During an upgrade of an existing OpenShift Container Platform 3.x cluster that is using CRI-O, the dockergc service account is assigned to the current namespace of the user performing the upgrade. This would allow an unprivileged user to escalate their privileges to those allowed by the privileged Security Context Constraints.
Upstream fix for OKD 3.11: https://github.com/openshift/openshift-ansible/pull/11860
Statement: If an upgrade was run with the openshift_crio_enable_docker_gc Ansible variable set to 'False', the cluster won't be affected. The default for the variable was set to 'True' before openshift-ansible-3.11.0-0.28.0, and after 3.10.x. See https://github.com/openshift/openshift-ansible/commit/bf5fbea4138f27313c5e4dcd683821975db8e443
Mitigation: Make sure your kubeconfig (~/.kube/config) is using the 'default' context when executing or re-executing a cluster upgrade or install using the Ansible playbooks.
This vulnerable code no longer exists in the 4.x branches, see: https://github.com/openshift/openshift-ansible/tree/release-4.1
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11, via RHSA-2019:2818: https://access.redhat.com/errata/RHSA-2019:2818
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14819
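To check whether a past upgrade left a dockergc service account with the privileged SCC in an unintended namespace, the following added example (not part of the original report or of openshift-ansible) audits the `users` list in the output of `oc get scc privileged -o json`. It assumes the intended namespace is `default`, following the mitigation above; the sample JSON and the `alice-dev` namespace are constructed.

```python
import json

SA_PREFIX = "system:serviceaccount:"

# Constructed sample of `oc get scc privileged -o json` output, trimmed to the
# fields used here. Namespaces and accounts are made up for illustration.
SAMPLE_SCC = """
{
  "kind": "SecurityContextConstraints",
  "metadata": {"name": "privileged"},
  "users": [
    "system:admin",
    "system:serviceaccount:openshift-infra:build-controller",
    "system:serviceaccount:default:dockergc",
    "system:serviceaccount:alice-dev:dockergc"
  ]
}
"""

def parse_sa(user):
    """Return (namespace, name) for a service-account subject, else None."""
    if not user.startswith(SA_PREFIX):
        return None
    parts = user[len(SA_PREFIX):].split(":")
    if len(parts) != 2 or not all(parts):
        return None
    return parts[0], parts[1]

def misplaced_dockergc(scc_json, expected_ns="default"):
    """List namespaces, other than expected_ns, whose dockergc SA is in the SCC.

    expected_ns="default" is an assumption taken from the mitigation text.
    """
    scc = json.loads(scc_json)
    found = set()
    for user in scc.get("users") or []:  # "users" may be null or absent
        parsed = parse_sa(user)
        if parsed and parsed[1] == "dockergc" and parsed[0] != expected_ns:
            found.add(parsed[0])
    return sorted(found)

if __name__ == "__main__":
    import sys
    # Pipe real `oc` output in on stdin, or run interactively to use the sample.
    text = SAMPLE_SCC if sys.stdin.isatty() else sys.stdin.read()
    for ns in misplaced_dockergc(text):
        print(f"dockergc in namespace {ns!r} holds the privileged SCC; review: "
              f"oc adm policy remove-scc-from-user privileged -z dockergc -n {ns}")
```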