cri-o: pod with access to 'hostIPC' and 'hostNetwork' kernel namespace allows sysctl from the list of safe sysctls to be applied to the host

An incorrect sysctls validation vulnerability was found in CRI-O. The sysctls from the list of "safe" sysctls specified for the cluster 0 will be applied to the host if an attacker can create a pod with a hostIPC and hostNetwork kernel namespace...

CRI-O 安全漏洞

cri-o is a lightweight container runtime environment for the Kubernetes system. CRI-O suffers from a security vulnerability that can be exploited by an attacker to be able to create a pod with the hostIPC and hostNetwork kernel namespaces...