[HN Gopher] Container escape flaw fixed in CRI-O runtime engine
       ___________________________________________________________________
        
       Container escape flaw fixed in CRI-O runtime engine
        
       Author : whiteyford
       Score  : 81 points
       Date   : 2022-03-18 13:23 UTC (9 hours ago)
        
 (HTM) web link (duo.com)
 (TXT) w3m dump (duo.com)
        
       | e44858 wrote:
       | Would Podman rootless prevent such exploits? You could run each
       | pod under a separate user that has no access to important files.
        
       | raesene9 wrote:
       | The original write-up is linked from this post
       | https://www.crowdstrike.com/blog/cr8escape-new-vulnerability... -
       | Good, lots of details on exact reproduction.
       | 
       | One idea for mitigation before you can get a patch out for this
       | would be to use admission control (e.g. OPA/Kyverno) to block
       | setting custom sysctls altogether or blocking the characters used
        | in the attack. There are some notes on that at
        | https://blog.aquasec.com/cve-2022-0811-cri-o-vulnerability and
        | Kyverno has a mention of the finer-grained policy at
        | https://twitter.com/kyverno/status/1504499323324678145
       | 
       | One thing that's worth noting is that to exploit this the
       | attacker needs create pod rights (or rights to create a workload
       | type that then creates pods), so it's probably not critical for
       | every cluster.
        
         | dilyevsky wrote:
          | The Security Policies API is still not removed, so as a one-off
          | you can disable sysctls that way:
          | https://kubernetes.io/docs/concepts/policy/pod-security-poli...
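Worked example of the mitigation discussed in the two comments above (blocking custom sysctls at admission time, either outright or down to an allow-list). This is an added illustration, not code from the thread, from CRI-O, OPA or Kyverno: it expresses as plain Python the decision an admission controller would make, so the logic can be read and run offline. The pod manifests are constructed, the `SAFE_SYSCTLS` allow-list is an assumed policy choice, and `review_pod` / `sysctls_in_pod` are hypothetical helper names.

```python
"""Admission-style check that rejects pods declaring custom sysctls.

Added example, not the thread's or any project's code. It mirrors the
"block custom sysctls altogether" mitigation (empty allow-list) and the
finer-grained variant (named allow-list plus a conservative value shape).
All manifests below are constructed for illustration.
"""
import json
import re
from typing import Iterable

# Assumed allow-list: the sysctls Kubernetes documents as namespaced and
# safe. Treat this as a policy choice, not something the thread prescribes.
SAFE_SYSCTLS = (
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.ping_group_range",
    "net.ipv4.tcp_syncookies",
)

# Conservative value shape: one or two unsigned integers ("1", "32768 60999").
# Anything else (letters, punctuation, extra tokens) is refused.
SAFE_VALUE = re.compile(r"^[0-9]+( [0-9]+)?$")


def sysctls_in_pod(pod: dict) -> list:
    """Return the {name, value} sysctl entries declared on a pod, if any."""
    spec = pod.get("spec") or {}
    ctx = spec.get("securityContext") or {}
    return list(ctx.get("sysctls") or [])


def review_pod(pod: dict, allowed_sysctls: Iterable[str] = ()) -> dict:
    """Decide whether a pod is admitted.

    An empty allow-list denies every sysctl (the blanket option). With an
    allow-list, only listed names carrying a plain numeric value pass.
    The result is shaped like the 'response' part of an AdmissionReview.
    """
    allowed = set(allowed_sysctls)
    reasons = []
    for entry in sysctls_in_pod(pod):
        name = str(entry.get("name", ""))
        value = str(entry.get("value", ""))
        if name not in allowed:
            reasons.append(f"sysctl {name!r} is not permitted by policy")
        elif not SAFE_VALUE.fullmatch(value):
            reasons.append(f"sysctl {name!r} has a non-numeric value {value!r}")
    pod_name = (pod.get("metadata") or {}).get("name", "<unnamed>")
    if reasons:
        return {
            "allowed": False,
            "status": {"code": 403,
                       "message": f"pod {pod_name}: " + "; ".join(reasons)},
        }
    return {"allowed": True}


# Constructed sample manifests.
PLAIN_POD = {"apiVersion": "v1", "kind": "Pod",
             "metadata": {"name": "web"},
             "spec": {"containers": [{"name": "app", "image": "nginx"}]}}

SYSCTL_POD = {"apiVersion": "v1", "kind": "Pod",
              "metadata": {"name": "tuned"},
              "spec": {"securityContext": {"sysctls": [
                           {"name": "net.ipv4.tcp_syncookies", "value": "1"},
                           {"name": "kernel.shm_rmid_forced", "value": "1"}]},
                       "containers": [{"name": "app", "image": "nginx"}]}}

# Allowed name, but a value that is not a plain number: refused.
ODD_POD = {"apiVersion": "v1", "kind": "Pod",
           "metadata": {"name": "odd"},
           "spec": {"securityContext": {"sysctls": [
                        {"name": "net.ipv4.tcp_syncookies", "value": "on"}]},
                    "containers": [{"name": "app", "image": "nginx"}]}}

if __name__ == "__main__":
    for label, pod, allow in (("blanket", SYSCTL_POD, ()),
                              ("allow-list", SYSCTL_POD, SAFE_SYSCTLS),
                              ("odd value", ODD_POD, SAFE_SYSCTLS),
                              ("no sysctls", PLAIN_POD, ())):
        print(label, json.dumps(review_pod(pod, allow)))
```

The blanket mode is the quick stop-gap the first comment suggests; the allow-list mode is the finer-grained shape an OPA or Kyverno rule would take once the cluster needs some tuning sysctls back. Either way the check only inspects `spec.securityContext.sysctls`, so it must be applied to Pods created through workload controllers as well, which is exactly why the comment notes that create-pod rights (directly or via a workload type) are the precondition.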
        
       ___________________________________________________________________
       (page generated 2022-03-18 23:01 UTC)