diff --git a/charts/test-krish-globalps/Chart.yaml b/charts/test-krish-globalps/Chart.yaml index cea7dd04..29c6a533 100644 --- a/charts/test-krish-globalps/Chart.yaml +++ b/charts/test-krish-globalps/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: test-krish description: Pod Security Standards (baseline) policy set type: application -version: 0.5.20 +version: 0.5.21 appVersion: 0.1.0 keywords: - kubernetes diff --git a/charts/test-krish-globalps/pols/restrict-sysctls.yaml b/charts/test-krish-globalps/pols/restrict-sysctls.yaml deleted file mode 100644 index 247cab07..00000000 --- a/charts/test-krish-globalps/pols/restrict-sysctls.yaml +++ /dev/null @@ -1,36 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-sysctls - annotations: - policies.kyverno.io/title: Restrict sysctls - policies.kyverno.io/category: Pod Security Standards (Baseline) - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod - kyverno.io/kubernetes-version: "1.22-1.23" - policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/restrict-sysctls/" - policies.kyverno.io/description: >- - Sysctls can disable security mechanisms or affect all containers on a - host, and should be disallowed except for an allowed "safe" subset. A - sysctl is considered safe if it is namespaced in the container or the - Pod, and it is isolated from other Pods or processes on the same Node. - This policy ensures that only those "safe" subsets can be specified in - a Pod. -spec: - validationFailureAction: Audit - background: true - rules: - - name: check-sysctls - match: - any: - - resources: - kinds: - - Pod - validate: - message: >- - Setting additional sysctls above the allowed type is disallowed. - pattern: - spec: - =(securityContext): - =(sysctls): - - =(name): "kernel.shm_rmid_forced | net.ipv4.ip_local_port_range | net.ipv4.ip_unprivileged_port_start | net.ipv4.tcp_syncookies | net.ipv4.ping_group_range"