381,000-plus Kubernetes API servers 'exposed to internet'

A large number of servers running the Kubernetes API have been left exposed to the internet, which is not great: they're potentially vulnerable to abuse. Nonprofit security organization The Shadowserver Foundation recently scanned 454,729 systems hosting the popular open-source platform for managing and orchestrating …

  1. Anonymous Coward

    Honest request

    Could someone please explain to me, in simple words, how they successfully used Kubernetes to their benefit? What specific problem did it solve for you?

    1. Gorbachov

      Re: Honest request

      It solves many small things in a consistent manner. Encourages you to containerise your service, apply configuration and manage secrets responsibly.

      Encourages resource consumption management and scales accordingly. The large ecosystem allows for easy deployment of third-party products for logging and monitoring. All that and it's vendor neutral so you can mostly run your workload anywhere.

      Makes managing a microservice deployment less of a nightmare.

      1. Gene Cash Silver badge
        Pint

        Re: Honest request

        Thank you sir. That's the first sane non-foaming-at-the-mouth-fanboi explanation I've heard.

        Cheers.

      2. Anonymous Coward

        Re: Honest request

        "It solves many small things in a consistent manner. Encourages you to .... manage secrets responsibly."

        It doesn't, without 3rd party application help. It encourages you to put it in a repo.

        "All that and it's vendor neutral so you can mostly run your workload anywhere."

        That is if you run vanilla Kubernetes, not managed instances from AWS, Azure, Google, Oracle or Red Hat, increasing your management and security complexities, hence the article (not that they don't expose them also).

        "Makes managing a microservice deployment less of a nightmare."

        But still a nightmare, especially with application development complexities, 'cloud native'.

      3. Anonymous Coward

        Re: Honest request

        Thank you for the attempt, but I'm none the wiser. I was hoping for a concrete example along the lines of: “I moved these image processing tasks from Photoshop on Windows to the Gimp on Linux, following which I was able to automate the process thanks to the Gimp's scriptability and I cut down processing time from 20 to 2 minutes per image”.

  2. raesene

    Well this is... massively not news, not really sure why Shadowserver are acting like it is :P Binary Edge, Censys and Shodan have been indexing k8s servers on the Internet for quite a while (I did a write-up on some of the exposures https://raesene.github.io/blog/2021/06/05/A-Census-of-Kubernetes-Clusters/ )

    The reason for the high number (IME at least) is that the major managed k8s distributions (AKS, GKE, EKS) all default to exposing the API server on the Internet. There's a load of possible problems with this, not least of which is that Kubernetes features multiple authentication methods with non-expiring credentials, so an attacker who steals creds (or a disgruntled ex-admin) can easily get access.
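
The non-expiring-credential point above is easy to check for yourself. The following is an added example, not code from the thread or from any of the projects mentioned: it reads a kubeconfig (in JSON form, which kubectl accepts alongside YAML), classifies each context's credential by how it is obtained, and flags contexts that combine a long-lived credential with a server that is not on a private address. The sample kubeconfig, the cluster names, server names and credential values are constructed for the example.

```python
"""Added example: audit a kubeconfig for long-lived credentials pointed at
internet-facing API servers. Not part of the original thread; sample data
is constructed and the server names are placeholders."""
import ipaddress
import json
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample kubeconfig (JSON is a YAML subset, so kubectl reads it as-is).
SAMPLE_KUBECONFIG = json.dumps({
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [
        {"name": "prod", "cluster": {"server": "https://api.prod.example.com:6443"}},
        {"name": "dev", "cluster": {"server": "https://10.0.0.5:6443"}},
    ],
    "users": [
        # static bearer token written to disk: never expires on its own
        {"name": "ci-bot", "user": {"token": "EXAMPLE-STATIC-TOKEN"}},
        # client certificate: expires with the cert, and kube-apiserver has no revocation list
        {"name": "alice", "user": {"client-certificate-data": "EXAMPLE-CERT-B64",
                                   "client-key-data": "EXAMPLE-KEY-B64"}},
        # exec credential plugin: token fetched at use time, normally short-lived
        {"name": "cloud-sso", "user": {"exec": {"apiVersion": "client.authentication.k8s.io/v1",
                                                "command": "example-credential-plugin"}}},
        # legacy basic auth entry (removed from kube-apiserver in 1.19, but still found in old files)
        {"name": "legacy-admin", "user": {"username": "admin", "password": "EXAMPLE-PASSWORD"}},
    ],
    "contexts": [
        {"name": "prod-ci", "context": {"cluster": "prod", "user": "ci-bot"}},
        {"name": "prod-alice", "context": {"cluster": "prod", "user": "alice"}},
        {"name": "prod-sso", "context": {"cluster": "prod", "user": "cloud-sso"}},
        {"name": "dev-legacy", "context": {"cluster": "dev", "user": "legacy-admin"}},
    ],
})

# Credential kinds that do not expire by themselves (or only after a long, fixed lifetime).
LONG_LIVED_KINDS = {"static-token", "client-cert", "basic-auth"}


def credential_kind(user: Dict) -> str:
    """Classify a kubeconfig 'user' entry by how its credential is obtained."""
    if "exec" in user or "auth-provider" in user:
        return "exec-plugin"
    if "token" in user or "tokenFile" in user:
        return "static-token"
    if "client-certificate-data" in user or "client-certificate" in user:
        return "client-cert"
    if "username" in user or "password" in user:
        return "basic-auth"
    return "unknown"


def is_private_server(server: str) -> bool:
    """True when the server URL points at a private IP address.
    Hostnames cannot be resolved offline, so they are treated as reachable."""
    host = urlparse(server).hostname or ""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def audit_kubeconfig(text: str) -> List[Dict]:
    """One finding per context: which server it reaches and with what kind of credential."""
    cfg = json.loads(text)
    clusters = {c["name"]: c["cluster"] for c in cfg.get("clusters", [])}
    users = {u["name"]: u["user"] for u in cfg.get("users", [])}
    findings = []
    for ctx in cfg.get("contexts", []):
        ref = ctx["context"]
        server = clusters.get(ref["cluster"], {}).get("server", "")
        kind = credential_kind(users.get(ref["user"], {}))
        findings.append({
            "context": ctx["name"],
            "server": server,
            "credential": kind,
            "long_lived": kind in LONG_LIVED_KINDS,
            "internet_facing": not is_private_server(server),
        })
    return findings


def risky_contexts(text: str) -> List[str]:
    """Contexts where a stolen kubeconfig would keep working from anywhere, indefinitely."""
    return [f["context"] for f in audit_kubeconfig(text)
            if f["long_lived"] and f["internet_facing"]]


if __name__ == "__main__":
    for f in audit_kubeconfig(SAMPLE_KUBECONFIG):
        print(f)
    print("rotate or move behind a private endpoint:", risky_contexts(SAMPLE_KUBECONFIG))
```

On the constructed sample the audit flags `prod-ci` and `prod-alice`: a static token and a client certificate, both aimed at a public endpoint. The `dev-legacy` entry is equally long-lived but only reachable from the private network, which is exactly the mitigation the thread goes on to discuss.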

    1. Gorbachov

      Yeah.

      Most people keep it public because private clusters are way harder to build and operate. Suddenly you need private DNS resolution, jump hosts for access to the API, private build nodes so that CI / CD can build and deploy. The cloud provider UI can no longer show you workload info unless you VPN in, so you'll need a VPN too.

      And then you find out you need special resources to keep all the private bits to talk to each other. Did I mention that those are only available in the premium tier? No? Well, they are so everything will cost 3x what you thought it would.

      It's probably not worth it. Access to the API is secured with certs (at least) so you would have to be extremely risk-averse to go down that rabbit hole.

      1. Anonymous Coward

        "Access to the API is secured with certs (at least) so you would have to be extremely risk-averse to go down that rabbit hole."

        If you are not "extremely risk-averse" then you are doing it wrong and should not be playing with servers.

      2. two00lbwaster

        At least on GKE it was actually fairly simple to spin up a private cluster and also simple to administer it and get workload info via the interface. The problems can arise when the cluster needs access to 3rd party APIs off cluster as you then need Cloud NAT, I think it was, and that has rate limiting in it as to how many outbound connections you can make per server (of maybe 1000 every 2 minutes or so) so it's not any good for very chatty applications IME.

    2. spireite Silver badge
      Holmes

      but, but, but.....

      All services deployed in the cloud are safe by default...

      AWS/Azure/GCP all manage my security and harden it for me!!!

      (said no sensible geek, ever)

      ... but beancounters do.... IME

      1. VoiceOfTruth

        Re: but, but, but.....

        -> AWS

        We use AWS. It is clear there is a shared responsibility.

  3. Mike 137 Silver badge

    Incredibly sophisticated concept

    "Shadowserver recommended that enterprises using a Kubernetes API server that is accessible implement authorization for access or block it at the firewall to reduce the attack surface"

    It no longer amazes (but it does sadden) me that such basic precautions are not automatically taken, but have to be advised by independent security experts.

  4. Korev Silver badge
    Joke

    Open-source systems are an increasingly popular target for threat actors. In the era of cloud computing, the attack surface around Linux is only expanding.

    But, but, but I thought you don't get security problems if you move off Micros~1 Window$

  5. man_iii
    Trollface

    K8s are u okie Annie?

    Right so scanning /version or /status or just / will result in 200 OK ... Why troll?
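
Both the Shadowserver recommendation quoted above (authorise access or block it at the firewall) and the point that `/version` answers `200 OK` come down to one question for an operator: what does my own API endpoint say to a request carrying no credentials? The following is an added example, not code from the thread or from Kubernetes itself. It interprets the status and body of an unauthenticated `GET /version` against an endpoint you operate and maps each outcome to the defensive action the thread recommends. The function names, the `ACTIONS` text and the sample responses are mine; the sample responses are constructed to match the shape of kube-apiserver output (a `/version` document on 200, a `Status` object on 401 and 403).

```python
"""Added example: interpret an unauthenticated GET /version against a Kubernetes
API endpoint you operate, to confirm what an internet scan would see.
Sample responses are constructed; endpoint names are placeholders."""
import json
import ssl
import urllib.request
from typing import Dict, Optional, Tuple
from urllib.error import HTTPError, URLError

# Constructed responses shaped like kube-apiserver output.
VERSION_200 = json.dumps({"major": "1", "minor": "24", "gitVersion": "v1.24.0",
                          "platform": "linux/amd64"})
UNAUTHORIZED_401 = json.dumps({"kind": "Status", "apiVersion": "v1", "status": "Failure",
                               "message": "Unauthorized", "reason": "Unauthorized", "code": 401})
FORBIDDEN_403 = json.dumps({"kind": "Status", "apiVersion": "v1", "status": "Failure",
                            "reason": "Forbidden", "code": 403})

# Defender's reading of each outcome, following the thread's advice: authorise or firewall.
ACTIONS = {
    "anonymous-version-leak": "reachable and self-identifying: restrict the API server to trusted "
                              "networks (cloud 'authorized networks' or a firewall rule on 6443); "
                              "set --anonymous-auth=false where you control kube-apiserver flags",
    "auth-required": "reachable; anonymous auth is off, but still restrict network exposure",
    "reachable-forbidden": "reachable; anonymous auth is on but RBAC denies /version; still restrict",
    "not-kubernetes": "no kube-apiserver answered here: check the inventory entry",
}


def _is_status_object(body: str) -> bool:
    """kube-apiserver error bodies are JSON Status objects (kind: Status)."""
    try:
        return json.loads(body).get("kind") == "Status"
    except (ValueError, AttributeError):
        return False


def classify_version_response(status: int, body: str) -> str:
    """Map (status, body) of an unauthenticated GET /version to an exposure class.
    200 + version JSON: anonymous auth on and the default public-info-viewer role serving /version.
    401 + Status: anonymous auth disabled.  403 + Status: anonymous user exists but RBAC denies."""
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "not-kubernetes"
        if isinstance(data, dict) and "gitVersion" in data and "major" in data:
            return "anonymous-version-leak"
        return "not-kubernetes"
    if status == 401 and _is_status_object(body):
        return "auth-required"
    if status == 403 and _is_status_object(body):
        return "reachable-forbidden"
    return "not-kubernetes"


def probe_own_endpoint(server: str, ca_file: Optional[str] = None,
                       timeout: float = 5.0) -> Tuple[int, str]:
    """GET /version with no credentials against an endpoint you own. TLS verification
    stays on; pass the cluster CA file for a private CA. Network errors are status 0."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(server.rstrip("/") + "/version", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except (URLError, OSError) as e:
        return 0, str(e)


def report(observations: Dict[str, Tuple[int, str]]) -> Dict[str, str]:
    """endpoint -> recommended action, from (status, body) pairs gathered per endpoint."""
    return {ep: ACTIONS[classify_version_response(st, body)]
            for ep, (st, body) in observations.items()}


if __name__ == "__main__":
    # Offline run over the constructed samples; swap in probe_own_endpoint(url) for live checks.
    sample = {"https://api.prod.example.com:6443": (200, VERSION_200),
              "https://api.dev.example.com:6443": (401, UNAUTHORIZED_401)}
    for ep, action in report(sample).items():
        print(ep, "->", action)
```

The 200 case is the one Shadowserver counted as exposed: the server is reachable and tells anyone its version. Note that 401 and 403 are reported as still needing a network restriction, because an authenticated-only server is still a target for the stolen-credential scenario described earlier in the thread.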

  6. Claptrap314 Silver badge

    I was gifted a K8s admin course

    When I got to the part about firewall rules, the default is.... allow all.

    The entire project feels like a tour de force in how to do the right thing either the wrong way or at the wrong time, but that finally broke me. I could not bring myself to continue.

    Borg is an excellent solution to Google's internal problems. K8s...is a Go training tool for potential future Googlers. Nothing else makes any sense.

    1. Anonymous Coward

      Re: I was gifted a K8s admin course

      Have you ever tried explaining networks, security or certificates to developers? Well k8s is their answer to that, ignore it and as long as the button loads up their work is done; some other chump has to make all the other stuff work.

      1. Claptrap314 Silver badge

        Re: I was gifted a K8s admin course

        I AM THE MANAGER<bs><bs><bs><bs><bs><bs><bs><bs><bs><bs><bs>A DEVELOPER!

        But I prefer to call myself a SWE.

        Sure, your average dev hasn't had to think about anything below level 7 since that lecture he slept through back in school. I'm not suggesting that such a person has any business in this space.


Biting the hand that feeds IT © 1998–2022