A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet. References: https://groups.google.com/g/kubernetes-security-announce/c/QHmx0HOQa10 https://github.com/kubernetes/kubernetes/issues/118690
Created kubernetes tracking bugs for this issue: Affects: fedora-all [bug 2215556]
FEDORA-2023-c7f63322b5 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:6156 https://access.redhat.com/errata/RHSA-2023:6156