We have recently started scanning for accessible Kubernetes API instances that respond with a 200 OK HTTP response to our probes. Kubernetes is a popular open-source system for automating deployment, scaling, and management of containerized applications.
We find over 380 000 Kubernetes API daily that allow for some form of access, out of over 450 000 that we are able to identify. Data on these is shared daily in our Accessible Kubernetes API Server Report.
While this does not mean that these instances are fully open or vulnerable to an attack, it is likely that this level of access was not intended, and these instances are an unnecessarily exposed attack surface. They also allow for information leakage on version and builds.
How we scan
We scan daily with a HTTP GET request using the /version URI. We scan all of the IPv4 space on ports 6443 and 443. We include only Kubernetes servers that respond with a 200 OK (with accompanying JSON response), and hence disclose version information in their response. We do not perform any intrusive checks to determine the level of access that can be obtained.
A scan result for 2022-05-16 uncovers 381,645 unique IPs responding with a 200 OK HTTP response to our probes. This is out of the 454,729 Kubernetes API instances we see. The “open” API instances thus constitute nearly 84% of all instances that we can scan for on the Ipv4 Internet.
Most accessible Kubernetes API servers are found in the United States – 201,348 (nearly 53%).
Accessible Kubernetes major/minor version breakdown:
1.2 4 1.5 90 1.6 6 1.7 4 1.8 53 1.9 41 1.10 95 1.11 199 1.12 497 1.13 383 1.14 1542 1.15 1310 1.16 3678 1.17 34918 1.18 33877 1.19 50902 1.20 65487 1.21 148645 1.22 33221 1.23 9518 1.24 585 1.25 4
Top accessible platforms:
linux/amd64 384240 linux/arm64 683 linux/ppc64le 134 linux/s390x 8 linux/arm 4
If you are notified of an instance that is accessible, please consider implementing authorization for access or block at the firewall level to reduce your exposed attack surface.
You can read more on securing access to the Kubernetes API in this official guide.
If your Kubernetes API endpoint is available on an IP you were not expecting, and you use kube-proxy in IPVS mode see https://github.com/kubernetes/kubernetes/pull/108460
For more information on our scanning efforts, check out our Internet scanning summary page.
Subscribe to get free data on accessible Kubernetes instances in your network or constituency!
Details about the format of the new report being shared can be found in the Accessible Kubernetes API server report. If you are an existing subscriber you will get the report daily should any IP be found in your network/constituency.
For a mapping of all Kubernetes API services on your network/constituency (including ones that do not allow for any form of access) check out our Device Identification Report.
If you are not already a subscriber to Shadowserver’s public benefit daily network reports and would like to receive this new report and our other existing report types (covering not just other scan results, but observations from sinkholes, honeypots, darknets, sandboxes, blocklists and other sources), then please sign up to our free daily public benefit network remediation feed service.