3 votes

Analysis of a Kubernetes hack — Backdooring through kubelet

1 comment

  1. patience_limited

    Unless you specify some flags on Kubelet, its default mode of operation is to accept unauthenticated API requests. Keep in mind that in order for master -> node communication to work, the Kubernetes API server must be able to talk to kubelet on your nodes.

    As it turns out, our coworker’s server was also publicly exposing the kubelet ports (tcp 10250, tcp 10255). Although the problem here was obvious, it should raise some questions about your own Kubernetes deployment, as it did for us.

    If your users have network access to your nodes, then the kubelet API is a full-featured unauthenticated API backdoor to your cluster.

    That is, if you’ve gone through the trouble of enabling Authentication and Authorization (webhook, RBAC, etc.) then you should also ensure your kubelet is properly locked down.

    2 votes
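A small audit of the point made in the comment above, added here as an example and not part of the original thread: a KubeletConfiguration that omits the authentication, authorization and read-only-port fields silently inherits the insecure defaults (anonymous auth on, authorization AlwaysAllow, read-only port 10255), so a checker has to treat an absent field as the weak setting. The default values, the sample configs and the CA file path are assumptions constructed for this example.

```python
import json

# Assumed kubelet defaults that apply whenever the field is absent from the config
# (the "unless you specify some flags" case from the comment).
DEFAULT_ANONYMOUS_ENABLED = True
DEFAULT_AUTHZ_MODE = "AlwaysAllow"
DEFAULT_READ_ONLY_PORT = 10255  # unauthenticated read-only port mentioned in the post


def audit_kubelet_config(cfg: dict) -> list:
    """Return findings for a KubeletConfiguration dict; an empty list means locked down."""
    findings = []
    auth = cfg.get("authentication", {})
    if auth.get("anonymous", {}).get("enabled", DEFAULT_ANONYMOUS_ENABLED):
        findings.append("anonymous auth enabled: unauthenticated requests reach the kubelet API")
    has_webhook = auth.get("webhook", {}).get("enabled", False)
    has_x509 = bool(auth.get("x509", {}).get("clientCAFile"))
    if not has_webhook and not has_x509:
        findings.append("no authenticator configured (neither webhook token review nor x509 client CA)")
    if cfg.get("authorization", {}).get("mode", DEFAULT_AUTHZ_MODE) == "AlwaysAllow":
        findings.append("authorization mode AlwaysAllow: every caller, anonymous included, is permitted")
    if cfg.get("readOnlyPort", DEFAULT_READ_ONLY_PORT) != 0:
        findings.append("read-only port open: node and pod details served with no auth at all")
    return findings


# Constructed sample: a config that sets nothing and therefore relies on the defaults.
WEAK_CONFIG = json.loads(
    '{"kind": "KubeletConfiguration", "apiVersion": "kubelet.config.k8s.io/v1beta1"}'
)

# Constructed sample: the same config carrying the settings a locked-down node should have
# (the clientCAFile path is a placeholder, not taken from any real cluster).
HARDENED_CONFIG = json.loads("""{
  "kind": "KubeletConfiguration",
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "authentication": {
    "anonymous": {"enabled": false},
    "webhook": {"enabled": true},
    "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"}
  },
  "authorization": {"mode": "Webhook"},
  "readOnlyPort": 0
}""")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_kubelet_config(cfg) or ["ok"])
```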