From 844a22fbd11edb57e7856c1c529e9e92d03da872 Mon Sep 17 00:00:00 2001
From: Mao-hsiang Lien
Date: Thu, 27 Jan 2022 08:34:54 +0100
Subject: [PATCH] OPS-4836 Fix vulnerability CVE-2022-0185

---
templates/instance-groups.yml.j2 | 16 ++++++++++++++++
1 file changed, 16 insertions(+)

diff --git a/templates/instance-groups.yml.j2 b/templates/instance-groups.yml.j2
index 00efbd4..cf908c4 100644
--- a/templates/instance-groups.yml.j2
+++ b/templates/instance-groups.yml.j2
@@ -49,6 +49,14 @@ metadata:
name: {{ worker.name }}
spec:
image: {{ cluster.image | default(kops_default_image) }}
+ additionalUserData:
+ - name: sysctl.sh
+ type: text/x-shellscript
+ content: |
+ #!/bin/sh
+ sysctl -w kernel.unprivileged_userns_clone=0
+ echo "kernel.unprivileged_userns_clone=0" >> \
+ /etc/sysctl.conf
machineType: {{ machine_type }}
maxSize: {{ max_size }}
minSize: {{ min_size }}
@@ -101,6 +109,14 @@ metadata:
name: master-{{ subnet.az }}
spec:
image: {{ cluster.image | default(kops_default_image) }}
+ additionalUserData:
+ - name: sysctl.sh
+ type: text/x-shellscript
+ content: |
+ #!/bin/sh
+ sysctl -w kernel.unprivileged_userns_clone=0
+ echo "kernel.unprivileged_userns_clone=0" >> \
+ /etc/sysctl.conf
machineType: {% if 'master' in cluster and 'instance_type' in cluster.master %}{{ cluster.master.instance_type }}{% else %}{{ kops_default_master_instance_type }}{% endif %}
maxSize: 1
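Review bot: The mitigation in the new `content` script of the worker hunk is silently inert on any image whose kernel lacks `kernel.unprivileged_userns_clone`, which is a Debian/Ubuntu kernel patch rather than an upstream sysctl: `sysctl -w` fails, the script has no `set -e` and cloud-init does not abort the boot, and the `echo` still appends the unknown key to `/etc/sysctl.conf`, so the node comes up unprotected with only a boot-time warning to show for it. Because `image` on the same hunk is templated from `cluster.image`, which kernel a node runs is cluster-dependent, so the script should probe `/proc/sys/kernel/unprivileged_userns_clone` and otherwise fall back to the upstream `user.max_user_namespaces=0` knob (stricter — it also blocks root), and it should write a dedicated file under `/etc/sysctl.d/` instead of an append that is not idempotent if the user-data script ever re-runs (e.g. after an image is baked from a node). A comment in the script should also record that this only raises the bar for unprivileged processes — a pod running as root with `CAP_SYS_ADMIN` can still reach the vulnerable `fsconfig()` path — so the actual fix remains a patched kernel in the node image, and that disabling unprivileged user namespaces can break workloads that depend on them (rootless containers, some sandboxes). The same script is duplicated verbatim in the master hunk and would need the identical change.
```yaml
  additionalUserData:
    - name: sysctl.sh
      # … unchanged: type …
      content: |
        #!/bin/sh
        # CVE-2022-0185 mitigation: block unprivileged user namespaces until the
        # node image ships a patched kernel. Root/CAP_SYS_ADMIN workloads remain
        # exposed; this is not a substitute for the kernel update.
        if [ -e /proc/sys/kernel/unprivileged_userns_clone ]; then
          key=kernel.unprivileged_userns_clone   # Debian/Ubuntu kernels
        else
          key=user.max_user_namespaces           # upstream kernels
        fi
        sysctl -w "$key=0"
        echo "$key=0" > /etc/sysctl.d/99-cve-2022-0185.conf
```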