From fb850d5124a90b80fbc89f45b58390728f3e6c42 Mon Sep 17 00:00:00 2001
From: Lavish pal
Date: Fri, 2 Aug 2024 12:21:36 +0530
Subject: [PATCH 1/2] Upgrade the digest value.

Signed-off-by: Lavish pal
---
 .../restrict-sysctls/restrict-sysctls.yaml | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml b/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml
index d564df539..87ba02cbe 100644
--- a/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml
+++ b/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml
@@ -36,12 +36,16 @@ spec:
 - expression: >-
 !has(object.spec.securityContext) || !has(object.spec.securityContext.sysctls) ||
- object.spec.securityContext.sysctls.all(sysctl, !has(sysctl.name) ||
- sysctl.name == 'kernel.shm_rmid_forced' ||
- sysctl.name == 'net.ipv4.ip_local_port_range' ||
- sysctl.name == 'net.ipv4.ip_unprivileged_port_start' ||
- sysctl.name == 'net.ipv4.tcp_syncookies' ||
- sysctl.name == 'net.ipv4.ping_group_range')
+ object.spec.securityContext.sysctls.all(sysctl,
+ !has(sysctl.name) ||
+ [
+ 'kernel.shm_rmid_forced',
+ 'net.ipv4.ip_local_port_range',
+ 'net.ipv4.ip_unprivileged_port_start',
+ 'net.ipv4.tcp_syncookies',
+ 'net.ipv4.ping_group_range'
+ ].exists(allowedName, allowedName == (sysctl.name)
+
 message: >-
 Setting additional sysctls above the allowed type is disallowed. The field spec.securityContext.sysctls must be unset or not use any other names

From 2f0c4c5f4971b66187c6eb89e069d5c6c2afc388 Mon Sep 17 00:00:00 2001
From: Lavish pal
Date: Fri, 2 Aug 2024 18:27:51 +0530
Subject: [PATCH 2/2] Update the Artifact hub

Signed-off-by: Lavish pal
---
 pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
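Review bot: The rewritten expression on the added lines never closes the `.all(` and `.exists(` calls it opens — `].exists(allowedName, allowedName == (sysctl.name)` only closes the parenthesised `sysctl.name`, so as rendered here the CEL is short two `)` and will not compile, and a policy whose expression fails to compile is presumably rejected at load rather than applied, which leaves the baseline sysctl restriction unenforced instead of failing closed. The membership test is simpler and avoids the lambda with CEL's `in` operator: replace the `!has(sysctl.name) ||` and `[` lines with `!has(sysctl.name) || sysctl.name in [` and the `].exists(...)` line with `])`, which also closes the outer `all(`. The blank added line before `message:` appears to be a stray and should be dropped. Separately, the allow-list itself is unchanged from the removed lines; if the policy is meant to cover the `1.26-1.27` range declared in the package metadata, check it against the upstream PSS baseline list, which added `net.ipv4.ip_local_reserved_ports` in 1.27. The subject `Upgrade the digest value.` describes the second patch, while this one changes the expression.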
diff --git a/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml b/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml
index 737e81be9..dce9a2d57 100644
--- a/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml
+++ b/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml
@@ -19,5 +19,5 @@ annotations:
 kyverno/category: "Pod Security Standards (Baseline) in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: 97f75f8cdd2e3ee9f9696cdceccc34cf0df5edbca0e3bbab76572494a26ce6e8
+digest: c9b480f97695316999bec53d4d9ee9b79d726eeb3038b941f64590bf98cb2486
 createdAt: "2023-12-03T00:22:33Z"