It was found that volume security can be sidestepped with innocent emptyDir and subpath. A pod could give full control over node host by gaining access to docker socket.
Created kubernetes tracking bugs for this issue: Affects: fedora-all [bug 1554420]
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.3 Red Hat OpenShift Container Platform 3.4 Red Hat OpenShift Container Platform 3.5 Red Hat OpenShift Container Platform 3.6 Red Hat OpenShift Container Platform 3.7 Via RHSA-2018:0475 https://access.redhat.com/errata/RHSA-2018:0475
This flaw allows a pod to mount any part of the host filesystem. The pod will run with the security contraints placed on the user but could read anything with o=rx mode and appropriate SELinux label.
External References: https://github.com/kubernetes/kubernetes/issues/60813
Created origin tracking bugs for this issue: Affects: fedora-all [bug 1554569]
Statement: This flaw allows a pod to mount any part of the host filesystem. The pod will run with the security contraints placed on the user but could read anything with o=rx mode and appropriate SELinux label.
Kubernetes has been deprecated from Red Hat Enterprise Linux Extras channel. See https://access.redhat.com/errata/RHSA-2018:1072 for details.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2017-1002101