The kubelet sets up a file called etc-hosts for each pod, which is mounted in the containers as /etc/hosts. The file isn't counted against memory limits (as a tmpfs file would be) or ephemeral storage usage limits. The container can fill up the node disk on the node which it was scheduled.
Mitigation: On OpenShift Container Platform (OCP) 3.11 and 4.x it's possible to set the allowPrivilegeEscalation Security Context Constraint to 'false' to prevent this. Note that this is set to 'true' by default, and setting it to 'false' will cause certain binaries which require setuid to stop working. On OCP 3.11, for example, the 'ping' command will no longer work [1]. On OCP 4.x and later the 'ping' command will work with allowPrivilegeEscalation set to 'false', but other setuid binaries will not work. [1] https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html
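As an added example (not part of this Red Hat record or of OpenShift itself), a small Python audit that reads the JSON produced by `oc get scc -o json` and `oc get pods -A -o json` and flags SCCs and containers that still leave allowPrivilegeEscalation at its default of true; the embedded objects are constructed samples so it runs offline, and treating an absent field as true follows the default noted above.

```python
import json

# Constructed sample of `oc get scc -o json`: one SCC left at the noted
# default (allowPrivilegeEscalation true), one hardened, one with the field absent.
SAMPLE_SCC_LIST = json.loads("""
{"items": [
  {"metadata": {"name": "restricted"}, "allowPrivilegeEscalation": true},
  {"metadata": {"name": "hardened"},   "allowPrivilegeEscalation": false},
  {"metadata": {"name": "legacy"}}
]}""")

# Constructed sample of `oc get pods -A -o json`.
SAMPLE_POD_LIST = json.loads("""
{"items": [
  {"metadata": {"name": "web", "namespace": "demo"},
   "spec": {"containers": [
     {"name": "app", "image": "example/app:1"},
     {"name": "sidecar", "image": "example/side:1",
      "securityContext": {"allowPrivilegeEscalation": false}}]}}
]}""")


def scc_allows_escalation(scc: dict) -> bool:
    """True unless the SCC explicitly sets allowPrivilegeEscalation: false.
    An absent field is treated as true, the default this record notes."""
    return scc.get("allowPrivilegeEscalation", True) is not False


def permissive_sccs(scc_list: dict) -> list:
    """Names of SCCs that still permit privilege escalation (and thus setuid)."""
    return sorted(s["metadata"]["name"] for s in scc_list["items"]
                  if scc_allows_escalation(s))


def escalating_containers(pod: dict) -> list:
    """Containers (including init containers) whose own securityContext
    does not set allowPrivilegeEscalation: false."""
    spec = pod["spec"]
    return [c["name"] for c in spec.get("containers", []) + spec.get("initContainers", [])
            if c.get("securityContext", {}).get("allowPrivilegeEscalation", True) is not False]


def audit(scc_list: dict, pod_list: dict) -> dict:
    """Return {"sccs": [...], "pods": {"ns/name": [containers...]}} for findings only."""
    pods = {}
    for pod in pod_list["items"]:
        names = escalating_containers(pod)
        if names:
            pods[f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}'] = names
    return {"sccs": permissive_sccs(scc_list), "pods": pods}
```

Run `audit(...)` on the real cluster output instead of the samples to get the list of SCCs and containers that have not yet applied the mitigation.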
Upstream patch: https://github.com/kubernetes/kubernetes/pull/92916
Upstream issue: https://github.com/kubernetes/kubernetes/issues/93032
Acknowledgments: Name: the Kubernetes Product Security Committee Upstream: Kebe Liu (DaoCloud)
External References: https://groups.google.com/g/kubernetes-security-announce/c/cB_JUsYEKyY
Created origin tracking bugs for this issue: Affects: fedora-all [bug 1857459]
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:3519 https://access.redhat.com/errata/RHSA-2020:3519
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:3520 https://access.redhat.com/errata/RHSA-2020:3520
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8557
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:3579 https://access.redhat.com/errata/RHSA-2020:3579
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:3580 https://access.redhat.com/errata/RHSA-2020:3580
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:3808 https://access.redhat.com/errata/RHSA-2020:3808
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:3809 https://access.redhat.com/errata/RHSA-2020:3809
Statement: In OpenShift Container Platform (OCP) there is the LocalStorageCapacityIsolation feature gate, which prevents a denial of service (DoS) attack on the node by writing to the ephemeral storage. This feature is disabled by default in OCP 3.11 and can be enabled as per [1]. Even with the LocalStorageCapacityIsolation feature gate enabled, OCP is affected by this vulnerability; therefore it is recommended to enable the feature gate and also upgrade to an OCP version which has a fix for this vulnerability. [1] https://docs.openshift.com/container-platform/3.11/install_config/configuring_ephemeral.html
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2021:3915 https://access.redhat.com/errata/RHSA-2021:3915