
Hacking DigitalOcean's New Kubernetes Service - developer2
https://www.4armed.com/blog/hacking-digitalocean-kubernetes/
======
merb
The only problem I see is one thing: once you have the access token, you can
access all resources in all projects.

But besides that, you only breach/change your own account. I mean, keep in mind
that the GKE cluster does not use NetworkPolicy or other stuff to secure their
cluster, either.

~~~
raesene9
Exposing the etcd key via the metadata service and then having etcd visible on
the Internet is bad.

This means that a single SSRF or RCE bug in any application running on a
cluster using this approach can be trivially escalated to full cluster
compromise.

