github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-29 14:37:00 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #103326 from pacoxu/safe-sysctls

Browse Source 
Mark net.ipv4.ip_unprivileged_port_start as a safe sysctl
This commit is contained in:
Kubernetes Prow Robot 2021-07-01 09:49:55 -07:00 committed by GitHub
commit b0af328e6e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
49 changed files with 97 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns.go
View File

@ -35,6 +35,7 @@ func SafeSysctlWhitelist() []string {
"net.ipv4.ip_local_port_range", "net.ipv4.ip_local_port_range",
"net.ipv4.tcp_syncookies", "net.ipv4.tcp_syncookies",
"net.ipv4.ping_group_range", "net.ipv4.ping_group_range",
"net.ipv4.ip_unprivileged_port_start",
} }
} }

1
staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
View File

@ -50,6 +50,7 @@ var (
"net.ipv4.ip_local_port_range", "net.ipv4.ip_local_port_range",
"net.ipv4.tcp_syncookies", "net.ipv4.tcp_syncookies",
"net.ipv4.ping_group_range", "net.ipv4.ping_group_range",
"net.ipv4.ip_unprivileged_port_start",
) )
) )

4
staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go
View File

@ -40,13 +40,15 @@ func init() {
// security context with no sysctls // security context with no sysctls
tweak(p, func(p *corev1.Pod) { p.Spec.SecurityContext.Sysctls = nil }), tweak(p, func(p *corev1.Pod) { p.Spec.SecurityContext.Sysctls = nil }),
// sysctls with name="kernel.shm_rmid_forced" ,"net.ipv4.ip_local_port_range" // sysctls with name="kernel.shm_rmid_forced" ,"net.ipv4.ip_local_port_range"
// "net.ipv4.tcp_syncookies", "net.ipv4.ping_group_range" // "net.ipv4.tcp_syncookies", "net.ipv4.ping_group_range",
// "net.ipv4.ip_unprivileged_port_start"
tweak(p, func(p *corev1.Pod) { tweak(p, func(p *corev1.Pod) {
p.Spec.SecurityContext.Sysctls = []corev1.Sysctl{ p.Spec.SecurityContext.Sysctls = []corev1.Sysctl{
{Name: "kernel.shm_rmid_forced", Value: "0"}, {Name: "kernel.shm_rmid_forced", Value: "0"},
{Name: "net.ipv4.ip_local_port_range", Value: "1024 65535"}, {Name: "net.ipv4.ip_local_port_range", Value: "1024 65535"},
{Name: "net.ipv4.tcp_syncookies", Value: "0"}, {Name: "net.ipv4.tcp_syncookies", Value: "0"},
{Name: "net.ipv4.ping_group_range", Value: "1 0"}, {Name: "net.ipv4.ping_group_range", Value: "1 0"},
{Name: "net.ipv4.ip_unprivileged_port_start", Value: "1024"},
} }
}), }),
} }

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/sysctls1.yaml vendored
View File

@ -19,3 +19,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/sysctls1.yaml vendored
View File

@ -20,3 +20,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/sysctls1.yaml vendored
View File

@ -20,3 +20,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/sysctls1.yaml vendored
View File

@ -20,3 +20,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/sysctls1.yaml vendored
View File

@ -20,3 +20,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/sysctls1.yaml vendored
View File

@ -20,3 +20,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/sysctls1.yaml vendored
View File

@ -20,3 +20,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/sysctls1.yaml vendored
View File

@ -20,3 +20,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/sysctls1.yaml vendored
View File

@ -20,3 +20,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

2
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/sysctls1.yaml vendored
View File

@ -24,3 +24,5 @@ spec:
value: "0" value: "0"
- name: net.ipv4.ping_group_range - name: net.ipv4.ping_group_range
value: 1 0 value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"