etcd, a distributed key-value store and a core component of Kubernetes clusters, is used to store highly sensitive configuration data, yet it is also easily left unprotected, as a developer recently found.
Puerto Rican software developer Giovanni Collazo was looking into etcd, first developed by CoreOS, and realized that before version 2.1, released in July 2015, it didn't support any type of authentication. Even after authentication was added, it remained disabled by default for backward-compatibility reasons.
MongoDB developers took a similar approach in the past, which resulted in thousands of insecure deployments on the internet that were abused by hackers. So Collazo set out to see whether etcd's design decisions had had a similar effect.
Read more at The New Stack