CVE-2022-0811: Prevent pods from having securityContext with sysctls that contains + or =

CVE-2022-0811: A flaw was found in CRI-O (version 1.19+) in the way it set kernel options for a pod. This issue allows anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime to achieve a container escape and arbitrary code execution as root on the cluster node where the malicious pod was deployed.

Risk Level: Critical
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.AC.24
Covered by Spectral: No
Category: Compute

GSL LOGIC

KubernetesPod should not have spec.securityContext.sysctls contain-any [ value like '%+%' or value like '%=%' ]
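The same check expressed as code, as an added example (not CloudGuard's own implementation): a pure-Python function that mirrors the GSL rule above over an already-parsed pod manifest, suitable for a validating admission webhook or a CI lint. The sample manifests and the `admission_decision` helper are constructed for this example.

```python
# Added example mirroring the GSL rule; assumes the pod manifest is already
# parsed into a dict (e.g. by yaml.safe_load) and is not CloudGuard code.
FORBIDDEN_CHARS = ("+", "=")


def offending_sysctls(pod: dict) -> list:
    """Return entries of spec.securityContext.sysctls whose value contains
    '+' or '=', i.e. exactly the entries the GSL rule matches."""
    spec = pod.get("spec") or {}
    sec_ctx = spec.get("securityContext") or {}
    sysctls = sec_ctx.get("sysctls") or []
    bad = []
    for entry in sysctls:
        # The API stores value as a string, but a hand-written manifest may
        # carry an int; stringify so a YAML type cannot bypass the check.
        value = str(entry.get("value", ""))
        if any(c in value for c in FORBIDDEN_CHARS):
            bad.append({"name": entry.get("name", "<unnamed>"), "value": value})
    return bad


def admission_decision(pod: dict) -> tuple:
    """Return (allowed, message) the way a validating webhook would report it."""
    bad = offending_sysctls(pod)
    if not bad:
        return True, "no sysctl value contains '+' or '='"
    detail = ", ".join(f"{b['name']}={b['value']!r}" for b in bad)
    return False, f"CVE-2022-0811: sysctl value contains '+' or '=': {detail}"


# Constructed sample manifests (already parsed), not taken from any cluster.
CONTAINERS = [{"name": "app", "image": "example/app"}]
SAFE_POD = {"kind": "Pod", "metadata": {"name": "safe"}, "spec": {
    "securityContext": {"sysctls": [
        {"name": "net.ipv4.ip_unprivileged_port_start", "value": "1024"}]},
    "containers": CONTAINERS}}
BLOCKED_POD = {"kind": "Pod", "metadata": {"name": "blocked"}, "spec": {
    "securityContext": {"sysctls": [
        {"name": "net.ipv4.ip_unprivileged_port_start", "value": "1024+x=y"}]},
    "containers": CONTAINERS}}
# No securityContext at all: must be allowed, not crash.
NO_CONTEXT_POD = {"kind": "Pod", "metadata": {"name": "plain"},
                  "spec": {"containers": CONTAINERS}}

if __name__ == "__main__":
    for pod in (SAFE_POD, BLOCKED_POD, NO_CONTEXT_POD):
        print(pod["metadata"]["name"], admission_decision(pod))
```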

REMEDIATION

At the Kubernetes level:
  • Set this Admission Control rule to block.
At the CRI-O level:
  • Upgrade to a patched version of CRI-O.
  • Set pinns_path in crio.conf to point to a pinns wrapper that strips the '-s' option before invoking the real pinns. This will prevent pods from updating any kernel parameters, including sensitive ones. Pinns, typically found at /usr/bin/pinns, is the utility CRI-O uses to set kernel parameters.
  • Downgrade to CRI-O version 1.18 or earlier (not recommended in most cases).

Pods

Pods are the smallest deployable units of computing that can be created and managed in Kubernetes. A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.

Compliance Frameworks

  • Container Admission Control
  • Container Admission Control 1.0