All the details on the referenced planes can be found at Resiliency Planes.
kubelet runs in host networking mode, which means port 10250 is exposed on the host network. Port 10250 on the kubelet is used by the kube-apiserver (running on hosts labeled as Orchestration Plane) for exec and logs; anyone who can reach it with valid credentials can run commands in any container on that host. It is very important to lock down access to this port: only the hosts labeled as Orchestration Plane should be able to reach the kubelet on port 10250.
Note: When using Rancher v1.6.15 and higher, the kubelet port is secured and can only be accessed with a certificate generated internally by Rancher. The network restriction above still applies; the certificate is a second layer, not a replacement for it.
There is also a read-only port on the kubelet, port 10255. It can be queried without authentication to gather container stats and is used by heapster. Because the data it returns (pod specs, container names, resource usage) can be sensitive, only hosts labeled as Compute Plane should be able to reach the kubelet on port 10255.
kubelet also exposes port 4194 for cAdvisor. Although Kubernetes is in the process of deprecating this functionality, it is important to lock down this port so that no information is exposed through this interface; no remote host needs to reach it.