Hi, I have a weird problem with my Rancher installation, which I use for testing/learning: an admin user gets created when I deploy a cluster using an unofficial driver for Hetzner Cloud. Please see the GitHub issue linked below for more details. Question: is it possible, as I suspect, for a custom node driver to somehow compromise a Rancher installation by creating admin users, etc.? Am I dreaming? After all, it’s binary code that gets executed by Rancher, right?
Otherwise, is there any other possible explanation for what I have described? My Rancher server (it’s a single node install) has SSH root access and password auth disabled, has Fail2ban installed, a firewall, etc., and there’s nothing else installed other than Rancher. Only thing is that Rancher is exposed directly to the Internet instead of being behind a reverse proxy (as it was easier for the Let’s Encrypt thing). Could Rancher have been compromised?
Thanks in advance for your help.