This KB is intended to provide guidance about mitigation security controls and workarounds for CVE-2021-30465.
CVE-2021-30465 allows a user who can run a container to escape the pod and obtain read-write access to the underlying node's filesystem. The impact is significant: other sensitive data stored on the node's filesystem can be compromised. More information can be found in the GitHub security advisory for this CVE.
By default, TKGI enables AppArmor in "enforcement mode". The container runtime and pod rulesets enforce mandatory access control, so that even if a pod escape occurs, the user can only reach the resources that the AppArmor profile allows.
The following workaround reduces the risk and limits the attack surface by restricting the pod's exposure to node resources such as the filesystem.
We recommend that users configure the PodSecurityPolicy (PSP) "pks-restricted", which restricts privileged access for pod containers. The "pks-restricted" policy has allowPrivilegeEscalation disabled and forces containers to run as non-root users.
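For readers who want to see what a policy with those properties looks like, here is an illustrative PodSecurityPolicy with allowPrivilegeEscalation disabled, non-root enforcement, and no hostPath volumes, together with the ClusterRole that grants the `use` verb on it. This is an added example, not the "pks-restricted" object that TKGI ships; the resource names and the `app-namespace` namespace are hypothetical.

```yaml
# Illustrative PodSecurityPolicy with the properties the KB attributes to
# "pks-restricted". Added example; not the policy object TKGI ships.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-example            # hypothetical name
spec:
  privileged: false
  allowPrivilegeEscalation: false     # the property the KB calls out
  requiredDropCapabilities: ["ALL"]
  runAsUser:
    rule: MustRunAsNonRoot            # rejects pods that would run as UID 0
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  hostNetwork: false
  hostPID: false
  hostIPC: false
  volumes:                            # hostPath deliberately omitted
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
---
# ClusterRole granting "use" on the policy; bind it to the service accounts of
# the namespaces it should govern (hypothetical name).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:restricted-example
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["restricted-example"]
    verbs: ["use"]
```

The policy is only enforced when the PodSecurityPolicy admission plugin is enabled and the ClusterRole above is bound (for example with a RoleBinding to `system:serviceaccounts:app-namespace`) to the accounts that create pods. PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, where the equivalent control is Pod Security Admission at the `restricted` level.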