diff --git a/pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns.go b/pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns.go
index e803ebf751c..d72e18324c5 100644
--- a/pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns.go
+++ b/pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns.go
@@ -35,6 +35,7 @@ func SafeSysctlWhitelist() []string {
 "net.ipv4.ip_local_port_range",
 "net.ipv4.tcp_syncookies",
 "net.ipv4.ping_group_range",
+ "net.ipv4.ip_unprivileged_port_start",
 }
 }
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go b/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
index f65a2ad49a0..da1479373eb 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
@@ -50,6 +50,7 @@ var (
 "net.ipv4.ip_local_port_range",
 "net.ipv4.tcp_syncookies",
 "net.ipv4.ping_group_range",
+ "net.ipv4.ip_unprivileged_port_start",
 )
 )
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go
index 3590023941a..a348224e56d 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go
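Review bot: The entry added to `SafeSysctlWhitelist()` carries no comment explaining why it counts as safe, and as far as the hunk shows the list admits by name alone, so every value is accepted, including `0`, which lets non-root processes in the pod bind ports below 1024. That is defensible because the setting is scoped to the pod's network namespace, and the reasoning belongs next to the entry, for example `// per network namespace; any value is admitted, 0 lets non-root bind ports < 1024`. The same literal is repeated in the `check_sysctls.go` hunk, so a short keep-in-sync pointer between the two lists would help the next addition. The function body starts above the hunk.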
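Review bot: Adding the name to the single allowed set in `check_sysctls.go` changes the verdict for every policy version at once, which the pass fixtures updated for v1.0 through v1.22 later in this commit confirm. A namespace pinned to an older policy version therefore becomes more permissive after the upgrade, and if nodes of that vintage do not treat this sysctl as safe, a pod that passes admission could still be refused on the node (inferred; no node-side code is in this diff). Either gate the entry on the policy version that introduces it, or state the retroactive behaviour beside it, for example `// allowed for all policy versions, including pinned ones`. The `var (` block starts above the hunk.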
@@ -40,13 +40,15 @@ func init() {
 // security context with no sysctls
 tweak(p, func(p *corev1.Pod) { p.Spec.SecurityContext.Sysctls = nil }),
 // sysctls with name="kernel.shm_rmid_forced" ,"net.ipv4.ip_local_port_range"
- // "net.ipv4.tcp_syncookies", "net.ipv4.ping_group_range"
+ // "net.ipv4.tcp_syncookies", "net.ipv4.ping_group_range",
+ // "net.ipv4.ip_unprivileged_port_start"
 tweak(p, func(p *corev1.Pod) {
 p.Spec.SecurityContext.Sysctls = []corev1.Sysctl{
 {Name: "kernel.shm_rmid_forced", Value: "0"},
 {Name: "net.ipv4.ip_local_port_range", Value: "1024 65535"},
 {Name: "net.ipv4.tcp_syncookies", Value: "0"},
 {Name: "net.ipv4.ping_group_range", Value: "1 0"},
+ {Name: "net.ipv4.ip_unprivileged_port_start", Value: "1024"},
 }
 }),
 }
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
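Review bot: The added fixture entry sets `net.ipv4.ip_unprivileged_port_start` to `1024`, which is the kernel default, so the pass case never shows the setting operators actually reach for, a lowered threshold. If the check is name-based, as the policy hunk suggests, a non-default value would document that admission does not depend on the value: `{Name: "net.ipv4.ip_unprivileged_port_start", Value: "0"},`. The testdata YAML files in this commit would then need the same value. `init()` starts and ends outside the hunk.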
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/sysctls1.yaml
index ee4a499ff5f..13adc0c3651 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/sysctls1.yaml
@@ -19,3 +19,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/sysctls1.yaml
index 220289ae3be..fb041f3fc59 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/sysctls1.yaml
@@ -20,3 +20,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/sysctls1.yaml
index 220289ae3be..fb041f3fc59 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/sysctls1.yaml
@@ -20,3 +20,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/sysctls1.yaml
index 1a364429f4a..dbb7d262e07 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/sysctls1.yaml
@@ -24,3 +24,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/sysctls1.yaml
index 1a364429f4a..dbb7d262e07 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/sysctls1.yaml
@@ -24,3 +24,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/sysctls1.yaml
index 1a364429f4a..dbb7d262e07 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/sysctls1.yaml
@@ -24,3 +24,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/sysctls1.yaml
index 1a364429f4a..dbb7d262e07 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/sysctls1.yaml
@@ -24,3 +24,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/sysctls1.yaml
index 1a364429f4a..dbb7d262e07 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/sysctls1.yaml
@@ -24,3 +24,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/sysctls1.yaml
index 1a364429f4a..dbb7d262e07 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/sysctls1.yaml
@@ -24,3 +24,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/sysctls1.yaml
index 1a364429f4a..dbb7d262e07 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/sysctls1.yaml
@@ -24,3 +24,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/sysctls1.yaml
index 1a364429f4a..dbb7d262e07 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/sysctls1.yaml
@@ -24,3 +24,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/sysctls1.yaml
index 1a364429f4a..dbb7d262e07 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/sysctls1.yaml
@@ -24,3 +24,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/sysctls1.yaml
index 1a364429f4a..dbb7d262e07 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/sysctls1.yaml
@@ -24,3 +24,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/sysctls1.yaml
index 220289ae3be..fb041f3fc59 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/sysctls1.yaml
@@ -20,3 +20,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/sysctls1.yaml
index 1a364429f4a..dbb7d262e07 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/sysctls1.yaml
@@ -24,3 +24,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/sysctls1.yaml
index 1a364429f4a..dbb7d262e07 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/sysctls1.yaml
@@ -24,3 +24,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/sysctls1.yaml
index 1a364429f4a..dbb7d262e07 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/sysctls1.yaml
@@ -24,3 +24,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/sysctls1.yaml
index 220289ae3be..fb041f3fc59 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/sysctls1.yaml
@@ -20,3 +20,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/sysctls1.yaml
index 220289ae3be..fb041f3fc59 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/sysctls1.yaml
@@ -20,3 +20,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/sysctls1.yaml
index 220289ae3be..fb041f3fc59 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/sysctls1.yaml
@@ -20,3 +20,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/sysctls1.yaml
index 220289ae3be..fb041f3fc59 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/sysctls1.yaml
@@ -20,3 +20,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/sysctls1.yaml
index 220289ae3be..fb041f3fc59 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/sysctls1.yaml
@@ -20,3 +20,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/sysctls1.yaml
index 1a364429f4a..dbb7d262e07 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/sysctls1.yaml
@@ -24,3 +24,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/sysctls1.yaml
index 1a364429f4a..dbb7d262e07 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/sysctls1.yaml
@@ -24,3 +24,5 @@ spec:
 value: "0"
 - name: net.ipv4.ping_group_range
 value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"