Is this a BUG REPORT or FEATURE REQUEST?:
Uncomment only one, leave it on its own line:
/kind bug
/kind enhancement
What happened:
After installing kubevirt 0.9.1 and 0.10.0 we found that apicalls are opening ports and there is a bot crawling for this, we had to make sure firewalls are strict (as they should be) but this was for a test env, remove the commands being run, and reboot with strict instance firewall rules and os.
What you expected to happen:
Not this
How to reproduce it (as minimally and precisely as possible):
Keep kubevirt open to the world and wait a week or a few days.
Anything else we need to know?:
root 931 71.9 0.0 98684 12840 ? Ssl Dec02 1388:34 /tmp/nanoWatch -o pool.t00ls.ru:19000 -k -B
brandon 2515 53.7 0.0 98552 12900 ? Ssl Dec02 696:45 /tmp/nanoWatch -o pool.t00ls.ru:19000 -k -B
brandon 9818 153 0.0 98680 12952 ? Ssl Nov30 7820:37 /tmp/nanoWatch -o pool.t00ls.ru:19000 -k -B
brandon 10043 66.7 0.0 98672 12884 ? Ssl 07:59 441:56 /tmp/nanoWatch -o pool.t00ls.ru:19000 -k -B
brandon 10080 128 0.0 98680 12936 ? Ssl Nov30 5760:35 /tmp/nanoWatch -o pool.t00ls.ru:19000 -k -B
root 10700 272 0.0 98688 12944 ? Ssl Nov29 15644:23 /tmp/nanoWatch -o pool.t00ls.ru:19000 -k -B
brandon 10743 44.9 0.0 98536 12888 ? Ssl 07:59 297:15 /tmp/nanoWatch -o pool.t00ls.ru:19000 -k -B
brandon 19210 171 0.0 98680 12844 ? Ssl Dec01 5492:09 /tmp/nanoWatch -o pool.t00ls.ru:19000 -k -B
Environment:
virtctl version): 0.9.1 & 0.10.0kubectl version): 1.10.4uname -a): (had to restart instance and lost serial connection)After installing kubevirt 0.9.1 and 0.10.0 we found that apicalls are opening ports and there is a bot crawling for this, we had to make sure firewalls are strict (as they should be) but this was for a test env, remove the commands being run, and reboot with strict instance firewall rules and os.
@bitbucket90 If this is really the case then this sounds severe. I am however not sure I understand this report. Mabye you can help us out with some more details. How did you install kubevirt?
At least this repo kubevirt/kubevirt and the manifest we provide on the release page do not open any ports in any way I know of. Which API calls are happening?
I see that you used GCP, is GCP by default enabling a firewall?
@bitbucket90 What do you mean by Keep kubevirt open to the world, I know you can create GCE load balancer to make external access to the cluster, but it should expose just specified services and ports.
@bitbucket90 how did you deploy kubevirt?
Kubevirt is being deployed per your recommendations (env arg then the kubectl apply -f httplink) We are doing this in a managed K8 single node cluster (using our propitiatory management system) the issue however seems to have happened twice, and may not be related to https://github.com/kubernetes/kubernetes/issues/71411 ; I believe @fabiand emailed me and am going to setup a call.
There was ingress allowed all for all ports with no limits on ip's to test some vnc clients, which is NOT recommended, however the same malware (looks to be a miner) found its way in and deployed and this was on the following:
Docker 17.06 CE, K8 1.10.4, KV 0.10.0 & 0.9.1, Ubuntu 16.04 updated to latest, no password ssh all keys. I have run this exact same setup with ports open, no kubevirt, and nothing was compromised (could be luck of the "crawl")
@bitbucket90 given the issue reported on ingress-nginx can you confirm whether or not you're using nginx for ingress?
@bitbucket90 given the issue reported on ingress-nginx can you confirm whether or not you're using nginx for ingress?
This would be it. I do apologize for the lack of response.
After receiving message from a colleague this was not deployed with nginx as ingress, however its the same crypto miner.
You mentioned 1.10.4. you sure its not https://github.com/kubernetes/kubernetes/issues/71411 ?
You mentioned 1.10.4. you sure its not kubernetes/kubernetes#71411 ?
That is what we are thinking this is related to after speaking with a few others.