[nineteen999]

This is one of the side-effects of products having enormous hype in this industry.

Far too many people are adopting Docker/Kubernetes as they have been the hot new product for the last couple of years, often regardless of whether they are actually the best or most appropriate tool for the job.

A lot of the people who get sucked into the hype are often inexperienced programmers, devops or admin types who are in positions of power or influence in companies that they probably shouldn't be, IMHO.

As a result, they don't have the Linux or networking experience to be able to know when they are deploying these complex products securely or not, and they are putting their employers businesses at risk.

[andrewstuart2]

I disagree that hype leads to the problem you describe. Kubernetes is good at its job, and therefore it's popular, and therefore it's used by people who may not understand it.

You could say the exact same thing about Linux, Cisco, Dell, or pretty much any of the popular FOSS projects. Popular things, regardless of their complexity, get chosen by people of all experience levels. Inexperienced people are less likely to properly configure something, regardless of its popularity or hype.

If anything, having a few attractive projects tends to be beneficial (or at least neutral) for security as there are so many more people scrutinizing it, and many more people learning how to properly use it.

[ram_rar]

>A lot of the people who get sucked into the hype are often inexperienced programmers, devops or admin types who are in positions of power or influence in companies that they probably shouldn't be, IMHO.

I cannot agree more. Many times, I feel you da easily do away with ansible and terraform to setup VMs / docker. you dont quite need k8s. Just cuz K8s are cool.. people feel the need to use it.

[ownagefool]

It's more complicated that that. Whilst some people are probably jumping on kubernetes for the hype, there's a lot of things it makes really easy, especially for less experience teams.

For example:

- You want to spin up ephemeral environments to test PRs end2end. Sure, create a namespace, deploy your charts and run your tests. You want to do that with ansible, sure you can, but it's harder.

- You org is running apps via a multi-cloud and on-prem strategy? Okay, lets just write lots of tooling per cloud and another for on-prem, or we could abstract that away via kubernetes and only worry about tooling for kube itself.

- You want to do have rolling-upgrades. Sure, you build them with ansible then, or you could just use kubes.

Further to that, kubernetes is guiding reasonble abstractions, seperating infrastructure from code. Sure, it comes with complexity, but so does most things when you start throwing in scaling and auto-recovery.

For example, deploy terraform from your laptop? The device you probably browse porn on has becomes an attack surface. Move this to Jenkins, the CI is the attack surface. Put your code on Bitbucket? Bitbucket and the Jenkinsfile becomes the attack surface. Pretty much everything we do has complexity and attack surface _problems_ and using a managed k8s service will allow you some easy wins so you can actually think about those other problems, and those solutions will work on all platforms you can run k8s on.

[nineteen999]

Can I ask because I'm genuinely interested - what on earth do you do for third-party applications (for eg. closed source) that have to be integrated into your environment that don't come pre-packaged in a convenient container?

Do you containerize these yourselves, whether or not the vendor says that will support that? Or does it get pushed to some other team that manages whole VM's/AWS instances that are not container hosts.

Or is this a scenario that just doesn't happen in your environment?

Genuinely curious.

Also:

> using a managed k8s service will allow you some easy wins so you can actually think about those other problems, and those solutions will work on all platforms you can run k8s on

None of which matters one jot, if one cannot properly manage ingress/egress filtering on one's API endpoints, or a reasonable level of password/credential security. One will be used for cryptomining or worse, as per the fine article.

In that instance, one needs to go back and get some basic UNIX/Linux/network and security training before one starts playing with complicated software on publicly connected clouds. Or hire some people who actually know what they are doing with respect to that.

[ownagefool]

> Can I ask because I'm genuinely interested - what on earth do you do for third-party applications (for eg. closed source) that have to be integrated into your environment that don't come pre-packaged in a convenient container?

Depends what it is. I've taken a number of apps and wrapped them into docker containers and then written a helm chart. Some orgs get a bit skittish over "vendor support" but this usually only matters when they think it's a key product.

The point is, once you have a fleet, you should manage everything the same. If you're off building other pet services, you're going to have capacity problems.

> None of which matters one jot, if one cannot properly manage ingress/egress filtering on one's API endpoints, or a reasonable level of password/credential security. One will be used for cryptomining or worse, as per the fine article.

I mean sure, but I did say use a managed service, which will come with auth. Similarly I wouldn't recommend you host services on any cloud or network facing the public, without a professional involved.

For example AWS is easy to get wrong all the same. One of my current client is busy hiring developers with no experience to put services on AWS, and they came up with no encryption, no auth, no monitoring, misconfigured IAM. What's really the difference between that and kube?

[rescbr]

> Do you containerize these yourselves, whether or not the vendor says that will support that? Or does it get pushed to some other team that manages whole VM's/AWS instances that are not container hosts.

Working with large enterprises, I've seen both. If there's a good business case for the risk vs rewards (i.e. containers providing something technically useful which can be translated directly into revenue) and a good engineering + management team, some companies will actually risk it.

There's also the factor of how good the company's relationship with the third-party vendor is. Some companies have the weight to make the vendor support the unsupportable.

[speedplane]

I dunno, any cluster with more than 5 servers is a pain to deal with without something like kubernetes.

[justicezyx]

Note K8s is designed to control a lot of machines, sometime the entire fleet of smbs.

So itself should be more sensitive than other infrastructure pieces.

And I think op meant to say that, not that k8s is particularly bad in security in general. Or k8s is less experienced in security.

The down vote is not warranted.

[outworlder]

The "hype" part is pretty subjective and may have warranted down votes.

It's not hype if it solves a lot of organizations pain points.

[justicezyx]

Let's be honest, pretty much every new tech got hyped initially.

K8s is no doubt hype, otherwise it won't enjoy the explosive growth.

That's not subjective, at least IMHO

[bonesss]

It's the delineation of 'hype' and 'excitment' that is tricky.

If magic CPUs that were 10x better showed up tomorrow we'd all be justified in being very excited. But running with hype around the next Zune? ... that's not excitement backed with meaning.

[justicezyx]

Then we should agree to disagree.

[cobookman]

Why do you assume that other platforms are not at similar risk?

VMs also have zero-days that have been exploited for cryptomining.

[nineteen999]

I don't assume that at all. I mentioned Docker explicitly and people are pulling Docker containers from untrusted sources with malware pre-installed, because they lack the experience that would tell them that pulling untrusted Docker containers and running them is a bad idea.

https://threatpost.com/malicious-docker-containers-earn-cryp...

From the article itself, although they mention the CVE at the top, the real point they are making is that people are deploying the products with poor defaults:

"as is typical with our findings, lots of companies are exposing their Kubernetes API with no authentication; inside the Kubernetes cluster"

Not to mention a bunch of NoSQL type db's you can easily search on Shodan if you wanted to have some fun.

So yes - the problem here is experience, or lack thereof, and not Kubernetes itself. The CVE can be patched. You can't patch inexperience - except with experience I suppose.

All I am saying is that there a lot of people who are downloading and deploying these products because of hype, who are unable or unwilling to secure them.

[cbzbc]

Leaving aside NoSQL db's - there's also a ton of normal SQL databases wide open, I don't think hype is necessarily the issue there.

[nineteen999]

Sure, maybe your average garden variety Postgres or MySQL instances, and probably some MS-SQL as well. Companies that have a large investment in commercial RDBMS (eg. Oracle, DB2, etc) tend not to be so careless in my experience.

[balgan]

CEO of BinaryEdge here, ur 100% right. If I show you the queue of posts we have you'd see similar posts to this one just with different technologies that we have seen being infected or misused(etcd, docker, and about 10 or 20 more types of DB's).