CRI-O CVE-2022-0811 Mitigation
Recently a severe CVE in the CRI-O container engine came to public attention. The flaw in CRI-O allows bad actors to gain root access and run arbitrary code on the host machine.
A fix for the issue is already available and you should update your cluster to avoid any headache in the future. But if you cannot do that right away, use Kubewarden to mitigate the impact of this issue. It's possible to prevent pods that set sysctls from running in the cluster with the sysctl-psp policy available in the Policy Hub.
The policy configuration that blocks every sysctl setting on a pod is detailed below:
```yaml
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: mitigate-crio-cve
spec:
  module: registry://ghcr.io/kubewarden/policies/sysctl-psp:v0.1.7
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations:
        - CREATE
        - UPDATE
  mutating: false
  settings:
    forbiddenSysctls:
      - "*"
```
With this policy in place, pods that define kernel parameters (sysctls) are rejected. It's important to remember that this is not a fix for the issue, but a temporary mitigation. You must update your CRI-O version as soon as possible.
You can test the solution using the pod definition from this Sysdig blogpost:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: sysctl-set
spec:
  securityContext:
    sysctls:
      - name: kernel.shm_rmid_forced
        value: "1+kernel.core_pattern=|/var/lib/containers/storage/overlay/3ef1281bce79865599f673b476957be73f994d17c15109d2b6a426711cf753e6/diff/malicious.sh #"
  containers:
    - name: alpine
      image: alpine:latest
```
With the sysctl-psp policy running, you will not be able to deploy this pod.
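To see what the policy above decides, and why the test pod is a problem even on clusters where you cannot block every sysctl, here is an added example (not Kubewarden's or sysctl-psp's own code) that applies PSP-style `forbiddenSysctls` matching to parsed pod manifests and separately flags the CVE-2022-0811 shape, a second `key=value` smuggled into a sysctl value after a `+`. The pod dicts are constructed for the example and the overlay path is a placeholder.

```python
import fnmatch
import re

# Constructed pod manifests, in the shape yaml.safe_load() would return.
MALICIOUS_POD = {
    "metadata": {"name": "sysctl-set"},
    "spec": {"securityContext": {"sysctls": [
        {"name": "kernel.shm_rmid_forced",
         # Same shape as the test pod above; the overlay path is a placeholder.
         "value": "1+kernel.core_pattern=|/var/lib/containers/storage/overlay/PLACEHOLDER/diff/malicious.sh #"},
    ]}},
}
BENIGN_POD = {
    "metadata": {"name": "shm-tuned"},
    "spec": {"securityContext": {"sysctls": [
        {"name": "kernel.shm_rmid_forced", "value": "1"},
    ]}},
}
PLAIN_POD = {"metadata": {"name": "plain"}, "spec": {}}

# A '+' followed by another "parameter=" inside a single sysctl value.
INJECTION_RE = re.compile(r"\+\s*[A-Za-z0-9_.]+\s*=")


def pod_sysctls(pod):
    """Return the list of {name, value} sysctls declared on a pod (empty if none)."""
    return pod.get("spec", {}).get("securityContext", {}).get("sysctls") or []


def forbidden_match(name, patterns):
    """PSP-style matching: '*' forbids everything, 'kernel.*' a prefix, otherwise exact."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def evaluate(pod, forbidden_sysctls):
    """Return (allowed, reasons) for a pod under the given forbiddenSysctls list.

    forbidden_sysctls=["*"] reproduces the policy above. The injection check runs
    regardless of the pattern list, so it still fires with an empty list.
    """
    reasons = []
    for s in pod_sysctls(pod):
        name, value = s.get("name", ""), str(s.get("value", ""))
        if forbidden_match(name, forbidden_sysctls):
            reasons.append(f"sysctl {name!r} is forbidden by policy")
        if INJECTION_RE.search(value):
            reasons.append(f"sysctl {name!r} value carries a second parameter: {value!r}")
    return (not reasons, reasons)
```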