Wide open Kubernetes clusters, oh no, are we seeing MongoDB again? Crikey, who are the nietsnuts these companies are employing to administer their clusters?
Swiping CPU cycles from Kubernetes container clusters to mine crypto-coins is the latest rage among cybercrooks. So says Swiss security intelligence house BinaryEdge, which reckons it has spotted multiple instances of vulnerable clusters being taken over and then used to run scripts that mine cryptocurrencies for the attackers …
Sunday 9th December 2018 18:32 GMT Anonymous Coward
It really should not come as a surprise.
Standing up this stuff is hard, the sort of thing that previously you would have implemented with some initial hand-holding by a trusted vendor or implementation partner until you had the in-house skills to run with it yourself. But because it's open source and free, there is not a vendor out there looking after its reputation, just a crowd of code contributors with good intentions and no desire to sit hand-holding a bunch of newbies while they figure the hard stuff out.
Even less is there any inclination to dig into problems you may be facing in version X. If your problem smells even remotely like an issue resolved in X+1 (or X+0.01), then far from getting any help you'll be sneered at for not being on the right version and told to get yourself onto the latest, less field-tested version quick-smart. Hopefully it will solve your problem and, fingers crossed, it doesn't open you up to an even bigger problem as yet lying undiscovered by anyone else.
If you're lucky, there will be some altruistic vendor who has identified the opportunity to monetise this situation by offering commercial support for this 'free' technology, often founded by people close to the origin of the earliest version of the tech. The founders will show up at the pitches to give slick presentations about the tech and demonstrate their deep understanding. The warm bodies they send in to actually help you, though, will be an army of newbies given some training (mostly in how to cover up their lack of expertise) and labelled as consultants, to justify their confidence-inspiring hourly rates. Of course, you'll need to keep those invoices properly segregated and well away from the business case used to justify the wholesale adoption of the 'free' stuff, at least until you have become thoroughly and properly dependent upon that commercial vendor, to make them 'sticky' enough to survive the uncovering of the true cost of 'free'.
Of course, you could not use those commercial support arrangements, in which case you won't realise the cost of 'free' until you sit down and work out how much time you spent trying to get this stuff to work that you would have saved if you had just stuck to what you knew worked, knew how to get working and was supported by your enterprise partners when you got stuck. But you can come up with some separate time codes to keep that time (and therefore cost) similarly hidden. Call it "Capability Uplift" or something similar.
Best to keep quiet about the specific version you are using too. Just keep talking about the benefits of open-source and how issues are patched more quickly by the open source community. Whatever you do, do not talk about the fact that your specific circumstances mean that you can't actually keep up with those patches and newer versions because of the breaking changes that the inconsiderate open source community insist on introducing in the name of "progress" and that taking the latest version is actually more risky than sticking with better understood and known versions, complete with their unpatched vulnerabilities.
The great thing of course is that you will never have to justify to anyone why you are running on an unsupported version because technically none of the versions are supported!
This is not a problem confined to k8s.