This repository has been archived by the owner on Feb 23, 2023. It is now read-only.

Simple webhook to block exploitation of CVE-2022-0811

spiarh/webhook-cve-2022-0811

webhook-cve-2022-0811

This is a really simple validating webhook that blocks pod creation when a sysctl in the pod's securityContext carries a value crafted for CVE-2022-0811, i.e. a value that smuggles a second sysctl name after a "+" (for example "1+kernel.core_pattern", as in the test pod below).

Build

go test
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build

Build image and deploy in Minikube

Start minikube:

minikube start
minikube addons enable registry

Build:

podman build -t localhost:5000/webhook-cve-2022-0811:latest .
podman push --tls-verify=false "$(minikube ip):5000/webhook-cve-2022-0811:latest"

Deploy:

cd kustomize/
kustomize build | kubectl apply -f -

Test

Create the following pod; its sysctl value contains the injected "+kernel.core_pattern", so the webhook should reject it:

apiVersion: v1
kind: Pod
metadata:
  name: sysctl-set
  namespace: default
spec:
  securityContext:
    sysctls:
    - name: kernel.shm_rmid_forced
      value: "1+kernel.core_pattern"
  containers:
  - name: test
    image: k8s.gcr.io/pause:3.2
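As an added example, not the repository's own code, here is how a validating admission webhook can implement the check this README describes and apply it to the test pod above. The Pod and AdmissionReview types are hand-written minimal subsets so the file compiles without k8s.io modules; the rejection rule (deny any sysctl value containing "+"), the /validate path and the listen port are assumptions of this example, not taken from the project.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"strings"
)

// Hand-written subsets of the Kubernetes Pod and AdmissionReview types, so the
// example compiles without k8s.io modules (an assumption of this example; a
// real webhook would use k8s.io/api/core/v1 and k8s.io/api/admission/v1).
type Sysctl struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}
type PodSecurityContext struct {
	Sysctls []Sysctl `json:"sysctls,omitempty"`
}
type PodSpec struct {
	SecurityContext *PodSecurityContext `json:"securityContext,omitempty"`
}
type Pod struct {
	Spec PodSpec `json:"spec"`
}
type AdmissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"`
}
type Status struct {
	Message string `json:"message,omitempty"`
}
type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Result  *Status `json:"result,omitempty"`
}
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

// CheckSysctls rejects the pattern CVE-2022-0811 relies on: a sysctl value
// containing "+", which lets a second sysctl such as kernel.core_pattern ride
// along with a harmless one ("1+kernel.core_pattern" in the README's test pod).
func CheckSysctls(pod *Pod) error {
	if pod.Spec.SecurityContext == nil {
		return nil // no sysctls requested, nothing to check
	}
	for _, s := range pod.Spec.SecurityContext.Sysctls {
		if strings.Contains(s.Value, "+") {
			return fmt.Errorf("sysctl %q: value %q contains '+' (CVE-2022-0811)", s.Name, s.Value)
		}
	}
	return nil
}

// Review decodes the pod from request.object and builds the response.
// Anything that cannot be decoded is denied rather than silently allowed.
func Review(in *AdmissionReview) *AdmissionReview {
	resp := &AdmissionResponse{Allowed: true}
	out := &AdmissionReview{APIVersion: in.APIVersion, Kind: in.Kind, Response: resp}
	if in.Request == nil {
		resp.Allowed, resp.Result = false, &Status{Message: "missing request"}
		return out
	}
	resp.UID = in.Request.UID // the API server matches responses by UID
	var pod Pod
	if err := json.Unmarshal(in.Request.Object, &pod); err != nil {
		resp.Allowed, resp.Result = false, &Status{Message: "cannot decode pod: " + err.Error()}
		return out
	}
	if err := CheckSysctls(&pod); err != nil {
		resp.Allowed, resp.Result = false, &Status{Message: err.Error()}
	}
	return out
}

// ServeValidate is the HTTP handler the API server calls with an AdmissionReview.
func ServeValidate(w http.ResponseWriter, r *http.Request) {
	var in AdmissionReview
	if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
		http.Error(w, "cannot decode AdmissionReview", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(Review(&in))
}

func main() {
	// Path and port are assumptions of this example; a real deployment serves
	// TLS, which the API server requires for admission webhooks.
	http.HandleFunc("/validate", ServeValidate)
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```

Two design points worth keeping even in a "really simple" webhook: decode failures are denied rather than allowed, and the response echoes the request UID, which the API server requires to match the answer to the request. Whether the API server lets a pod through when the webhook itself is unreachable is governed by the failurePolicy of the ValidatingWebhookConfiguration, not by this code.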
