For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/kubernetes-cluster-allows-unsafe-sysctls.md. A documentation index is available at /llms.txt.

Cluster allows unsafe sysctls

This product is not supported for your selected Datadog site. ().

Metadata

Id: kubernetes-cluster-allows-unsafe-sysctls

Platform: Kubernetes

Severity: High

Category: Insecure Configurations

Learn More

Description

A Kubernetes cluster must not allow unsafe sysctls. Allowing unsafe sysctls can let a Pod influence other Pods, harm node stability, or consume CPU or memory beyond resource limits. spec.securityContext.sysctls must not include unsafe sysctls, and allowedUnsafeSysctls must be undefined. This rule detects PodSecurityPolicy resources where allowedUnsafeSysctls is defined and flags any spec.securityContext.sysctls entries that are not in the defined safe list. Only a limited set of sysctls are considered safe; all others are treated as unsafe and should not be used.

Compliant Code Examples

#this code is a correct code for which the query should not find any result
apiVersion: v1
kind: Pod
metadata:
  name: sysctl-example
spec:
  securityContext:
    sysctls:
    - name: kernel.shm_rmid_forced
      value: "0"
    - name: net.ipv4.ip_local_port_range
      value: "0"
  containers:
    - name: test1
      image: nginx
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: sysctl-psp
spec:
  forbiddenSysctls:
  - kernel.shm_rmid_forced
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-app-neg
  labels:
    app: test-app-neg
spec:
  selector:
    matchLabels:
      app: test-app-neg
  template:
    metadata:
      labels:
        app: test-app-neg
    spec:
      securityContext:
        sysctls:
        - name: kernel.shm_rmid_forced
          value: "0"
        - name: net/ipv4/tcp_syncookies
          value: "1"
      containers:
      - name: test-ubuntu
        image: ubuntu

Non-Compliant Code Examples

#this is a problematic code where the query should report a result(s)
apiVersion: v1
kind: Pod
metadata:
  name: sysctl-example
spec:
  securityContext:
    sysctls:
    - name: kernel.shm_rmid_forced
      value: "0"
    - name: net.core.somaxconn
      value: "1024"
    - name: kernel.msgmax
      value: "65536"
  containers:
    - name: test1
      image: nginx
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: sysctl-psp
spec:
  allowedUnsafeSysctls:
  - kernel.msg*
  forbiddenSysctls:
  - kernel.shm_rmid_forced
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-app
  labels:
    app: test-app
spec:
  selector:
    matchLabels:
      app: test-app
  template:
    metadata:
      labels:
        app: test-app
    spec:
      securityContext:
        sysctls:
        - name: kernel.sem
          value: "128 32768 128 4096"
      containers:
      - name: test-ubuntu
        image: ubuntu