Kubernetes Security Issues: Nearly a Million Instances Exposed on Internet

eSecurityPlanet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Cybersecurity researchers have found more than 900,000 instances of Kubernetes consoles exposed on the internet.

Cyble researchers detected misconfigured Kubernetes instances that could expose hundreds of thousands of organizations. The researchers found a number of indicators of exposure in the open source container orchestration platform:

  • KubernetesDashboard
  • Kubernetes-master
  • Kubernetes Kube K8
  • Favicon:2130463260, -1203021870

The threat-hunting exercise led to some general findings on risk exposure:

  • The United States has the highest exposure count by far (65%), followed by China (14%) and Germany (9%)
  • The top ports in use are 443, 10250, and 6443

Also read: Top Container Security Solutions

Kubernetes Security Issues and Risks

Kubernetes is a very popular container orchestration system. The name comes from the Greek word for “helmsman.” The term “K8s” or “K-eights” is also used to refer to this technology.

Many organizations manage their applications with Kubernetes using self-contained units called “pods,” which share common resources with other units without being aware of each other. For example, “npm start” or “go run” processes can be managed in pods and share some CPU and RAM.

K8s is helpful to deploy, manage, and scale containers, which often consist of micro-services and their configuration files. When the workload increases or decreases, Kubernetes can handle the situation automatically.

As a result, an important security aspect of Kubernetes is access control. Any misconfiguration can lead to unwanted disclosures and attackers could even use them to escape containers and escalate privileges. Besides, Kubernetes provides APIs, CLI commands, and user interfaces that could be attractive for hackers.

Cyble explained its scan “does not necessarily imply that all exposed instances are vulnerable to attacks or will lead to the loss of sensitive data,” but “emphasizes the existence of seemingly simple misconfiguration practices that might make companies lucrative targets for TAs in the future.”

How to Protect Kubernetes

While you cannot anticipate everything, there are good practices for Kubernetes pods security:

  • Allow non-root users only
  • Run regular vulnerability scans against containers (misconfigurations will be spotted)
  • Use Kubernetes secrets instead of hard coded credentials in configuration files
  • Disable anonymous login
  • Harden authentication, especially when it’s not enabled by default
  • Update and apply all security patches
  • Remove useless or no longer used components

Also, be extra-vigilant with the error codes returned by Kubernetes APIs. Hackers will likely use them to determine whether they can attempt further attacks or not. For example, if the Kubelet API, which handles communications between the Kubernetes control plane and the nodes, accepts unauthenticated requests but returns a 403 error, hackers will probably stop attacking it.

However, if it returns a 401, they might try other exploits, as such an error shows a Kubernetes cluster is functioning in the environment.

Cyble’s results revealed “a small subset of 799 Kubernetes instances that return a status code 200, which are completely exposed to external attackers. In these cases, threat actors can access the nodes on the Kubernetes Dashboard without a password, access all secrets, perform actions, etc.”

Read next: Container & Kubernetes Security Best Practices

Julien Maury
Julien Maury
eSecurity Planet contributor Julien Maury writes about penetration testing, code security, open source security and more. He is a backend developer, a mentor and a technical writer who enjoys sharing his knowledge and learning new concepts.

Latest articles

Top Cybersecurity Companies

Get the Free Newsletter!
Get the Free Newsletter!
Subscribe to Cybersecurity Insider for top news, trends & analysis
Subscribe to Cybersecurity Insider for top news, trends & analysis
This email address is invalid.

Related articles