github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Mark net.ipv4.ip_unprivileged_port_start as a safe sysctl

Browse Source 
Signed-off-by: pacoxu <paco.xu@daocloud.io>
This commit is contained in:
pacoxu 2021-06-30 11:55:05 +08:00
parent c206af0367
commit 2cab85a403
49 changed files with 97 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns.go
View File

@ -35,6 +35,7 @@ func SafeSysctlWhitelist() []string {
"net.ipv4.ip_local_port_range",
"net.ipv4.tcp_syncookies",
"net.ipv4.ping_group_range",
"net.ipv4.ip_unprivileged_port_start",
}
}

1
staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
View File

@ -50,6 +50,7 @@ var (
"net.ipv4.ip_local_port_range",
"net.ipv4.tcp_syncookies",
"net.ipv4.ping_group_range",
"net.ipv4.ip_unprivileged_port_start",
)
)

4
staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go
View File

@ -40,13 +40,15 @@ func init() {
// security context with no sysctls
tweak(p, func(p *corev1.Pod) { p.Spec.SecurityContext.Sysctls = nil }),
// sysctls with name="kernel.shm_rmid_forced" ,"net.ipv4.ip_local_port_range"
// "net.ipv4.tcp_syncookies", "net.ipv4.ping_group_range"
// "net.ipv4.tcp_syncookies", "net.ipv4.ping_group_range",
// "net.ipv4.ip_unprivileged_port_start"
tweak(p, func(p *corev1.Pod) {
p.Spec.SecurityContext.Sysctls = []corev1.Sysctl{
{Name: "kernel.shm_rmid_forced", Value: "0"},
{Name: "net.ipv4.ip_local_port_range", Value: "1024 65535"},
{Name: "net.ipv4.tcp_syncookies", Value: "0"},
{Name: "net.ipv4.ping_group_range", Value: "1 0"},
{Name: "net.ipv4.ip_unprivileged_port_start", Value: "1024"},
}
}),
}

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/sysctls1.yaml vendored
View File

@ -20,3 +20,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/sysctls1.yaml vendored
View File

@ -20,3 +20,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/sysctls1.yaml vendored
View File

@ -20,3 +20,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/sysctls1.yaml vendored
View File

@ -20,3 +20,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/sysctls1.yaml vendored
View File

@ -20,3 +20,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/sysctls1.yaml vendored
View File

@ -20,3 +20,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/sysctls1.yaml vendored
View File

@ -20,3 +20,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/sysctls1.yaml vendored
View File

@ -20,3 +20,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"