sysctl related PodSecurityPolicy spec since 1.12 (#3743)

roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2

@@ -43,6 +43,10 @@ spec:
       - min: 1
         max: 65535
   readOnlyRootFilesystem: false
+{% if kube_version is version('v1.12.1', '>=') %}
+  forbiddenSysctls:
+  - '*'
+{% endif %}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -75,3 +79,8 @@ spec:
   fsGroup:
     rule: 'RunAsAny'
   readOnlyRootFilesystem: false
+{% if kube_version is version('v1.12.1', '>=') %}
+  # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
+  allowedUnsafeSysctls:
+  - '*'
+{% endif %}