GeistHaus

New Linux Vulnerability CVE-2022-0492 Affecting Cgroups: Can Containers Escape?

unit42.paloaltonetworks.com

CVE-2022-0492 is the third recent kernel vulnerability that allows malicious containers to escape. We offer root cause analysis and mitigations.

3 pages link to this URL
Docker and OCI Hardening

Containers aren’t that new fancy thing anymore, but they were a big deal. And they still are. They are a concrete solution to the following problem:
- Hey, your software doesn’t work…
- Sorry, it works on my computer! Can’t help you.
Whether we like them or not, containers are here to stay. Their expressiveness and semantics allow for an abstraction of the OS dependencies that a piece of software has, the latter often being dynamically linked against certain libraries.

0 inbound links · article · en · posts · tags: Applications, Linux, Containers, Security · CC BY-SA 4.0
Docker and OCI: a humble hardening guide

Containers aren’t that new fancy thing anymore, but they were a big deal. And they still are. They are a concrete solution to the following problem:
- Hey, your software doesn’t work…
- Sorry, it works on my computer! Can’t help you.
Whether we like them or not, containers are here to stay. Their expressiveness and semantics allow for an abstraction of the OS dependencies that a piece of software has, the latter often being dynamically linked against certain libraries.

0 inbound links · article · en · posts · tags: security, container, linux · CC BY-SA 4.0
User Namespaces: Now Supports Running Stateful Pods in Alpha!

Kubernetes v1.25 introduced support for user namespaces for only stateless pods. Kubernetes 1.28 lifted that restriction, after some design changes were done in 1.27. The beauty of this feature is that:
- it is trivial to adopt (you just need to set a bool in the pod spec)
- it doesn't need any changes for most applications
- it improves security by drastically enhancing the isolation of containers and mitigating CVEs rated HIGH and CRITICAL.
This post explains the basics of user namespaces and also shows:

0 inbound links · article · en · blog · CC BY 4.0
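Both the Unit 42 write-up on CVE-2022-0492 and the Kubernetes user-namespaces post above come down to the same three container-side conditions: whether the process holds CAP_SYS_ADMIN (and so can mount cgroupfs and write release_agent directly), whether a seccomp filter is active (Docker's default profile blocks the unshare/mount route), and whether root inside the container is still root on the host (a user namespace remaps it, which is exactly what the Kubernetes feature switches on). The script below is an added example, not code from either linked page or from Palo Alto Networks or the Kubernetes project: a POSIX shell audit that reads those three facts from /proc and gives a verdict. All function names, the verdict wording and the sample /proc contents are my own constructions; the CapEff values used as samples are the Docker default capability set and the --privileged set as commonly observed on 5.x kernels, stated here as assumptions, not as values taken from the linked pages. A patched kernel is the actual fix for CVE-2022-0492; this script checks neither the kernel version nor AppArmor.

```shell
#!/bin/sh
# Added example (not from the Unit 42 post or the Kubernetes blog): audit the
# container-side preconditions tied to the CVE-2022-0492 release_agent escape.
# Each check takes file contents as an argument, so the same functions run
# against live /proc files or against the constructed samples at the bottom.
# Assumption: kernel patch level and AppArmor are out of scope here.

# $1: contents of /proc/<pid>/status.
# Returns 0 when CapEff contains CAP_SYS_ADMIN (capability number 21).
has_cap_sys_admin() {
    mask=$(printf '%s\n' "$1" | awk '/^CapEff:/ { print $2; exit }')
    [ -n "$mask" ] || return 2
    # CapEff is a 64-bit hex mask; bit 21 lives in the low 32 bits (last 8 hex digits).
    low=$(printf '%s' "$mask" | sed 's/.*\(........\)$/\1/')
    [ $(( (0x$low >> 21) & 1 )) -eq 1 ]
}

# $1: contents of /proc/<pid>/status.
# Returns 0 when a seccomp filter is active (Seccomp: 2). Docker's default
# profile blocks unshare(2) and mount(2), which the escape needs.
seccomp_filter_active() {
    mode=$(printf '%s\n' "$1" | awk '/^Seccomp:/ { print $2; exit }')
    [ "$mode" = "2" ]
}

# $1: contents of /proc/<pid>/uid_map.
# Returns 0 when uid 0 inside maps to uid 0 outside over the full range,
# i.e. root in the container is root on the host and no user namespace remaps it.
root_not_remapped() {
    printf '%s\n' "$1" | awk '
        $1 == 0 && $2 == 0 && $3 == 4294967295 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# $1: status contents, $2: uid_map contents.
# Prints one verdict line. Returns 0 (EXPOSED) when root is not remapped and the
# process can either mount cgroupfs directly (CAP_SYS_ADMIN) or reach a fresh
# user+cgroup namespace via unshare because no seccomp filter stops it;
# returns 1 (mitigated) otherwise.
assess() {
    cap=no; sc=no; remap=yes; verdict=mitigated; rc=1
    has_cap_sys_admin "$1" && cap=yes
    seccomp_filter_active "$1" && sc=yes
    root_not_remapped "$2" && remap=no
    if [ "$remap" = no ] && { [ "$cap" = yes ] || [ "$sc" = no ]; }; then
        verdict=EXPOSED; rc=0
    fi
    printf 'CAP_SYS_ADMIN=%s seccomp_filter=%s userns_remap=%s -> %s\n' \
        "$cap" "$sc" "$remap" "$verdict"
    return $rc
}

# Constructed samples (not captured from any real incident). The CapEff values
# are assumed to be the Docker default set and the --privileged set on a 5.x
# kernel; the uid_map values are the identity map and a remapped root.
SAMPLE_STATUS_DEFAULT='Name: sh
Seccomp: 2
CapEff: 00000000a80425fb'
SAMPLE_STATUS_PRIVILEGED='Name: sh
Seccomp: 0
CapEff: 000001ffffffffff'
SAMPLE_STATUS_NO_SECCOMP='Name: sh
Seccomp: 0
CapEff: 00000000a80425fb'
SAMPLE_UIDMAP_IDENTITY='         0          0 4294967295'
SAMPLE_UIDMAP_REMAPPED='         0     100000      65536'

# Run against the live process when /proc is available, then the samples.
if [ -r /proc/self/status ] && [ -r /proc/self/uid_map ]; then
    printf 'live:        '
    assess "$(cat /proc/self/status)" "$(cat /proc/self/uid_map)" || :
fi
printf 'default:     '; assess "$SAMPLE_STATUS_DEFAULT"    "$SAMPLE_UIDMAP_IDENTITY" || :
printf 'privileged:  '; assess "$SAMPLE_STATUS_PRIVILEGED" "$SAMPLE_UIDMAP_IDENTITY" || :
printf 'no-seccomp:  '; assess "$SAMPLE_STATUS_NO_SECCOMP" "$SAMPLE_UIDMAP_IDENTITY" || :
printf 'userns:      '; assess "$SAMPLE_STATUS_PRIVILEGED" "$SAMPLE_UIDMAP_REMAPPED" || :
```

The two sample rows worth reading side by side are "no-seccomp" and "userns": dropping the seccomp profile is enough to expose a container even without CAP_SYS_ADMIN, while a user namespace that remaps root leaves even a --privileged capability set on the mitigated side, which is the point the Kubernetes post makes about HIGH and CRITICAL CVEs. Copy the script into a container and run `sh audit.sh` to see the live line for that workload.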