
Honest request
Could someone please explain to me, in simple words, how they successfully used Kubernetes to their benefit? What specific problem did it solve for you?
A large number of servers running the Kubernetes API have been left exposed to the internet, which is not great: they're potentially vulnerable to abuse. Nonprofit security organization The Shadowserver Foundation recently scanned 454,729 systems hosting the popular open-source platform for managing and orchestrating …
It solves many small things in a consistent manner. Encourages you to containerise your service, apply configuration and manage secrets responsibly.
Encourages resource consumption management and scales accordingly. The large ecosystem allows for easy deployment of third-party products for logging and monitoring. All that and it's vendor neutral so you can mostly run your workload anywhere.
Makes managing a microservice deployment less of a nightmare.
"It solves many small things in a consistent manner. Encourages you to .... manage secrets responsibly."
It doesn't, without 3rd party application help. It encourages you to put it in a repo.
"All that and it's vendor neutral so you can mostly run your workload anywhere."
That is if you run vanilla Kubernetes, not managed instances from AWS, Azure, Google, Oracle or Red Hat, increasing your management and security complexities, hence the article (not that they don't expose them also).
"Makes managing a microservice deployment less of a nightmare."
But still a nightmare, especially with application development complexities, 'cloud native'.
Thank you for the attempt, but I'm none the wiser. I was hoping for a concrete example along the lines of: “I moved these image processing tasks from Photoshop on Windows to GIMP on Linux, following which I was able to automate the process thanks to GIMP's scriptability and I cut down processing time from 20 to 2 minutes per image”.
Well this is... massively not news, not really sure why Shadowserver are acting like it is :P Binary Edge, Censys and Shodan have been indexing k8s servers on the Internet for quite a while (I did a write-up on some of the exposures https://raesene.github.io/blog/2021/06/05/A-Census-of-Kubernetes-Clusters/ )
The reason for the high number (IME at least) is that the major managed k8s distributions (AKS, GKE, EKS) all default to exposing the API server on the Internet. There's a load of possible problems with this, not least of which is that Kubernetes features multiple authentication methods with non-expiring credentials, so an attacker who steals creds (or a disgruntled ex-admin) can easily get access.
Yeah.
Most people keep it public because private clusters are way harder to build and operate. Suddenly you need private DNS resolution, jump hosts for access to the API, private build nodes so that CI / CD can build and deploy. The cloud provider UI can no longer show you workload info unless you VPN in (so you'll need a VPN too).
And then you find out you need special resources to keep all the private bits talking to each other. Did I mention that those are only available in the premium tier? No? Well, they are, so everything will cost 3x what you thought it would.
It's probably not worth it. Access to the API is secured with certs (at least) so you would have to be extremely risk-averse to go down that rabbit hole.
At least on GKE it was actually fairly simple to spin up a private cluster and also simple to administer it and get workload info via the interface. The problems can arise when the cluster needs access to 3rd party APIs off cluster, as you then need Cloud NAT, I think it was, and that has rate limiting in it as to how many outbound connections you can make per server (of maybe 1000 every 2 minutes or so), so it's not any good for very chatty applications IME.
"Shadowserver recommended that enterprises using a Kubernetes API server that is accessible implement authorization for access or block it at the firewall to reduce the attack surface"
It no longer amazes (but it does sadden) me that such basic precautions are not automatically taken, but have to be advised by independent security experts.
When I got to the part about firewall rules, the default is.... allow all.
The entire project feels like a tour de force in how to do the right thing either the wrong way or at the wrong time, but that finally broke me. I could not bring myself to continue.
Borg is an excellent solution to Google's internal problems. K8s...is a Go training tool for potential future Googlers. Nothing else makes any sense.
I AM THE MANAGER<bs><bs><bs><bs><bs><bs><bs><bs><bs><bs><bs>A DEVELOPER!
But I prefer to call myself a SWE.
Sure, your average dev hasn't had to think about anything below level 7 since that lecture he slept through back in school. I'm not suggesting that such a person has any business in this space.