Prevent cr8escape (CVE-2022-0811)
The "cr8escape" vulnerability (CVE-2022-0811) in CRI-O, a container runtime used by Kubernetes, lets an attacker who can create pods with sysctl settings escape the container and gain root on the node. The recommended mitigation is to reject any pod whose sysctl values contain a '+' or '=' character, which is what this policy enforces. Because Kyverno auto-generates matching rules for pod controllers (Deployments, DaemonSets, and so on) from a Pod policy, the check also covers pod templates. Treat the policy as a compensating control alongside upgrading CRI-O to a fixed release, not as a replacement for the patch.
Policy Definition
/other/prevent-cr8escape/prevent-cr8escape.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: prevent-cr8escape
  annotations:
    policies.kyverno.io/title: Prevent cr8escape (CVE-2022-0811)
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: high
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      A vulnerability "cr8escape" (CVE-2022-0811) in CRI-O the container runtime engine
      underpinning Kubernetes allows attackers to escape from a Kubernetes container
      and gain root access to the host. The recommended remediation is to disallow
      sysctl settings with + or = in their value.
spec:
  validationFailureAction: enforce
  background: true
  rules:
  - name: restrict-sysctls-cr8escape
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "characters '+' or '=' are not allowed in sysctls values"
      pattern:
        spec:
          # =( ) anchors make securityContext and sysctls optional: pods that
          # set no sysctls pass, but every value that is present must match
          # both !*+* (no '+') and !*=* (no '='), joined with the & operator.
          =(securityContext):
            =(sysctls):
            - =(value): "!*+* & !*=*"
```
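To make the rule's behaviour concrete, the following is an added example written for this page, not code from the Kyverno policy library or the Kyverno project. It re-implements the same check in Python so it can be exercised offline against constructed manifests: the '=( )' anchors become "missing keys are fine", and the '!*+* & !*=*' pattern becomes "a present value may contain neither character". The POD_SPEC_PATHS table that extends the check from Pods to pod-controller templates is an assumption made for this example; it approximates Kyverno's auto-generated rules for the built-in controllers. All manifests in the block are constructed for illustration.

```python
# Added example (editor's code, not Kyverno's): an offline re-implementation
# of the prevent-cr8escape rule for reasoning about what it accepts and rejects.

FORBIDDEN_CHARS = ("+", "=")

# Assumption for this example: where the pod spec lives for each kind. Kyverno
# auto-generates rules for pod controllers from a Pod policy; this table mimics
# that for the common built-in controllers.
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def pod_spec(resource: dict) -> dict:
    """Return the pod spec of a Pod or pod controller, or {} for other kinds."""
    path = POD_SPEC_PATHS.get(resource.get("kind"))
    if path is None:
        return {}
    node = resource
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return {}
    return node if isinstance(node, dict) else {}


def sysctl_violations(resource: dict) -> list:
    """List (name, value) sysctl entries whose value contains '+' or '='.

    Mirrors the policy pattern: =(securityContext) and =(sysctls) are optional
    anchors, so their absence is not a violation; each entry that is present
    must satisfy both !*+* and !*=*.
    """
    sysctls = (pod_spec(resource).get("securityContext") or {}).get("sysctls") or []
    return [
        (entry.get("name"), entry.get("value"))
        for entry in sysctls
        if any(ch in str(entry.get("value", "")) for ch in FORBIDDEN_CHARS)
    ]


def validate(resource: dict) -> tuple:
    """Return (allowed, message) the way an enforcing admission check would."""
    violations = sysctl_violations(resource)
    if not violations:
        return True, ""
    detail = "; ".join(f"{name}: {value!r}" for name, value in violations)
    return False, f"characters '+' or '=' are not allowed in sysctls values ({detail})"


# Constructed sample manifests for illustration.
SAFE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "safe"},
    "spec": {
        "securityContext": {"sysctls": [
            {"name": "net.ipv4.ip_unprivileged_port_start", "value": "1024"}]},
        "containers": [{"name": "app", "image": "nginx"}],
    },
}

NO_SYSCTL_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "plain"},
    "spec": {"containers": [{"name": "app", "image": "nginx"}]},
}

BLOCKED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "blocked"},
    "spec": {
        "securityContext": {"sysctls": [
            # a '+' alone trips the rule ...
            {"name": "kernel.shm_rmid_forced", "value": "1+1"},
            # ... and so does an '='; values are placeholders, not a payload.
            {"name": "net.ipv4.ip_unprivileged_port_start", "value": "1024=1"},
        ]},
        "containers": [{"name": "app", "image": "nginx"}],
    },
}

# Same offending pod spec wrapped in a Deployment template.
BLOCKED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "blocked-deploy"},
    "spec": {"template": {"spec": BLOCKED_POD["spec"]}},
}

if __name__ == "__main__":
    for resource in (SAFE_POD, NO_SYSCTL_POD, BLOCKED_POD, BLOCKED_DEPLOYMENT):
        allowed, message = validate(resource)
        verdict = "ALLOW" if allowed else f"DENY: {message}"
        print(resource["kind"], resource["metadata"]["name"], verdict)
```

Running the block prints ALLOW for the first two manifests and DENY with both offending entries for the last two; a sysctl-free pod passes because the anchored keys are optional, which is the behaviour that keeps this policy from breaking workloads that never touch sysctls.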