
Hey Kamal, good to see you here. I'm sorry to hijack this thread, but I'm hoping someone from DO could provide an official response to this often-cited post on HN regarding security issues on your K8S offering: https://news.ycombinator.com/item?id=22490390

Is there a chance you could poke someone into looking into this?



Hello,

I'm the tech lead for Kubernetes at DO. Just wanted to jump in and provide some clarification around the security issues you brought up.

The blog post you're referring to came out in December 2018, shortly after we released DOKS as a Limited Availability offering. By the time we announced our General Availability release in May 2019, we had done the following:

1. Changed our node bootstrapping process so that etcd information is no longer necessary in the metadata API, and removed said etcd information from metadata.

2. Firewalled off etcd so that it's accessible only inside the cluster.

3. Shifted how we run the CSI controller component so that a DO API token no longer needs to be stored as a secret in the cluster.

4. Switched from Flannel to Cilium as the CNI plugin, which allows users to configure network policies. We don't configure any network policies by default, but the option is there for users who want to use them.

These changes fix the vulnerabilities explained in the blog post. We do have further hardening measures planned, including limiting the scope of API tokens (one of the suggestions from the blog post, and also an often-requested feature from DO customers), but that's a big project so we can't provide a firm timeline for it at this point.

Hope this clarifies the current situation. If you or anyone else finds new security issues with DOKS (or other DO products) we would love to know about it. Our security team is always accepting vulnerability reports via their disclosure program: https://www.digitalocean.com/legal/contact-security/
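Since the comment above notes that Cilium enables network policies but none are applied by default, here is an added example of what a user would apply to get a default-deny posture in one namespace. This is not DigitalOcean's code or a DOKS default; it is a standard Kubernetes NetworkPolicy manifest (Cilium enforces the upstream NetworkPolicy API), and the namespace name `app` and the `kube-dns` label selector are assumptions you would replace with your own.

```yaml
# Added example: default-deny for the "app" namespace (assumed name), with
# DNS egress re-allowed so pods can still resolve in-cluster service names.
# Apply with: kubectl apply -f default-deny.yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: app
spec:
  # Empty podSelector matches every pod in the namespace.
  podSelector: {}
  # Listing both types with no rules means: deny all ingress and all egress.
  policyTypes:
    - Ingress
    - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: app
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        # Assumed: CoreDNS/kube-dns pods carry this label in kube-system.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

NetworkPolicy rules are additive: once the deny-all policy is in place, each additional policy only opens the specific flows it names, so further allow rules (for example, ingress from an ingress controller, or egress to a database) are added as separate, narrowly scoped policies. Verify the result with `kubectl describe networkpolicy -n app` and by checking that a pod in the namespace can resolve a service name but can no longer reach an address you have not explicitly allowed.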


It does, thank you for the in-depth response! I'll refer to this comment if I ever see that post brought up again.


Hey, I ran this by the DOKS team and they confirmed that this was taken care of a while back. Just to clarify, that issue existed while the product was in Limited Availability (think alpha). Nodes are now bootstrapped in a different way that eliminates the need to expose sensitive info in metadata or anywhere within the cluster itself.


Thank you!



