The containerd community disclosed the GHSA-36xw-fx78-c5r4 vulnerability. The Common Vulnerabilities and Exposures (CVE) identifier of the vulnerability is CVE-2020-15257. If a container shares the host's network namespace and its processes run as UID 0, an attacker inside the container can reach the containerd-shim API, control containerd-shim processes on the host, and escalate privileges. This topic describes the impact, causes, and preventive measures of the vulnerability.
To list all pods in the cluster that use host networking, run the following command (the `select` filter must be applied to each element of `.items[]`):

```shell
kubectl get pods -A -o json | jq -c '.items[] | select(.spec.hostNetwork==true) | [.metadata.namespace, .metadata.name]'
```
- containerd is the container runtime of Kubernetes clusters and manages the underlying runC containers. containerd runs as a daemon and exposes gRPC service interfaces through local UNIX sockets, through which it manages the container lifecycle.
- containerd-shim is a component of containerd. It decouples the containerd daemon from the container processes. containerd calls runC interfaces through containerd-shim to manage containers.
- Enable the Pod Security Policy (PSP) feature. You can set the hostNetwork parameter in a PSP to prevent pods in a specified namespace from using host networking. ACK allows you to configure PSPs in the ACK console. For more information, see Use a PSP.
- Install the gatekeeper component. For more information about the component, see Introduction. For more information about how to install the component, see Example of open policy agent.
```yaml
hostNetwork: true  # Your containers must use host networking due to business requirements.
containers:
- name: foo
  securityContext:
    runAsUser: 12345
    allowPrivilegeEscalation: false
```
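The kubectl command above only finds pods that use host networking; the vulnerability also requires the container to run as UID 0. The following audit script is an added example, not part of the original page or of ACK: it reads the JSON that `kubectl get pods -A -o json` produces (a constructed sample is embedded) and reports only the containers that meet both preconditions, resolving `runAsUser` and `runAsNonRoot` from the container and pod security contexts. An unset UID is treated as root, since that is the default of most images; this is a conservative assumption.

```python
import json

# Constructed sample shaped like `kubectl get pods -A -o json` output (not real cluster data).
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "kube-system", "name": "node-agent"},
     "spec": {"hostNetwork": True,
              "containers": [{"name": "agent"}]}},               # UID unset: defaults to root
    {"metadata": {"namespace": "default", "name": "foo"},
     "spec": {"hostNetwork": True,
              "securityContext": {"runAsUser": 12345},
              "containers": [{"name": "foo"}]}},                 # pod-level non-root UID
    {"metadata": {"namespace": "default", "name": "mixed"},
     "spec": {"hostNetwork": True,
              "securityContext": {"runAsNonRoot": True},
              "containers": [{"name": "a"},
                             {"name": "b", "securityContext": {"runAsUser": 0}}]}},  # b overrides to root
    {"metadata": {"namespace": "default", "name": "web"},
     "spec": {"hostNetwork": False,
              "containers": [{"name": "nginx"}]}},               # not on the host network
]})


def runs_as_root(pod_spec, container):
    """True if the container will run as UID 0. Container securityContext overrides the pod's.
    Assumption: an unset runAsUser (without runAsNonRoot) means the image default, treated as root."""
    cs = container.get("securityContext") or {}
    ps = pod_spec.get("securityContext") or {}
    for ctx in (cs, ps):
        if "runAsUser" in ctx:
            return ctx["runAsUser"] == 0
    # runAsNonRoot makes the kubelet refuse to start a root container, so it counts as non-root.
    return not (cs.get("runAsNonRoot") or ps.get("runAsNonRoot"))


def exposed_containers(pods_json):
    """Return (namespace, pod, container) for containers matching both CVE-2020-15257
    preconditions: the pod uses hostNetwork and the container runs as UID 0."""
    findings = []
    for pod in json.loads(pods_json)["items"]:
        spec = pod["spec"]
        if not spec.get("hostNetwork", False):
            continue
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            if runs_as_root(spec, c):
                meta = pod["metadata"]
                findings.append((meta["namespace"], meta["name"], c["name"]))
    return findings


if __name__ == "__main__":
    for ns, pod, name in exposed_containers(SAMPLE_PODS_JSON):
        print(f"{ns}/{pod} container {name}: hostNetwork and UID 0")
```

To audit a real cluster, replace `SAMPLE_PODS_JSON` with the output of `kubectl get pods -A -o json`.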