Cluster allows unsafe sysctls
Id: 9127f0d9-2310-42e7-866f-5fd9d20dcbad
Cloud Provider: k8s
Framework: Kubernetes
Severity: High
Category: Insecure Configurations
Description
A Kubernetes cluster must not allow unsafe sysctls. Unsafe sysctls are namespaced or node-wide kernel parameters that let a Pod influence other Pods, harm node health, or consume CPU or memory beyond its resource limits. For this rule to pass, `spec.securityContext.sysctls` must not specify unsafe sysctls, and `allowedUnsafeSysctls` (on a PodSecurityPolicy) must be undefined.
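The two conditions above can be checked mechanically before a manifest reaches the cluster. The following is an added example, not the rule's own query or Datadog code: it walks already-parsed manifests (for instance the output of PyYAML's `yaml.safe_load_all`, which it deliberately does not require) and reports every sysctl outside the safe set, in either dotted or slash notation, plus any PodSecurityPolicy that defines `allowedUnsafeSysctls`. The safe-sysctl set is an assumption taken from upstream Kubernetes and should be aligned with the kubelet version in use.

```python
# Added example, not from the rule page: checks the two conditions the description
# names, on manifests already parsed into dicts (e.g. by yaml.safe_load_all).
from typing import Iterable, List

# Assumption: the upstream Kubernetes safe-sysctl set; it grows with releases,
# so align it with the kubelet version running in the cluster.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced", "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies", "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
}

def normalize(name: str) -> str:
    """Sysctls may use '/' or '.' as separator; compare in dotted form."""
    return name.strip().replace("/", ".")

def pod_spec(obj: dict) -> dict:
    """PodSpec of a Pod, or of the pod template inside a workload object."""
    if obj.get("kind") == "Pod":
        return obj.get("spec") or {}
    return obj.get("spec", {}).get("template", {}).get("spec") or {}
def find_violations(manifests: Iterable[dict]) -> List[str]:
    findings = []
    for obj in manifests:
        kind, name = obj.get("kind", "?"), obj.get("metadata", {}).get("name", "?")
        # allowedUnsafeSysctls must be undefined on a PodSecurityPolicy
        if kind == "PodSecurityPolicy" and "allowedUnsafeSysctls" in obj.get("spec", {}):
            findings.append(f"{kind}/{name}: allowedUnsafeSysctls is defined")
        # spec.securityContext.sysctls may only name safe sysctls
        for entry in pod_spec(obj).get("securityContext", {}).get("sysctls") or []:
            if normalize(entry.get("name", "")) not in SAFE_SYSCTLS:
                findings.append(f"{kind}/{name}: unsafe sysctl {entry.get('name')}")
    return findings

# Constructed sample manifests mirroring the page's examples, not real cluster data.
SAMPLE = [
    {"kind": "Deployment", "metadata": {"name": "test-app-neg"},
     "spec": {"template": {"spec": {"securityContext": {"sysctls": [
         {"name": "kernel.shm_rmid_forced", "value": "0"},
         {"name": "net/ipv4/tcp_syncookies", "value": "1"}]}}}}},
    {"kind": "Pod", "metadata": {"name": "sysctl-example"},
     "spec": {"securityContext": {"sysctls": [
         {"name": "net.core.somaxconn", "value": "1024"},
         {"name": "kernel.msgmax", "value": "65536"}]}}},
    {"kind": "PodSecurityPolicy", "metadata": {"name": "sysctl-psp"},
     "spec": {"allowedUnsafeSysctls": ["kernel.msg*"]}},
]
if __name__ == "__main__":
    print("\n".join(find_violations(SAMPLE)) or "no findings")
```

Run against the constructed sample, the Deployment passes (slash-notation `net/ipv4/tcp_syncookies` is recognised as safe) while the Pod and the PodSecurityPolicy each produce findings.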
Compliant Code Examples
```yaml
# Compliant: the query should not find any result in this code
apiVersion: v1
kind: Pod
metadata:
  name: sysctl-example
spec:
  securityContext:
    sysctls:
      - name: kernel.shm_rmid_forced
        value: "0"
      - name: net.ipv4.ip_local_port_range
        value: "0"
  containers:
    - name: test1
      image: nginx
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: sysctl-psp
spec:
  forbiddenSysctls:
    - kernel.shm_rmid_forced
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
```
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-app-neg
  labels:
    app: test-app-neg
spec:
  selector:
    matchLabels:
      app: test-app-neg
  template:
    metadata:
      labels:
        app: test-app-neg
    spec:
      securityContext:
        sysctls:
          - name: kernel.shm_rmid_forced
            value: "0"
          - name: net/ipv4/tcp_syncookies
            value: "1"
      containers:
        - name: test-ubuntu
          image: ubuntu
```
Non-Compliant Code Examples
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-app
  labels:
    app: test-app
spec:
  selector:
    matchLabels:
      app: test-app
  template:
    metadata:
      labels:
        app: test-app
    spec:
      securityContext:
        sysctls:
          - name: kernel.sem
            value: "128 32768 128 4096"
      containers:
        - name: test-ubuntu
          image: ubuntu
```
```yaml
# Non-compliant: the query should report one or more results for this code
apiVersion: v1
kind: Pod
metadata:
  name: sysctl-example
spec:
  securityContext:
    sysctls:
      - name: kernel.shm_rmid_forced
        value: "0"
      - name: net.core.somaxconn
        value: "1024"
      - name: kernel.msgmax
        value: "65536"
  containers:
    - name: test1
      image: nginx
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: sysctl-psp
spec:
  allowedUnsafeSysctls:
    - kernel.msg*
  forbiddenSysctls:
    - kernel.shm_rmid_forced
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
```