From 8f1746c8c766659cbf5559ad1b9afa1f14139e44 Mon Sep 17 00:00:00 2001
From: Lavish pal
Date: Fri, 2 Aug 2024 12:06:24 +0530
Subject: [PATCH] Enhanced:Simplify the Cel Expression of restrict sysctls

Signed-off-by: Lavish pal
Signed-off-by: Lavish pal
---
 .../restrict-sysctls/restrict-sysctls.yaml | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml b/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml
index d564df539..87ba02cbe 100644
--- a/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml
+++ b/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml
@@ -36,12 +36,16 @@ spec:
 - expression: >-
 !has(object.spec.securityContext) ||
 !has(object.spec.securityContext.sysctls) ||
- object.spec.securityContext.sysctls.all(sysctl, !has(sysctl.name) ||
- sysctl.name == 'kernel.shm_rmid_forced' ||
- sysctl.name == 'net.ipv4.ip_local_port_range' ||
- sysctl.name == 'net.ipv4.ip_unprivileged_port_start' ||
- sysctl.name == 'net.ipv4.tcp_syncookies' ||
- sysctl.name == 'net.ipv4.ping_group_range')
+ object.spec.securityContext.sysctls.all(sysctl,
+ !has(sysctl.name) ||
+ [
+ 'kernel.shm_rmid_forced',
+ 'net.ipv4.ip_local_port_range',
+ 'net.ipv4.ip_unprivileged_port_start',
+ 'net.ipv4.tcp_syncookies',
+ 'net.ipv4.ping_group_range'
+ ].exists(allowedName, allowedName == (sysctl.name)
+
 message: >-
 Setting additional sysctls above the allowed type is disallowed.
 The field spec.securityContext.sysctls must be unset or not use any other names
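Review bot: As rendered here the new expression closes neither the `.exists(` macro nor the enclosing `.all(` call — the last added content line `].exists(allowedName, allowedName == (sysctl.name)` balances only the parentheses wrapped around `sysctl.name`, and the added line after it is blank — so unless a closing line was lost in this rendering the CEL does not parse, and Kyverno will either reject the policy when it is applied or fail the rule at evaluation time; in neither case is a pod carrying a non-baseline sysctl actually denied. The `(sysctl.name)` grouping is also superfluous, and CEL's list-membership operator expresses the same allow-list without a nested macro, which is closer to the commit's "simplify" goal: `object.spec.securityContext.sysctls.all(sysctl, !has(sysctl.name) ||` / `sysctl.name in ['kernel.shm_rmid_forced', 'net.ipv4.ip_local_port_range', 'net.ipv4.ip_unprivileged_port_start',` / `'net.ipv4.tcp_syncookies', 'net.ipv4.ping_group_range'])`. If the `exists` form is kept instead, its final line should end `allowedName == sysctl.name))` so both calls are closed. The enclosing `validate.cel.expressions` rule begins above line 36 and is not visible in this hunk, so the other expressions in the list (if any) should be checked for the same bracket count. A Kyverno CLI test that applies the policy to a pod requesting a disallowed sysctl (e.g. `net.core.somaxconn`) and expects a `fail` result would have caught a non-compiling expression before merge.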