A privilege escalation flaw exists in the openshift-node component of OpenShift Container Platform. An attacker able to trick a user into running a malicious container can read or delete files in the container owned by root.
After discussing it with the engineering team and within prodsec, we decided that this shouldn't be a vulnerability. setuid is needed for some features, including 'ping' from within a pod. Also, there is already an SCC option to disable it in OpenShift and Kubernetes:
On Red Hat Enterprise Linux 7 or 8, when running a container with podman or docker, it is possible to pass the security-opt 'no-new-privileges' (--security-opt no-new-privileges) to prevent this vulnerability.
On OpenShift Container Platform 3.11 and 4.1, it is possible to set allowPrivilegeEscalation to 'false' in the Security Context Constraint to prevent this. Note that this is set to 'true' by default, and setting it to 'false' will cause certain binaries which require setuid, such as 'ping', to stop working. https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html
We can set up ping to work without requiring any additional privileges by modifying CRI-O to automatically allow non-privileged users to create ICMP packets.
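The mitigations above (podman/docker --security-opt no-new-privileges, and allowPrivilegeEscalation: false in an OpenShift SCC or pod securityContext) both come down to the runtime setting one kernel flag on the container's first process: the no_new_privs bit (PR_SET_NO_NEW_PRIVS). The following is an added example, not code from the bug report, Red Hat or the OpenShift project; it shows the behaviour of that bit directly with prctl(2) so the trade-off discussed in the comments is concrete. Once the bit is set, execve() of a setuid/setgid binary or of a file carrying file capabilities no longer raises privileges (this is why 'ping' breaks, whether it is installed setuid-root or with cap_net_raw), every child inherits it, and it cannot be cleared. Linux only; all function names are this example's own.

```c
// Added example (not from the bug report or OpenShift): what the
// no-new-privileges / allowPrivilegeEscalation=false mitigation sets on the
// container process, demonstrated with prctl(2). Linux only.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Current no_new_privs flag for this thread: 0 or 1, or -1 on error. */
int get_no_new_privs(void) {
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Set the bit, as the container runtime does before exec'ing the entrypoint.
 * From here on, execve() will not honour setuid/setgid bits or file
 * capabilities for this process or its descendants. Returns the flag after
 * the call (1 on success, -1 on error). */
int set_no_new_privs(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return -1;
    }
    return get_no_new_privs();
}

/* Fork and report whether the child also sees the bit: shows that a shell,
 * ping, or anything else spawned inside the container inherits it.
 * Returns 1 if inherited, 0 if not, -1 on error. */
int child_sees_no_new_privs(void) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(get_no_new_privs() == 1 ? 0 : 1);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* Try to clear the bit. The kernel only accepts arg2 == 1 and rejects
 * anything else with EINVAL, so the restriction is one-way: a process in a
 * container cannot undo it. Returns 1 only if clearing (wrongly) succeeded. */
int try_clear_no_new_privs(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0)
        return 1;
    return errno == EINVAL ? 0 : -1;
}

int main(void) {
    printf("before set:        no_new_privs=%d\n", get_no_new_privs());
    printf("after set:         no_new_privs=%d\n", set_no_new_privs());
    printf("child inherits:    %d\n", child_sees_no_new_privs());
    printf("clear succeeded:   %d\n", try_clear_no_new_privs());
    return 0;
}
```

Because the bit also disables file capabilities, restricting an image's ping to cap_net_raw instead of setuid does not help once allowPrivilegeEscalation is false. The direction the last comment points at (letting unprivileged users open ICMP echo sockets so ping needs neither) corresponds, on the kernel side, to the net.ipv4.ping_group_range sysctl; how CRI-O would apply it is not described on this page.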