Cluster Allows Unsafe Sysctls
- Query id: 9127f0d9-2310-42e7-866f-5fd9d20dcbad
- Query name: Cluster Allows Unsafe Sysctls
- Platform: Kubernetes
- Severity: High
- Category: Insecure Configurations
- URL: Github
Description¶
A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
apiVersion: v1
kind: Pod
metadata:
name: sysctl-example
spec:
securityContext:
sysctls:
- name: kernel.shm_rmid_forced
value: "0"
- name: net.core.somaxconn
value: "1024"
- name: kernel.msgmax
value: "65536"
containers:
- name: test1
image: nginx
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: sysctl-psp
spec:
allowedUnsafeSysctls:
- kernel.msg*
forbiddenSysctls:
- kernel.shm_rmid_forced
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
Positive test num. 2 - yaml file
apiVersion: apps/v1
kind: Deployment
metadata:
name: test-app
labels:
app: test-app
spec:
selector:
matchLabels:
app: test-app
template:
metadata:
labels:
app: test-app
spec:
securityContext:
sysctls:
- name: kernel.sem
value: "128 32768 128 4096"
containers:
- name: test-ubuntu
image: ubuntu
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
apiVersion: v1
kind: Pod
metadata:
name: sysctl-example
spec:
securityContext:
sysctls:
- name: kernel.shm_rmid_forced
value: "0"
- name: net.ipv4.ip_local_port_range
value: "0"
containers:
- name: test1
image: nginx
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: sysctl-psp
spec:
forbiddenSysctls:
- kernel.shm_rmid_forced
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
Negative test num. 2 - yaml file
apiVersion: apps/v1
kind: Deployment
metadata:
name: test-app-neg
labels:
app: test-app-neg
spec:
selector:
matchLabels:
app: test-app-neg
template:
metadata:
labels:
app: test-app-neg
spec:
securityContext:
sysctls:
- name: kernel.shm_rmid_forced
value: "0"
- name: net/ipv4/tcp_syncookies
value: "1"
containers:
- name: test-ubuntu
image: ubuntu