Enforce Trusted Sysctls 1.1.4

Rejects workloads whose pod securityContext sets sysctls outside the "safe" subset that Kubernetes allows by default (kernel.shm_rmid_forced, net.ipv4.ip_local_port_range, net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies, net.ipv4.ping_group_range). Safe sysctls are namespaced and isolated between pods; any other sysctl is classified as unsafe because it can affect the node or other pods, and Kubernetes only honours it on nodes whose kubelet explicitly lists it in allowedUnsafeSysctls. The policy checks sysctl names, not their values.


Note that this policy is part of the following security standards:

  • k8s/baseline: Minimally restrictive policy while preventing known privilege escalations.
  • k8s/restricted: Heavily restricted policy, following current Pod hardening best practices.
  • nist/SP.800-190: NIST Special Publication 800-190 - Application Container Security Guide: Section 3.4.3
  • bsi/containerization: BSI IT-Grundschutz "Containerisierung": Section: SYS.1.6.A16, SYS.1.6.A21

Applies to

  • Pod
  • ReplicaSet
  • ReplicationController
  • Deployment
  • StatefulSet
  • DaemonSet
  • Job
  • CronJob

Example

Lines prefixed with - are rejected by the policy (net.core.somaxconn and kernel.msgmax are not in the safe subset); lines prefixed with + pass, because all four sysctls are in the safe subset.

apiVersion: v1
kind: Pod
metadata:
  name: sysctl-example
spec:
  securityContext:
    sysctls:
-   - name: net.core.somaxconn
-     value: "1024"
-   - name: kernel.msgmax
-     value: "65536"
+   - name: net.ipv4.ip_local_port_range
+     value: "32768 61000"
+   - name: kernel.shm_rmid_forced
+     value: "0"
+   - name: net.ipv4.tcp_syncookies
+     value: "1"
+   - name: net.ipv4.ping_group_range
+     value: "10001 10001"

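The following is an added example, not code from the policy page or its project: a small offline checker that applies the same rule as the policy to any of the workload kinds listed under "Applies to". It locates the pod spec for each kind (Pod, templated controllers, and CronJob with its nested jobTemplate), compares every sysctl name against the Kubernetes safe set, and returns the offending names. The safe set is the one Kubernetes allows by default; the manifests at the bottom, the names REJECTED_POD and ALLOWED_CRONJOB, and the helper functions are constructed here for illustration.

```python
"""Check Kubernetes workload manifests for sysctls outside the Kubernetes safe set.

Added example, not part of the policy page or its project. Manifests are
plain dicts here (what yaml.safe_load would produce) so the script runs
without extra dependencies.
"""

# Sysctls Kubernetes classifies as safe: namespaced per pod and unable to
# affect the node or other pods. Anything else is "unsafe" and only works on
# nodes whose kubelet lists it in allowedUnsafeSysctls.
SAFE_SYSCTLS = frozenset({
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.ip_unprivileged_port_start",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
})

# Path from the top of each supported kind to the pod spec it creates.
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "ReplicaSet": ("spec", "template", "spec"),
    "ReplicationController": ("spec", "template", "spec"),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def pod_spec(manifest):
    """Return the pod spec of a supported kind, {} if the path is incomplete,
    or None when the kind is outside the policy's scope."""
    path = POD_SPEC_PATHS.get(manifest.get("kind"))
    if path is None:
        return None
    node = manifest
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return {}
    return node


def unsafe_sysctls(manifest):
    """Return the sysctl names that are not in the safe set, in manifest order.

    Duplicates are reported once. An entry without a name is reported as
    "<missing name>" rather than silently skipped.
    """
    spec = pod_spec(manifest)
    if spec is None:
        return []  # kind not covered by the policy
    sysctls = (spec.get("securityContext") or {}).get("sysctls") or []
    found = []
    for entry in sysctls:
        name = entry.get("name", "<missing name>")
        if name not in SAFE_SYSCTLS and name not in found:
            found.append(name)
    return found


def is_compliant(manifest):
    """True when the workload sets no sysctls outside the safe set."""
    return not unsafe_sysctls(manifest)


# Constructed manifests for illustration: the rejected Pod from the page's
# example, and a CronJob that uses only safe sysctls.
REJECTED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "sysctl-example"},
    "spec": {"securityContext": {"sysctls": [
        {"name": "net.core.somaxconn", "value": "1024"},
        {"name": "kernel.msgmax", "value": "65536"},
    ]}},
}

ALLOWED_CRONJOB = {
    "apiVersion": "batch/v1", "kind": "CronJob",
    "metadata": {"name": "sysctl-cron"},
    "spec": {"schedule": "*/5 * * * *", "jobTemplate": {"spec": {"template": {"spec": {
        "securityContext": {"sysctls": [
            {"name": "net.ipv4.tcp_syncookies", "value": "1"},
            {"name": "net.ipv4.ping_group_range", "value": "10001 10001"},
        ]},
        "containers": [{"name": "app", "image": "busybox"}],
    }}}}},
}

if __name__ == "__main__":
    for manifest in (REJECTED_POD, ALLOWED_CRONJOB):
        bad = unsafe_sysctls(manifest)
        verdict = "REJECT" if bad else "allow"
        print(f"{manifest['kind']}/{manifest['metadata']['name']}: {verdict} {bad}")
```

Run it before committing manifests to catch violations locally; against a live cluster, kubectl apply --dry-run=server exercises the admission-time policy itself without creating the workload.
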
Risk acceptance

Use the annotation securitytower.io/policy.exclusion.enforcetrustedsysctls as in the example below; its value is a free-text justification for accepting the risk of running unsafe sysctls.
apiVersion: v1
kind: Pod
metadata:
  name: your-pod
  annotations:
    securitytower.io/policy.exclusion.enforcetrustedsysctls: |-
      This pod requires sysctls.
...