Hallo zusammen,
sofern nicht selber schon gesehen/-lesen hier [0] FYI
"OOMyPod: Nothin’ To CRI-O-bout"
--> "... Three issues in CRI-O (the default Kubernetes’ container engine for Red Hat’s OpenShift and openSUSE’s Kubic), combined with an overzealous out-of-memory (OOM) killer in recent Linux kernels, can enable a partial container escape for hosts running CRI-O and Kubernetes ... There’s no need to panic, though. It’s good to note that there isn’t a generic complete container escape or node takeover path using these bugs"
--> Patch? "Yes, as of CRI-O version 1.16.1"
VG
Bernd
[0] https://capsule8.com/blog/oomypod-nothin-to-cri-o-bout/
rwth-security@lists.rwth-aachen.de