Simple webhook to block exploitation of CVE-2022-0811

webhook-cve-2022-0811

This is a deliberately simple validating admission webhook: it rejects Pod creation when a sysctl in the pod's securityContext carries a value crafted for CVE-2022-0811 (cr8escape), where a `+` inside the value is used to smuggle a second kernel parameter such as kernel.core_pattern past CRI-O's sysctl handling and onto the node. It only covers Pods admitted through the API server, so it is a stop-gap alongside patching CRI-O, not a replacement for the fix.

Build

go test
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build

Build the image and deploy it in Minikube

Start minikube:

minikube start
minikube addons enable registry

Build:

podman build -t localhost:5000/webhook-cve-2022-0811:latest .
podman push --tls-verify=false localhost:5000/webhook-cve-2022-0811:latest "$(minikube ip):5000/webhook-cve-2022-0811:latest"

Deploy:

cd kustomize/
kustomize build | kubectl apply -f -

Test

Create the following pod. The webhook should reject it: the sysctl value contains a `+`, which a vulnerable CRI-O would split into a second parameter (kernel.core_pattern), so kubectl must fail the request with the webhook's denial message instead of creating the pod.

apiVersion: v1
kind: Pod
metadata:
  name: sysctl-set
  namespace: default
spec:
  securityContext:
    sysctls:
    - name: kernel.shm_rmid_forced
      value: "1+kernel.core_pattern"
  containers:
  - name: test
    image: k8s.gcr.io/pause:3.2
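The following is an added, stand-alone Go example of the check described above, not the project's own code: it parses the sysctl entries of a Pod, rejects any entry whose name or value contains the `+` separator abused by CVE-2022-0811 (plus malformed names and values with whitespace), and wraps the verdict in the admission.k8s.io/v1 AdmissionReview response a validating webhook returns. The Pod structs are a minimal stand-in for core/v1 so the example needs only the standard library; the two embedded pod documents are constructed samples, the first being the test pod above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Minimal view of the Pod fields the check needs. It mirrors the shape of a
// core/v1 Pod (sysctls live only in the pod-level securityContext) without
// pulling in k8s.io/api. Assumed stand-in, not the project's types.
type sysctl struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

type pod struct {
	Spec struct {
		SecurityContext struct {
			Sysctls []sysctl `json:"sysctls"`
		} `json:"securityContext"`
	} `json:"spec"`
}

// Kernel parameter names are dotted (kernel.shm_rmid_forced) or slash
// separated (net/ipv4/ip_forward); anything else is not a real sysctl.
var sysctlNameRE = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9_./-]*$`)

// validateSysctls inspects pod JSON and returns (false, reason) for the first
// sysctl entry that could smuggle a second kernel parameter through the
// container runtime, as in CVE-2022-0811 (a '+' in name or value), or that is
// not a single well-formed name/value pair at all.
func validateSysctls(podJSON []byte) (bool, string) {
	var p pod
	if err := json.Unmarshal(podJSON, &p); err != nil {
		return false, "cannot parse pod: " + err.Error()
	}
	for _, s := range p.Spec.SecurityContext.Sysctls {
		if strings.Contains(s.Name, "+") || strings.Contains(s.Value, "+") {
			return false, fmt.Sprintf("sysctl %q: '+' is not allowed (CVE-2022-0811)", s.Name)
		}
		if !sysctlNameRE.MatchString(s.Name) {
			return false, fmt.Sprintf("sysctl %q is not a valid kernel parameter name", s.Name)
		}
		if strings.ContainsAny(s.Value, " \t\r\n") {
			return false, fmt.Sprintf("sysctl %q: value contains whitespace", s.Name)
		}
	}
	return true, ""
}

// reviewResponse builds the admission.k8s.io/v1 AdmissionReview response a
// validating webhook returns for the request with the given uid.
func reviewResponse(uid string, allowed bool, reason string) []byte {
	response := map[string]interface{}{
		"uid":     uid,
		"allowed": allowed,
	}
	if !allowed {
		response["status"] = map[string]interface{}{"code": 403, "message": reason}
	}
	out, _ := json.Marshal(map[string]interface{}{
		"apiVersion": "admission.k8s.io/v1",
		"kind":       "AdmissionReview",
		"response":   response,
	})
	return out
}

// Constructed samples: the test pod from this README, and a benign variant.
const maliciousPod = `{"apiVersion":"v1","kind":"Pod","metadata":{"name":"sysctl-set"},
 "spec":{"securityContext":{"sysctls":[{"name":"kernel.shm_rmid_forced","value":"1+kernel.core_pattern"}]},
 "containers":[{"name":"test","image":"k8s.gcr.io/pause:3.2"}]}}`

const benignPod = `{"apiVersion":"v1","kind":"Pod","metadata":{"name":"sysctl-ok"},
 "spec":{"securityContext":{"sysctls":[{"name":"kernel.shm_rmid_forced","value":"1"}]},
 "containers":[{"name":"test","image":"k8s.gcr.io/pause:3.2"}]}}`

func main() {
	for _, p := range []string{maliciousPod, benignPod} {
		ok, reason := validateSysctls([]byte(p))
		fmt.Println(string(reviewResponse("example-uid", ok, reason)))
	}
}
```

In a real webhook the pod JSON comes from `request.object` of the incoming AdmissionReview, and the response must echo that request's `uid`; everything else about the verdict is the two functions above.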