EN
Русский
TCP
Dangerous
Other
Port 10250 (Kubelet)
Learn about port 10250 (Kubelet) - security risks, vulnerabilities, and common uses. Find devices with port 10250 open.
Quick Info
Port Number
10250
Protocol
TCP
Service
Kubelet
IANA Name
Kubelet
Service Description
Network port 10250 (TCP) is primarily associated with the Kubelet in Kubernetes. The Kubelet is the primary "node agent" that runs on each node in the cluster. Its role is to manage the containers running on that node. Port 10250 is used for the Kubelet's API server, which exposes various endpoints for querying node status, executing commands in containers, and retrieving logs. This API allows the Kubernetes control plane (specifically the API server) to communicate with and manage the Kubelet.
Technically, the Kubelet API server on port 10250 uses the HTTP protocol (often HTTPS with TLS enabled). The Kubernetes API server uses this port to send commands to the Kubelet, such as creating, starting, stopping, or deleting containers. The Kubelet then interacts with the container runtime (e.g., Docker, containerd, CRI-O) to execute these commands. This communication is bidirectional; the Kubelet also reports the status of the node and its containers back to the Kubernetes API server via this API. Authentication and authorization mechanisms, such as TLS certificates and authentication tokens, are crucial to secure this communication.
## Firewall Recommendations
The Kubelet API on port 10250 should be strictly firewalled to restrict access only from authorized sources, such as the Kubernetes API server and monitoring systems. Ideally, this port should not be exposed to the public internet. If external access is absolutely necessary, strong authentication and authorization mechanisms, such as TLS certificates and RBAC (Role-Based Access Control), must be implemented. Consider using network policies within the Kubernetes cluster to further restrict traffic to and from the Kubelet. Regularly audit and review firewall rules and authentication configurations to ensure they remain secure. Disable anonymous authentication and authorization modes. Use mutual TLS (mTLS) for enhanced security. Regularly update the Kubelet to the latest version to patch known vulnerabilities.
Technically, the Kubelet API server on port 10250 uses the HTTP protocol (often HTTPS with TLS enabled). The Kubernetes API server uses this port to send commands to the Kubelet, such as creating, starting, stopping, or deleting containers. The Kubelet then interacts with the container runtime (e.g., Docker, containerd, CRI-O) to execute these commands. This communication is bidirectional; the Kubelet also reports the status of the node and its containers back to the Kubernetes API server via this API. Authentication and authorization mechanisms, such as TLS certificates and authentication tokens, are crucial to secure this communication.
## Firewall Recommendations
The Kubelet API on port 10250 should be strictly firewalled to restrict access only from authorized sources, such as the Kubernetes API server and monitoring systems. Ideally, this port should not be exposed to the public internet. If external access is absolutely necessary, strong authentication and authorization mechanisms, such as TLS certificates and RBAC (Role-Based Access Control), must be implemented. Consider using network policies within the Kubernetes cluster to further restrict traffic to and from the Kubelet. Regularly audit and review firewall rules and authentication configurations to ensure they remain secure. Disable anonymous authentication and authorization modes. Use mutual TLS (mTLS) for enhanced security. Regularly update the Kubelet to the latest version to patch known vulnerabilities.
Security Information
Exposing the Kubelet API on port 10250 without proper authentication and authorization poses significant security risks. Attackers could potentially gain control over the node and its containers, allowing them to execute arbitrary code, access sensitive data, or disrupt the cluster's operation. Common attack vectors include exploiting misconfigured authentication settings, exploiting known vulnerabilities in the Kubelet itself, or using compromised credentials to access the API. The Kubelet API provides extensive control over the node, making it a high-value target for attackers seeking to compromise a Kubernetes cluster. Unauthenticated or weakly authenticated access can lead to container escape, privilege escalation, and ultimately, complete cluster compromise. Even if authenticated, insufficient authorization controls can allow users or services to perform actions they are not intended to, leading to similar outcomes.
Known Vulnerabilities
| CVE | Name | Severity | Description |
|---|---|---|---|
| CVE-2023-3676 | Kubernetes Kubelet Improper Input Validation Vulnerability | High | The Kubelet component of Kubernetes is vulnerable to improper input validation. An attacker could exploit this vulnerability to execute arbitrary code on the node. |
| CVE-2023-3955 | Kubernetes Kubelet Information Disclosure Vulnerability | Medium | The Kubelet component of Kubernetes is vulnerable to information disclosure. An attacker could exploit this vulnerability to gain access to sensitive information about the cluster. |
Common Software
- Kubernetes (Kubelet)
- kube-apiserver
- Prometheus (for metrics scraping)
- Node Exporter (when configured to scrape Kubelet metrics)
Find devices with this port
Discover all devices with port 10250 open in any country.
Search Port 10250Find all devices with port 10250 open
ScaniteX scans millions of IPs to find devices with specific ports open. Perfect for security research and network auditing.
Start Mass Scanning