies

A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.