[RFE] disable user namespace flag

[TheKangaroo]

Current situation

With CVE-2022-1966 we see another vulnerability which can be mitigated by disabling user namespaces at all, e.g. with the
kernel.unprivileged_userns_clone=0 flag implemented in some linux distributions.
As long as kubernetes/enhancements#127 is still open it would be great to disable user namespaces on kubernetes worker completely to reduce attack surface.

Impact

Reduce attack surface on systems where user namespaces are not in use.

Ideal future situation

We could disable user namespaces like in other distributions.

Implementation options

Additional information

[jepio]

The unprivileged_userns_clone sysctl is an out-of-tree kernel patch. Are you suggesting that Flatcar carry that patch?

[jepio]

The upstream supported way of achieving this is:

# echo 0 > /proc/sys/user/max_user_namespaces

This is stronger than unprivileged_userns_clone because it disables the feature altogether.

[TheKangaroo]

Oh I wasn't aware of user.max_user_namespaces, I think this will do the job for me.
Just to make sure I understand correctly:
unprivileged_userns_clone = 0 prevents non root users to spawn new (unprivileged) user namespaces
and
max_user_namespaces = 0 disables user namespaces altogether,
right?

[jepio]

That is correct.

[TheKangaroo]

Perfect, thank you for pointing this out.

I'll close the issue.