Enhanced:Simplify the Cel Expression of restrict sysctls

Signed-off-by: Lavish pal <lavish@debian.0.2.15> Signed-off-by: Lavish pal <lvishpal408@gmail.com>
kyverno · Aug 2, 2024 · 8f1746c · 8f1746c
1 parent 4854f24
commit 8f1746c
Showing 1 changed file with 10 additions and 6 deletions.
diff --git a/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml b/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml
@@ -36,12 +36,16 @@ spec:
             - expression: >- 
                 !has(object.spec.securityContext) ||
                 !has(object.spec.securityContext.sysctls) ||
-                object.spec.securityContext.sysctls.all(sysctl, !has(sysctl.name) ||
-                sysctl.name == 'kernel.shm_rmid_forced' ||
-                sysctl.name == 'net.ipv4.ip_local_port_range' ||
-                sysctl.name == 'net.ipv4.ip_unprivileged_port_start' ||
-                sysctl.name == 'net.ipv4.tcp_syncookies' ||
-                sysctl.name == 'net.ipv4.ping_group_range')
+                object.spec.securityContext.sysctls.all(sysctl, 
+                  !has(sysctl.name) ||
+                  [
+                  'kernel.shm_rmid_forced',
+                  'net.ipv4.ip_local_port_range',
+                  'net.ipv4.ip_unprivileged_port_start',
+                  'net.ipv4.tcp_syncookies',
+                  'net.ipv4.ping_group_range'
+                  ].exists(allowedName, allowedName == (sysctl.name)
+                    
               message: >-
                 Setting additional sysctls above the allowed type is disallowed.
                 The field spec.securityContext.sysctls must be unset or not use any other names