Over 900K Kubernetes clusters are misconfigured! Is yours a target?

Over 900K Kubernetes clusters are misconfigured! Is your cluster a target?

Many thanks to the great team at Teleport, who have sponsored my writing for the past week.

Kubernetes is an amazing platform for managing containers at scale. However, a recent study found that over 900,000 Kubernetes clusters are vulnerable to attack because they are misconfigured! This means that your Kubernetes cluster could be a target for malicious hackers if it is not properly secured. In this article, we will discuss how to secure your Kubernetes cluster and protect it from attack.

The scan from cyble found over 900K Kubernetes clusters exposed to the internet, with over 800 returning an `200 OK` Response code when queried. This means that an anonymous user can potentially get full access to the pods and the Kubernetes Dashboard.

Having a public Kubernetes API server endpoint isn’t necessarily a bad thing. With the correct authentication, it’s OK to keep it public. But as Kubernetes vulnerabilities are found, it’s a good idea to limit the API server endpoint access to only those that need it.

For people self hosts, you can limit IP addresses using software-based firewalls and if using a hosted Kubernetes service, many offer the ability to make the API either Public, Limited per CIDR or Private. Private only lets access via a VPC and completely disables public internet access to the API Server. If using AWS, EKS information on securing the public endpoint is available here.

Teleport 2

Providing secure access at scale?
One problem with the above proposal is it’s either limited to static CIDR blocks (what happens if I work from home or go to the office?) — or I need a method of using a bastion or jump host to get into the VPC. This is where an OSS tool such as Teleport can provide the solution. Teleport is an identity-based access plane that can be deployed in a public subnet to provide a secure gateway to one or many Kubernetes clusters.

Decommission unused auth methods and unused tokens
Perform periodic review of unused auth methods and auth tokens and remove or disable them. Administrators often use certain tools to help ease setup with the Kubernetes cluster and later switch to other methods for managing clusters. It is important in this case that previously used auth methods and tokens are thoroughly reviewed and decommissioned if they’re no longer being used. There are a lot of small tweaks and improvements that can be made to harden and secure access to Kubernetes API.

Audit Kubernetes Access
Once deployed to production, it’s important to have full visibility into what’s happening when someone is accessing a cluster. Teleport can provide visibility into kubectl API requests, link access back to a user and even have complete interactive playback for kubectl execs.

Teleport Kubernetes Audit Log

Keep the hackers at bay
As Kubernetes has grown in popularity, it’s becoming an increasingly likely target for hackers. There are a range of ways in which hackers can compromise access to a Kubernetes system. By knowing how to hack Kubernetes, you’ll have a better understanding on how to protect it.

There are a number of ways to secure your Kubernetes cluster, including restricting access to the API server, providing secure access at scale, and auditing Kubernetes access. Teleport can help with securing access to Kubernetes clusters and providing visibility into API requests. By following these tips, you can protect your Kubernetes cluster from attack and keep hackers at bay.

Download Teleport OSS for free and join the 2K-strong Teleport Slack community working together to better protect their infrastructure.

If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about cybersecurity, you can find more information here.