A security issue was discovered in kubelet before version 1.22.2 where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem.
A security issue was discovered in kubelet before version 1.22.2 where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem.
https://github.com/kubernetes/kubernetes/issues/104980
Workaround ========== To mitigate this vulnerability without upgrading kubelet, you can disable the VolumeSubpath feature gate on kubelet and kube-apiserver, and remove any existing Pods making use of the feature. You can also use admission control to prevent less-trusted users from running containers as root to reduce the impact of successful exploitation.