A flaw was found in the Restricted Security Context Constraints (SCC), where it allows pods to craft custom network packets. This flaw allows an attacker to cause a denial of service attack on an OpenShift Container Platform cluster if they can deploy pods. The highest threat from this vulnerability is to system availability.
On OCP 3.11 create a custom SCC based on 'restricted' and also drop the NET_RAW capability[1]. Assign this custom SCC to any users, or groups which create pods you want to protect. See the documentation for more information [2].
[1] <https://access.redhat.com/solutions/5611521>
[2] <https://docs.openshift.com/container-platform/3.11/admin_guide/manage_scc.html>