Interesting details on a Kubernetes hack in the wild: https://medium.com/handy-tech/analysis-of-a-kubernetes-hack-backdooring-through-kubelet-823be5c3d67c
I mentioned in my BlackHat talk that ensuring that the kubelet was configured to require mutual TLS auth was critical. This kubelet exec handler was a big reason why I said that :). https://github.com/kayrus/kubelet-exploit
Replying to @dinodaizovi
Wow... this guy had a cert, but that's not the issue. "The kubernetes api-server was publicly exposed to the internet — but protected with certificate authentication. ... Unless you specify some flags on Kubelet, its default mode of operation is to accept unauthenticated API requests."
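The defaults quoted above are the whole problem: run from flags alone, the kubelet accepts anonymous requests (`--anonymous-auth` defaults to true), authorizes every request (`--authorization-mode` defaults to AlwaysAllow) and has no client CA to verify certificates against, so mutual TLS is impossible. A KubeletConfiguration file has safer defaults for the same fields, but explicit flags override the file. The checker below is an added example, not code from the thread, the linked article or the kubelet-exploit repo; it resolves the settings a kubelet will actually enforce from a constructed command line (as seen in `ps` output) and an optional KubeletConfiguration (given as JSON, which the kubelet accepts since YAML is a superset of it), and reports the three weaknesses. All sample inputs are constructed.

```python
"""Audit a kubelet's auth settings for anonymous access, AlwaysAllow and a missing
client CA. Added example; sample command lines and config are constructed."""
import json
import shlex

# Defaults the kubelet applies when it runs from command-line flags alone.
FLAG_DEFAULTS = {
    "anonymous_auth": True,               # --anonymous-auth defaults to true
    "authorization_mode": "AlwaysAllow",  # --authorization-mode defaults to AlwaysAllow
    "client_ca_file": "",                 # --client-ca-file defaults to empty
}

# Defaults applied to fields a KubeletConfiguration file leaves unset.
CONFIG_FILE_DEFAULTS = {
    "anonymous_auth": False,
    "authorization_mode": "Webhook",
    "client_ca_file": "",
}

AUDITED_FLAGS = {
    "--anonymous-auth": "anonymous_auth",
    "--authorization-mode": "authorization_mode",
    "--client-ca-file": "client_ca_file",
}


def parse_bool(text):
    return str(text).strip().lower() in ("1", "t", "true")


def settings_from_config(config_json):
    """Overlay the explicit fields of a KubeletConfiguration onto the file defaults."""
    cfg = json.loads(config_json)
    s = dict(CONFIG_FILE_DEFAULTS)
    auth = cfg.get("authentication", {})
    if "enabled" in auth.get("anonymous", {}):
        s["anonymous_auth"] = bool(auth["anonymous"]["enabled"])
    if "clientCAFile" in auth.get("x509", {}):
        s["client_ca_file"] = auth["x509"]["clientCAFile"]
    if "mode" in cfg.get("authorization", {}):
        s["authorization_mode"] = cfg["authorization"]["mode"]
    return s


def flags_from_cmdline(cmdline):
    """Pull the audited flags out of a kubelet command line.
    Handles --flag=value and --flag value; a bare boolean flag means true
    (pflag semantics: a bool flag only takes a value via '=')."""
    args = shlex.split(cmdline)
    found = {}
    i = 0
    while i < len(args):
        name, eq, value = args[i].partition("=")
        if name in AUDITED_FLAGS:
            key = AUDITED_FLAGS[name]
            if not eq:
                if key == "anonymous_auth":
                    value = "true"
                else:
                    i += 1
                    value = args[i]
            found[key] = parse_bool(value) if key == "anonymous_auth" else value
        i += 1
    return found


def effective_settings(cmdline, config_json=None):
    """Resolve what the kubelet enforces: flag defaults, replaced by the config
    file (with its own safer defaults) when one is given, then explicit flags."""
    s = settings_from_config(config_json) if config_json else dict(FLAG_DEFAULTS)
    s.update(flags_from_cmdline(cmdline))
    return s


def audit(settings):
    findings = []
    if settings["anonymous_auth"]:
        findings.append("anonymous requests accepted: set --anonymous-auth=false "
                        "(authentication.anonymous.enabled: false)")
    if settings["authorization_mode"] == "AlwaysAllow":
        findings.append("AlwaysAllow authorizes every request, anonymous ones included: "
                        "set --authorization-mode=Webhook (authorization.mode: Webhook)")
    if not settings["client_ca_file"]:
        findings.append("no client CA, so client certs cannot be verified and mutual TLS "
                        "is impossible: set --client-ca-file (authentication.x509.clientCAFile)")
    return findings


# Constructed sample inputs.
LEGACY_CMDLINE = "/usr/bin/kubelet --kubeconfig=/etc/kubernetes/kubelet.conf --cluster-dns=10.96.0.10"
HARDENED_CMDLINE = ("/usr/bin/kubelet --kubeconfig=/etc/kubernetes/kubelet.conf "
                    "--anonymous-auth=false --authorization-mode=Webhook "
                    "--client-ca-file=/etc/kubernetes/pki/ca.crt")
HARDENED_CONFIG = json.dumps({
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": False}, "webhook": {"enabled": True},
                       "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"}},
    "authorization": {"mode": "Webhook"},
})
# A config-file deployment where someone re-enabled anonymous auth on the command line.
OVERRIDDEN_CMDLINE = "/usr/bin/kubelet --config=/var/lib/kubelet/config.yaml --anonymous-auth=true"

if __name__ == "__main__":
    for label, cmd, cfg in [("legacy flags", LEGACY_CMDLINE, None),
                            ("hardened flags", HARDENED_CMDLINE, None),
                            ("config file + flag override", OVERRIDDEN_CMDLINE, HARDENED_CONFIG)]:
        print(label)
        for f in audit(effective_settings(cmd, cfg)) or ["ok"]:
            print("  -", f)
```

The third sample is the case worth remembering: a correct config file still loses to a stray `--anonymous-auth=true` on the command line, so audit the running process, not just the file on disk.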
Replying to @TechJournalist @dinodaizovi
Mutually authenticated TLS is important, but I had no idea that #k8s defaulted to accepting unauthenticated API requests. That should be a red flag that blocked @CloudNativeFdn from graduating #Kubernetes
Replying to @TechJournalist @CloudNativeFdn
The difference is the API Server (expected to be exposed externally from cluster) vs. kubelet (expected to be exposed only inside cluster control plane).
Yes, reminder that the CNCF produces projects that we expect our members to build products from and configure for their users... see how k8s is used by OpenShift, cloud providers, etc.
I think that is a good point. CNCF is like the Linux Foundation. Deployment configuration is usually distro/vendor responsibility. If you decide to roll your own Linux distro, securing it will take a ton of work too :).