grafclouds.com / documents / training / devops-challenges / compromised-container-incident

A Container in Prod Is Mining Crypto

Advanced ~15 min read
KubernetesSecurity

Scenario

A CPU alert fires on a production Kubernetes pod. Someone execs in to look and finds a cryptocurrency miner running, with steady outbound connections to a host nobody recognizes. The pod backs a public-facing service, carries a mounted service account token, and can read several secrets. How the attacker got in is unknown. The immediate instinct in the incident channel: this pod is burning CPU and making us look bad — kill it.

The Quick Fix on the Table

kubectl delete pod. The miner dies, CPU drops, the alert clears, and the dashboard is green again in ten seconds. Case closed — or so it appears.

Interview · Round 1

The quick fix is on the table and the room is waiting for your call. Would you sign off on it? Take a position and justify it — out loud or on paper — before revealing the analysis.