CVE-2022-3262: 
NixOS vulnerability analysis and mitigation

A vulnerability was discovered in OpenShift, identified as CVE-2022-3262, where pods with a DNSPolicy of 'ClusterFirst' may incorrectly resolve hostnames based on service provided. This DNS resolution flaw affects the default configuration of OpenShift pods (Red Hat Bugzilla).

The vulnerability stems from how DNS queries are expanded using the Pod's /etc/resolv.conf file, which is set by Kubelet for each Pod. When a pod has the default DNSPolicy of 'ClusterFirst' or 'ClusterFirstWithHostNet' for host network pods, search paths like '.svc.cluster.local svc.cluster.local cluster.local' are created. If a user creates a namespace 'com' with a service 'google', DNS queries for 'google.com' would first try 'google.com..svc.cluster.local' and then 'google.com.svc.cluster.local', potentially resolving to the service address from the 'com' namespace (Red Hat Bugzilla).

The vulnerability could allow internal users to manipulate DNS resolution within the cluster. For example, if a malicious user creates a namespace with a TLD name (like 'com') and appropriate service names, they could potentially intercept and redirect DNS queries intended for external domains to their own pods (Red Hat Bugzilla).

Users should review and modify their DNS configuration to prevent expanded search paths. Administrators should consider changing the default configuration to not include expanded search and ensure that ClusterFirst is not set by default. Additionally, implementing restrictions on TLD names for namespaces and services in OpenShift can help prevent this vulnerability (Red Hat Bugzilla).