## https://sploitus.com/exploit?id=E6AD5FBA-52AD-5619-9A8A-BAA4FAF35BEB
# webhook-cve-2022-0811

This is a really simple validating admission webhook that just rejects pod creation
if malicious sysctl values (the kind used for CVE-2022-0811) are configured.

## Build

```bash
go test
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build
```

## Build image and deploy in Minikube

Start minikube:

```bash
minikube start
minikube addons enable registry
```

Build:

```bash
# The image is tagged localhost:5000/... (the name the cluster pulls from the
# registry addon) and pushed from the host to the registry at the Minikube IP.
podman build -t localhost:5000/webhook-cve-2022-0811:latest .
podman push --tls-verify=false localhost:5000/webhook-cve-2022-0811:latest "$(minikube ip):5000/webhook-cve-2022-0811:latest"
```

Deploy:

```bash
cd kustomize/
kustomize build | kubectl apply -f -
```

## Test

Create the following pod; the webhook should reject it because of the `+` in the sysctl value:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: sysctl-set
  namespace: default
spec:
  securityContext:
    sysctls:
    - name: kernel.shm_rmid_forced
      value: "1+kernel.core_pattern"
  containers:
  - name: test
    image: k8s.gcr.io/pause:3.2
```
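The following is an added example of the check such a webhook performs, written for this page and not the project's own code. It decodes an `AdmissionReview` from the API server, walks `spec.securityContext.sysctls` of the embedded pod, and denies the request when a name or value contains anything outside a conservative character set (in particular `+` and `=`, which the test pod above relies on). The `Pod`/`AdmissionReview` structs are hand-written stdlib-only slices of the real types, the regular expressions are the example's own policy rather than anything Kubernetes or CRI-O defines, and the `/validate` path and `/tls/` certificate paths are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"regexp"
)

// Minimal, hand-written slices of the Kubernetes Pod and AdmissionReview types
// (assumed shapes; a real webhook would import k8s.io/api and k8s.io/api/admission).
type sysctl struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

type pod struct {
	Spec struct {
		SecurityContext struct {
			Sysctls []sysctl `json:"sysctls"`
		} `json:"securityContext"`
	} `json:"spec"`
}

type status struct {
	Message string `json:"message"`
}

type admissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *status `json:"status,omitempty"`
}

type admissionReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Request    *struct {
		UID    string          `json:"uid"`
		Object json.RawMessage `json:"object"`
	} `json:"request,omitempty"`
	Response *admissionResponse `json:"response,omitempty"`
}

// Example policy (not from the project): a sysctl name is a dotted or
// slash-separated identifier; a value is a short list of plain tokens.
// "+", "=", newlines and quotes are therefore refused outright.
var (
	sysctlNameRE  = regexp.MustCompile(`^[a-z0-9_]+([./][a-z0-9_-]+)*$`)
	sysctlValueRE = regexp.MustCompile(`^[A-Za-z0-9_.:/ \t-]{1,64}$`)
)

func checkSysctl(s sysctl) error {
	if !sysctlNameRE.MatchString(s.Name) {
		return fmt.Errorf("sysctl name %q has an unexpected format", s.Name)
	}
	if !sysctlValueRE.MatchString(s.Value) {
		return fmt.Errorf("sysctl %s has a disallowed value %q", s.Name, s.Value)
	}
	return nil
}

// ValidatePod returns nil only when the pod decodes and every sysctl passes
// checkSysctl; an undecodable object is treated as a failure (fail closed).
func ValidatePod(raw []byte) error {
	var p pod
	if err := json.Unmarshal(raw, &p); err != nil {
		return fmt.Errorf("decoding pod: %w", err)
	}
	for _, s := range p.Spec.SecurityContext.Sysctls {
		if err := checkSysctl(s); err != nil {
			return err
		}
	}
	return nil
}

// Review turns an incoming AdmissionReview into the AdmissionReview reply the
// API server expects, echoing the request UID and carrying the verdict.
func Review(body []byte) ([]byte, error) {
	var ar admissionReview
	if err := json.Unmarshal(body, &ar); err != nil || ar.Request == nil {
		return nil, fmt.Errorf("malformed AdmissionReview")
	}
	resp := &admissionResponse{UID: ar.Request.UID, Allowed: true}
	if err := ValidatePod(ar.Request.Object); err != nil {
		resp.Allowed = false
		resp.Status = &status{Message: err.Error()}
	}
	return json.Marshal(admissionReview{APIVersion: ar.APIVersion, Kind: ar.Kind, Response: resp})
}

func handleValidate(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err == nil {
		var out []byte
		if out, err = Review(body); err == nil {
			w.Header().Set("Content-Type", "application/json")
			w.Write(out)
			return
		}
	}
	http.Error(w, err.Error(), http.StatusBadRequest)
}

func main() {
	http.HandleFunc("/validate", handleValidate) // path is a placeholder
	// The API server only calls webhooks over HTTPS; cert paths are placeholders.
	log.Fatal(http.ListenAndServeTLS(":8443", "/tls/tls.crt", "/tls/tls.key", nil))
}
```

Denying on any decode error matters as much as the regular expressions: a validating webhook that answers `allowed: true` for an object it could not parse is trivially bypassed, so the failure path and the `failurePolicy` of the `ValidatingWebhookConfiguration` should both err on the side of rejection.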