CRI-O CVE-2022-0811 Mitigation
Recently a severe CVE in the CRI-O container engine came to light. The flaw in CRI-O allows bad actors to gain root access and run arbitrary code on the host machine.
A fix for the issue is already available and you should update your cluster to avoid any headache in the future. But if you cannot do that right away, you can use Kubewarden to mitigate the impact of this issue. It's possible to prevent pods with sysctl configuration from running in the cluster with the sysctl-psp policy available in the Policy Hub.
The policy configuration to block all sysctl-related configuration for a pod is detailed below:
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: mitigate-crio-cve
spec:
  module: registry://ghcr.io/kubewarden/policies/sysctl-psp:v0.1.7
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    operations:
    - CREATE
    - UPDATE
  mutating: false
  settings:
    forbiddenSysctls:
    - "*"
This will not allow pods that have kernel parameters defined to run. It’s important to remember that this is not a fix for the issue, but a temporary mitigation. You must update your CRI-O version as soon as possible.
You can test the solution using the pod definition from this Sysdig blogpost:
apiVersion: v1
kind: Pod
metadata:
  name: sysctl-set
spec:
  securityContext:
    sysctls:
    - name: kernel.shm_rmid_forced
      value: "1+kernel.core_pattern=|/var/lib/containers/storage/overlay/3ef1281bce79865599f673b476957be73f994d17c15109d2b6a426711cf753e6/diff/malicious.sh #"
  containers:
  - name: alpine
    image: alpine:latest
Once the sysctl-psp policy is running, you will not be able to deploy the pod.
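To see what the policy above decides before installing it, here is an added example (not Kubewarden's or the sysctl-psp policy's own code) that dry-runs a forbiddenSysctls setting against a pod manifest; it also covers prefix patterns such as "kernel.*", which go beyond the "*" used in this post. The pattern semantics are an assumption approximating the real policy, and the pods are constructed to mirror the manifests above.

```python
# Added example, not Kubewarden's own code: a small dry-run evaluator that
# applies a sysctl-psp style "forbiddenSysctls" setting to a Pod manifest,
# so the effect of the ClusterAdmissionPolicy above can be checked offline.
# Assumption: pattern semantics approximate the real policy ("*" matches every
# sysctl, "kernel.*" is a prefix match, anything else is an exact name).

def sysctl_matches(pattern: str, name: str) -> bool:
    """Return True when a forbiddenSysctls pattern covers the sysctl name."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return name == pattern


def evaluate_pod(pod: dict, settings: dict) -> tuple[bool, list[str]]:
    """Admission decision as (accepted, reasons); reasons is empty on accept."""
    forbidden = settings.get("forbiddenSysctls", [])
    sysctls = (pod.get("spec", {}).get("securityContext") or {}).get("sysctls") or []
    reasons = []
    for entry in sysctls:
        name = entry.get("name", "")
        hit = [p for p in forbidden if sysctl_matches(p, name)]
        if hit:
            # The decision is made on the sysctl name alone; the value is
            # never inspected, which is why the test pod above is rejected.
            reasons.append(f"sysctl {name!r} is forbidden by pattern(s) {hit}")
    return (not reasons, reasons)


# Settings from the policy in this post: forbid every sysctl.
BLOCK_ALL = {"forbiddenSysctls": ["*"]}

# Constructed pod mirroring the test manifest above (value shortened here).
SYSCTL_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "sysctl-set"},
    "spec": {
        "securityContext": {"sysctls": [
            {"name": "kernel.shm_rmid_forced", "value": "1+kernel.core_pattern=..."}]},
        "containers": [{"name": "alpine", "image": "alpine:latest"}],
    },
}

# Constructed pod without any sysctls: unaffected by the policy.
PLAIN_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "plain"},
             "spec": {"containers": [{"name": "alpine", "image": "alpine:latest"}]}}

if __name__ == "__main__":
    for pod in (SYSCTL_POD, PLAIN_POD):
        ok, why = evaluate_pod(pod, BLOCK_ALL)
        print(pod["metadata"]["name"], "accepted" if ok else "rejected", why)
```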