Kubernetes - Security


All the details on the referenced planes can be found at Resiliency Planes.

Kubelet

The kubelet runs in host networking mode, so its listening ports are exposed directly on the host's network interfaces. Port 10250 is the kubelet API; the kube-apiserver (running on hosts labeled as Orchestration Plane) uses it for exec and logs. Because this port carries exec sessions and container logs, unrestricted access to it amounts to unrestricted access to the containers on the host. It is very important to lock down access to this port: only hosts labeled as Orchestration Plane should be able to reach the kubelet on port 10250.

Note: When using Rancher v1.6.15 and higher, the kubelet port is secured and can only be accessed with a certificate internally generated by Rancher.

There is also a read-only port on the kubelet, port 10255. It can be queried without authentication to gather container stats and is used by heapster. Because the data it returns can be sensitive, only hosts labeled as Compute Plane should be able to access the kubelet on port 10255.

Finally, the kubelet exposes port 4194 for cAdvisor. Kubernetes is in the process of deprecating this port, but until it is removed it is important to lock it down so that no information is exposed through this interface.
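As an added example (not part of the Rancher documentation), the following POSIX shell script builds an iptables chain that enforces the three rules above on a host running the kubelet: port 10250 reachable only from Orchestration Plane hosts, port 10255 only from Compute Plane hosts, and port 4194 from nowhere. The IP address lists, the chain name KUBELET-PORTS and the use of nc for the reachability check are assumptions for this example; replace the addresses with the hosts labeled in your environment.

```shell
#!/bin/sh
# Added example, not part of the Rancher documentation.
# Builds an iptables chain that restricts the three kubelet ports to the
# planes described above. IP addresses are constructed placeholders.

ORCHESTRATION_HOSTS="10.0.1.10 10.0.1.11"   # hosts labeled Orchestration Plane (run kube-apiserver)
COMPUTE_HOSTS="10.0.2.20 10.0.2.21"         # hosts labeled Compute Plane (run heapster)
CHAIN=KUBELET-PORTS                          # assumed chain name

# Print the iptables commands, one per line, without running them.
# Allowed sources RETURN to the INPUT chain so the rest of the host policy
# still applies; everything else on these ports is dropped.
gen_kubelet_rules() {
    echo "iptables -N $CHAIN 2>/dev/null || true"
    echo "iptables -F $CHAIN"
    echo "iptables -A $CHAIN -i lo -j RETURN"            # local processes may still reach the kubelet
    # 10250: kubelet API (exec, logs). Orchestration Plane only.
    for ip in $ORCHESTRATION_HOSTS; do
        echo "iptables -A $CHAIN -p tcp --dport 10250 -s $ip -j RETURN"
    done
    echo "iptables -A $CHAIN -p tcp --dport 10250 -j DROP"
    # 10255: read-only stats port. Compute Plane only.
    for ip in $COMPUTE_HOSTS; do
        echo "iptables -A $CHAIN -p tcp --dport 10255 -s $ip -j RETURN"
    done
    echo "iptables -A $CHAIN -p tcp --dport 10255 -j DROP"
    # 4194: cAdvisor. No remote host needs it.
    echo "iptables -A $CHAIN -p tcp --dport 4194 -j DROP"
    # Jump from the top of INPUT so no earlier blanket ACCEPT bypasses the chain;
    # the -C check keeps re-running the script from adding a second jump.
    echo "iptables -C INPUT -p tcp -m multiport --dports 10250,10255,4194 -j $CHAIN 2>/dev/null || iptables -I INPUT 1 -p tcp -m multiport --dports 10250,10255,4194 -j $CHAIN"
}

# Number of generated rules for a port ($1) with a given target ($2: RETURN or DROP).
count_rules() {
    gen_kubelet_rules | grep -c -- "--dport $1 .*-j $2\$"
}

# Run from a host that should NOT have access: every port must report closed.
# Assumes nc (netcat) with -z/-w is installed on the probing host.
check_kubelet_ports() {
    target=$1
    for port in 10250 10255 4194; do
        if nc -z -w 3 "$target" "$port" 2>/dev/null; then
            echo "OPEN   $target:$port  (should be blocked from this host)"
        else
            echo "closed $target:$port"
        fi
    done
}

case "${1:-}" in
    --apply) gen_kubelet_rules | while IFS= read -r cmd; do eval "$cmd"; done ;;  # needs root
    --check) check_kubelet_ports "$2" ;;
    *)       gen_kubelet_rules ;;   # dry run: review the rules before applying
esac
```

Run without arguments to review the generated rules, with `--apply` (as root) on each kubelet host to install them, and with `--check <kubelet-host>` from a host outside the allowed plane to confirm all three ports are unreachable. Allowed sources use RETURN rather than ACCEPT so that the remainder of the host's INPUT policy is still evaluated for them; the per-port DROP rules are what actually close the ports to everyone else.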
