Restrict Sysctls

Description

Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed “safe” subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.

Restricted Fields

  • spec.securityContext.sysctls[*].name

Allowed Values

  • Undefined/nil
  • kernel.shm_rmid_forced
  • net.ipv4.ip_local_port_range
  • net.ipv4.ip_unprivileged_port_start
  • net.ipv4.tcp_syncookies
  • net.ipv4.ping_group_range

Risks

Improper configuration of sysctls can pose security risks. Only an allowed “safe” subset of sysctls should be permitted, ensuring they are namespaced in the container or the Pod and isolated from other Pods or processes on the same Node.

  • Device Parameters: Modifications can affect device behavior. For example, altering kernel parameters related to device drivers might introduce vulnerabilities or performance problems.

  • Network Parameters: For instance, tweaking parameters related to the TCP/IP stack might expose the system to attacks or reduce its ability to handle network traffic efficiently.

  • File System: Sysctls affecting file system behavior can lead to data corruption or security breaches.

  • NFS (Network File System): Changes to sysctls related to NFS could impact the reliability and security of file sharing across networked systems. Misconfigurations may result in data loss or unauthorized access to shared resources.

Kyverno Policy

Refer to the Nirmata curated policies - restrict-sysctls.yaml

References

Configuration Settings

Setting any sysctl outside the allowed subset is disallowed. The field spec.securityContext.sysctls must be unset or use no names other than kernel.shm_rmid_forced, net.ipv4.ip_local_port_range, net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies and net.ipv4.ping_group_range.

=(securityContext):
  =(sysctls):
    - =(name): "kernel.shm_rmid_forced | net.ipv4.ip_local_port_range | net.ipv4.ip_unprivileged_port_start | net.ipv4.tcp_syncookies | net.ipv4.ping_group_range"

Resource Example

Below is a Deployment resource example where securityContext.sysctls is set to net.ipv4.tcp_syncookies for all containers. This value is from the subset of “safe” system controls.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment05
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: container01
        image: dummyimagename
      securityContext:
        sysctls:
        - name: net.ipv4.tcp_syncookies
          value: "0"
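The same allow-list check that the Kyverno pattern above enforces, written as an added Python example (not Kyverno's or Nirmata's code) so the rule can be exercised against manifests offline. It locates the Pod spec for Pods and Pod-template workloads, and the GOOD/BAD/UNSET manifests are constructed inline after the shape of gooddeployment05.

```python
from typing import Any, Dict, List, Optional

# The "safe" subset the policy allows (Pod Security Standards baseline list).
ALLOWED_SYSCTLS = frozenset({
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.ip_unprivileged_port_start",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
})


def pod_spec_of(manifest: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Locate the Pod spec inside a Pod or a Pod-template workload."""
    kind = manifest.get("kind")
    spec = manifest.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":  # CronJob nests its Pod template one level deeper
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    # Deployment, StatefulSet, DaemonSet, Job, ReplicaSet: spec.template.spec
    return (spec.get("template") or {}).get("spec")


def disallowed_sysctls(manifest: Dict[str, Any]) -> List[str]:
    """Sysctl names the policy would reject; an empty list means it passes.

    Sysctls live only in the Pod-level securityContext, which is why the
    policy pattern is anchored at spec.securityContext, not per container.
    """
    spec = pod_spec_of(manifest) or {}
    sysctls = (spec.get("securityContext") or {}).get("sysctls") or []
    # Undefined/nil passes; every entry whose name is outside the subset fails.
    return [s.get("name", "") for s in sysctls if s.get("name") not in ALLOWED_SYSCTLS]


def deployment_with(sysctls: Optional[List[Dict[str, str]]]) -> Dict[str, Any]:
    """Constructed Deployment shaped like the page's gooddeployment05."""
    pod_spec: Dict[str, Any] = {"containers": [{"name": "container01", "image": "dummyimagename"}]}
    if sysctls is not None:
        pod_spec["securityContext"] = {"sysctls": sysctls}
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "gooddeployment05"},
            "spec": {"replicas": 1, "template": {"spec": pod_spec}}}


GOOD = deployment_with([{"name": "net.ipv4.tcp_syncookies", "value": "0"}])
# Constructed violating variant: vm.max_map_count is outside the allowed subset.
BAD = deployment_with([{"name": "vm.max_map_count", "value": "262144"}])
UNSET = deployment_with(None)  # no sysctls at all: allowed (Undefined/nil)
```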