• K8s is a sieve. Kubernetes, kube, schoolkids. blog.aquasec.com

    Most clusters were tied to small- to medium-sized organizations, but a notable subset was connected to large conglomerates and Fortune 500 companies, Aqua Security said. The exposures were a result of two misconfigurations: one that allows anonymous access with privileges and another that exposes Kubernetes clusters to the internet.

    Over a three-month period, the researchers identified 350+ API servers which could be exploited by attackers, they wrote. Upon analyzing the newly discovered hosts, the team found that 72% had ports 443 and 6443 exposed (these are the default HTTPS ports). They also found that 19% of the hosts used HTTP ports such as 8001 and 8080, while the rest used less common ports (e.g., 9999).

    The second issue is a misconfiguration of the `kubectl` proxy with flags that unknowingly expose the Kubernetes cluster to the internet, the researchers said. Impacted hosts included organizations across a variety of sectors such as financial services, aerospace, automotive, industrial, and security.

    "When you run the same command with the following flags `--address=0.0.0.0 --accept-hosts '.*'`, the proxy on your workstation will now listen and forward authorized and authenticated requests to the API server from any host that has HTTP access to the workstation. Mind that the privileges are the same privileges that the user who ran the `kubectl proxy` command has."
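    Two checks that follow from the quoted findings, as an added example (not code from the thread or from Aqua Security's post): the first flags a `kubectl proxy` command line that binds beyond loopback or accepts any Host header, using kubectl's real `--address` and `--accept-hosts` flags and their real defaults; the second classifies the reply to an unauthenticated request against an API server, separating "anonymous auth on but RBAC denied" (403) from "credentials required" (401) and from an actual anonymous data read (200 with a PodList). The function names, sample command lines and sample responses are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit helpers for the two misconfigurations quoted above.
# --address, --accept-hosts and --port are real `kubectl proxy` flags; everything else
# (function names, sample command lines, sample API responses) is constructed for illustration.

# kubectl_proxy_is_exposed CMDLINE
#   CMDLINE is one full command line, e.g. a line of `ps -eo args | grep 'kubectl proxy'`.
#   Returns 0 if the proxy binds beyond loopback or forwards any Host header (exposed),
#   1 if it keeps the safe defaults (127.0.0.1, Host restricted to localhost),
#   2 if CMDLINE is not a `kubectl proxy` invocation at all.
kubectl_proxy_is_exposed() {
    case "$1" in
        *kubectl*proxy*) ;;
        *) return 2 ;;
    esac
    address=127.0.0.1                                    # kubectl's default
    accept_hosts='^localhost$,^127\.0\.0\.1$,^\[::1\]$'  # kubectl's default
    set -f                 # no globbing: a literal '.*' must stay a literal
    # shellcheck disable=SC2086
    set -- $1
    set +f
    while [ $# -gt 0 ]; do
        case "$1" in
            --address=*)      address=${1#--address=} ;;
            --address)        address=$2; shift ;;
            --accept-hosts=*) accept_hosts=${1#--accept-hosts=} ;;
            --accept-hosts)   accept_hosts=$2; shift ;;
        esac
        shift
    done
    # ps shows words after the user's shell removed the quotes; a pasted command does not,
    # so drop any quotes that survived before comparing.
    address=$(printf '%s' "$address" | tr -d "'\"")
    accept_hosts=$(printf '%s' "$accept_hosts" | tr -d "'\"")
    case "$address" in
        127.0.0.1|localhost|::1|'[::1]') ;;
        *) return 0 ;;     # listening on a routable interface (0.0.0.0, ::, a LAN IP)
    esac
    case "$accept_hosts" in
        '.*'|'.+'|'') return 0 ;;   # any Host header is forwarded to the API server
    esac
    return 1
}

# api_anonymous_verdict STATUS BODY
#   Classifies the reply to an unauthenticated request such as
#     curl -sk -o body.json -w '%{http_code}' https://HOST:6443/api/v1/namespaces/kube-system/pods
#   200 + PodList -> the anonymous principal reads cluster data (the exposure described above)
#   403           -> anonymous auth is enabled (request ran as system:anonymous) but RBAC denied it;
#                    /version, /healthz and the like may still answer via system:public-info-viewer
#   401           -> anonymous authentication is disabled; credentials are required
api_anonymous_verdict() {
    case "$1" in
        200) case "$2" in
                 *'"kind":'*'"PodList"'*) echo ANONYMOUS-READ ;;
                 *)                       echo OTHER ;;
             esac ;;
        403) echo ANONYMOUS-ENABLED-RBAC-DENIED ;;
        401) echo AUTH-REQUIRED ;;
        *)   echo OTHER ;;
    esac
}

# Demonstration on the constructed command line matching the flags quoted from the post:
if kubectl_proxy_is_exposed "kubectl proxy --address=0.0.0.0 --accept-hosts '.*'"; then
    echo "exposed: proxy reachable from any host, with the privileges of the user's kubeconfig"
fi
```

    The safe form is the default invocation, `kubectl proxy` (equivalently `--address=127.0.0.1 --port=8001`); if the proxy has to be reached from another machine, the answer is an SSH tunnel or port-forward to loopback, not a wider bind.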
  • k8s is convenient and useful in exactly one case: for a large IT corporation that needs a universal tool for mass clustering of old software never designed for clusters;
    in all other cases the effort spent on k8s usually exceeds the effort of building native clustering into the software
  • @cypa, on the contrary: software should be microservice-based, designed in the Cloud Ready paradigm around the proverbial 15 factors:

    12factor.net

    developer.ibm.com

    As for the rest, agreed; you understand it no worse than I do