Halloween is around the corner! 🎃
Imagine that you’re with your cloud-native friends, sitting around the fireplace, having some s’mores, and telling spooky stories.
Here are our best spooky stories for the cloud community. Enjoy them, and have an awesome Halloween!
You won’t want to come across… THE THING!
On a regular Friday night, a DevOps Engineer applied a new Deployment in a quiet southern node called Cluster Valley. Then they went home with their family without a worry.
What they didn’t know was that one of the pods had a radioactive ☢️ memory leak.
Our poor engineer hadn’t set up the memory limits, so disaster began early in the night.
A radioactive mass started to grow uncontrolled in the Node 01 neighborhood. The Thing was eating everything that it encountered, forcing the Node 01 neighbors to abandon their homes.
The Thing advanced slowly but relentlessly through the node, consuming all the memory that it found in its way.
Early Monday morning, the DevOps engineer came back to the office just to witness the disaster. Everything was chaos… There was no one left in Node 01 but The Thing. Node 01 became a ghost node 👻 and stopped responding to all attempts at intervention.
From time to time, a Prometheus instance set up by the admins of Cluster Valley receives a sample of Healthy Node from the neighborhood, but that’s all. Some people say that The Thing is still there, consuming memory from Node 01, leaving just enough to keep the kernel alive (if that can be called life).
Kids, don’t forget to rightsize the memory limits in your radioactive clusters, and in the regular clusters as well!
David de Torres – Integrations Engineer at Sysdig
Beware of the mutant tag!
This story starts with two lovely images, foo:2.4.5, and bar:1.0.0-rc1. They were happy images living in Container Land. They met at a cluster party on Oct. 31st and fell in love.
In a few months, they were living together in the same repository and they also created alice:latest and bob:slim.
Next year, on Halloween night, alice:latest and bob:slim decided to investigate the dark neighbor’s home. All the doors and windows were open, as if no one lived in the house.
The place gave off a strange scent and it felt like they were being watched through the shadows.
Soon, alice:latest and bob:slim realized they were in danger but it was too late – something was grabbing them and they couldn’t get free… From the gloomy house came out two tags very similar to them but different. Mutants!
foo:2.4.5 and bar:1.0.0-rc1 arrived home after a hard workload day and noticed something weird had happened to their children. They were now terrifying mutant monsters, full of horrible vulnerabilities, eating anyone asking “tip or trick.” They should have paid attention to the tags, as they were mutants!
Alvaro Iradier – Product Analyst at Sysdig
Falco Van Helsing against the Mining Vampires
A new container arrived at Node Town. It was a container from distant lands that made money in mining and now wanted to retire in a calm, quiet town. Soon after, something or someone started devouring the blood (a.k.a. CPU) of the poor Pod neighbors.
“This is a job for the best detective!” said the SRE Mayor. Then they called Falco Van Helsing, a very well-known detective and hero of the cloud-native community 🧛.
Van Helsing traced the footprints of a beast that was bloodsucking all the CPU blood of Node Town, but it wasn’t easy. The monster used to hide, and there were no clues in plain sight that hinted at who was leaving all the pods exhausted.
After sneaking into the darkness of Kernel Alley, Van Helsing discovered some syscalls that revealed how the Vampire container hid in the sewers of Node Town. So Van Helsing started chasing them. It happened to be the new rich miner container, disguised as an inoffensive workload, who was vampirizing the whole town’s CPU!
The Vampire presented a great battle but no attacker could beat all the information that Van Helsing collected. Our detective said out loud, “By The Power of Root, abandon this cluster!” And the vampire container was expelled from Node Town for the greater good.
Bloodsuckers, if you’d like to read about other epic battles from Falco Van Helsing, don’t miss this one where he fought the Sysrv Botnet.
Jesus Samitier – DevOps Content Engineer at Sysdig
A Series of Unfortunate Kernel Events, by Falcony Snicket
If you’re interested in stories with happy endings, you would be better off reading some articles. Read technical docs from any CNCF project, or even make a Pull Request to an open-source project. 🧡Everyone loves contributing to open source projects🧡.
This article doesn’t have a happy ending… but it doesn’t have a happy beginning either! This is because very few happy things happened to the three Podelaire youngsters.
My name is Falcony Snicket, and it is my duty to log the series of unfortunate kernel events that are the Podelaire orphans. But that is my duty, not yours. You could stop reading this blog and make something that would not pull you into a hole of sadness and despair, like watering your plants or feeding an alligator.
The extraordinary Podelaire orphans face trials, tribulations, and the evil Count Alif👺 in their quest to unlock long-held family credentials.
The evils happened one after the other. First, Alif exploited an IAM misconfiguration and went into the account to start exposing all the Podelaires’ assets to the internet. Every inbound port had a rule to accept connections from the whole internet (0.0.0.0/0 & ::/0).
When the Podelaire Orphans logged into the console to solve it, they discovered that MFA had been disabled for all accounts. “Don’t worry, we’ll recover a stable configuration and fix this,” said one of the orphans. But they lost that optimism after they realized that all the S3 backups had been systematically deleted. Everything was lost.
They thought it was all over. However, the evil Count Alif continued with the wicked activity.
Here comes the terrible ending for the three Podelaire orphans. They tried to elude all the traps set for them, but they could never feel safe as Count Alif always returned with more chaos, like making their credentials visible in sticky notes all over the place!
There’s nothing we can do to help these orphans… but keep calm. When something like this happens and you need to resolve it effectively, use this unified threat detection for cloud and containers.
Miguel Hernández – Security Content Engineer at Sysdig
Do you want to be safe?
We hope all of you have enjoyed reading this article as much as we did writing it. All of these stories can come true if best security practices are not followed.