
Port 10250 (TCP) – Kubernetes kubelet API

HTTPS API on each Kubernetes node's kubelet for pod lifecycle, logs, exec, and metrics.

Tags: TCP, Registered port, Commonly attacked

Default state

Open on every node running a kubelet. Hardened clusters require authentication; misconfigured ones allow anonymous access to exec and run commands.

Common attacks

  • Anonymous access to /exec and /run for container and node RCE
  • Listing pods and reading logs to harvest secrets and tokens
  • Pivoting from a compromised node to the API server on 6443
  • Lateral movement across workloads via service account tokens

Hardening

  • Disable kubelet anonymous auth (--anonymous-auth=false)
  • Enable Webhook authorization (--authorization-mode=Webhook)
  • Never expose 10250 to the internet; restrict to the control plane
  • Use NetworkPolicies and firewall node ports
  • Rotate credentials and keep Kubernetes patched

nmap snippet

nmap -p10250 --script ssl-cert,http-title <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 10250?

Port 10250 is the Kubernetes kubelet API, served over HTTPS on every node in the cluster. The control plane and the API server (6443) use it to manage pod lifecycle, stream logs, gather metrics, and exec commands inside running containers. It is one of the most powerful endpoints on a node.

Why it matters for security

The kubelet can run commands in any container on its node. A properly hardened kubelet requires authentication and authorization, but misconfigured ones allow anonymous access, turning 10250 into an unauthenticated remote code execution surface. From a single node, an attacker can read secrets and service account tokens and pivot to the entire cluster.

How it's attacked

Attackers find an anonymous 10250, list pods, and call /exec and /run to execute commands inside containers and on the node itself. They read logs to harvest secrets and service account tokens, then pivot to the API server on 6443 and move laterally across workloads and connected cloud accounts.

Hardening checklist

Disable anonymous auth (--anonymous-auth=false) and enable Webhook authorization (--authorization-mode=Webhook). Never expose 10250 to the internet — restrict it to the control plane with NetworkPolicies and host firewalls. Rotate credentials, apply least-privilege service accounts, and keep Kubernetes patched. Use the nmap snippet to check exposure on clusters you are authorized to test.
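The checklist above (and the Hardening list earlier on this page) names two kubelet settings and asks you to verify exposure. The script below is an added example, not from this page or from the Kubernetes project: it reads those two settings from a kubelet's command line and from its KubeletConfiguration file, and classifies the HTTP status an unauthenticated request to a node's /pods endpoint returns. The sample command lines, the sample config file, the hostnames and the file paths are constructed for illustration; the flag names, the KubeletConfiguration fields (authentication.anonymous.enabled, authorization.mode) and the curl options are real.

```shell
#!/bin/sh
# Added example (not from the original page): defender-side audit of the two
# kubelet settings in the hardening checklist. Sample inputs are constructed.

# Print the value of --<flag>=<value> from a kubelet command line (last one
# wins, as it does for the kubelet); print nothing if the flag is absent.
kubelet_flag() {
  printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^--$1=//p" | tail -n 1
}

# Audit the flags. Return 0 when both are pinned to safe values, 1 otherwise.
# Caveat: the *flag* defaults are anonymous-auth=true and
# authorization-mode=AlwaysAllow, so an absent flag is only safe when a
# --config file sets the equivalent fields (audit that file as well).
audit_kubelet_cmdline() {
  rc=0
  anon=$(kubelet_flag anonymous-auth "$1")
  authz=$(kubelet_flag authorization-mode "$1")
  [ "$anon" = "false" ] || { echo "FINDING: --anonymous-auth=${anon:-unset}, expected false"; rc=1; }
  [ "$authz" = "Webhook" ] || { echo "FINDING: --authorization-mode=${authz:-unset}, expected Webhook"; rc=1; }
  return $rc
}

# Audit a KubeletConfiguration file. The file defaults are already safe
# (anonymous.enabled=false, mode=Webhook), but this audit insists on explicit
# values so a later edit cannot silently rely on a default. Handles the
# common block layout only, not inline {key: value} maps.
audit_kubelet_config_file() {
  awk '
    /^[ \t]*anonymous:[ \t]*$/          { sect = "anon"; next }
    /^authorization:[ \t]*$/            { sect = "authz"; next }
    /^[ \t]*[A-Za-z0-9]+:[ \t]*$/       { sect = ""; next }   # any other mapping key ends the section
    sect == "anon"  && /^[ \t]*enabled:/ { anon  = $2; sect = "" }
    sect == "authz" && /^[ \t]*mode:/    { authz = $2; sect = "" }
    END {
      rc = 0
      if (anon != "false")    { print "FINDING: authentication.anonymous.enabled=" (anon == "" ? "unset" : anon) ", expected false"; rc = 1 }
      if (authz != "Webhook") { print "FINDING: authorization.mode=" (authz == "" ? "unset" : authz) ", expected Webhook"; rc = 1 }
      exit rc
    }' "$1"
}

# Classify the HTTP status of an unauthenticated GET to the kubelet /pods
# endpoint: 401/403 means the hardening holds, 200 means anonymous access.
classify_probe() {
  case "$1" in
    401|403) echo "ok: anonymous request rejected (HTTP $1)"; return 0 ;;
    200)     echo "FINDING: kubelet answered an anonymous request (HTTP 200)"; return 1 ;;
    000|"")  echo "ok: no HTTP response (port closed or filtered)"; return 0 ;;
    *)       echo "check manually: unexpected HTTP $1"; return 2 ;;
  esac
}

# Probe one node you are authorized to test. -k is used because kubelet
# serving certificates are normally signed by the cluster CA, not a public one.
probe_kubelet() {
  classify_probe "$(curl -sk -o /dev/null --max-time 5 -w '%{http_code}' "https://$1:10250/pods")"
}

# Constructed sample KubeletConfiguration with the checklist's settings.
write_sample_config() {
  printf '%s\n' \
    'apiVersion: kubelet.config.k8s.io/v1beta1' \
    'kind: KubeletConfiguration' \
    'authentication:' \
    '  anonymous:' \
    '    enabled: false' \
    '  webhook:' \
    '    enabled: true' \
    '  x509:' \
    '    clientCAFile: /etc/kubernetes/pki/ca.crt' \
    'authorization:' \
    '  mode: Webhook' > "$1"
}

# Constructed sample command lines: one weak, one hardened.
WEAK_CMDLINE='/usr/bin/kubelet --anonymous-auth=true --authorization-mode=AlwaysAllow --config=/var/lib/kubelet/config.yaml'
HARDENED_CMDLINE='/usr/bin/kubelet --anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt'

audit_kubelet_cmdline "$WEAK_CMDLINE" || echo "weak command line fails the audit (expected)"
audit_kubelet_cmdline "$HARDENED_CMDLINE" && echo "hardened command line passes"
SAMPLE_CFG=$(mktemp)
write_sample_config "$SAMPLE_CFG"
audit_kubelet_config_file "$SAMPLE_CFG" && echo "sample config passes"
rm -f "$SAMPLE_CFG"
# On a real node: audit_kubelet_cmdline "$(ps -o args= -C kubelet)" and
# audit_kubelet_config_file /var/lib/kubelet/config.yaml; from the control
# plane network: probe_kubelet node-1.example.internal
```

On a live node the command line comes from `ps -o args= -C kubelet` and the config path from its `--config` flag; run the probe only from inside the network boundary the checklist says should be the sole route to 10250, so that a 200 there is itself a finding about that boundary.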

Frequently asked questions

What is port 10250 used for?
It is the Kubernetes kubelet API, served over HTTPS on every node. The control plane uses it to manage pods, stream logs, and exec into containers. It is one of the most sensitive endpoints on a node.
Why is an exposed kubelet on 10250 dangerous?
If anonymous auth is enabled, anyone reaching 10250 can call /exec and /run to execute commands in containers and on the node, then pivot to the API server on 6443. Disable anonymous auth, enforce Webhook authorization, and keep 10250 private.