Port reference
Port 6443 (TCP) – Kubernetes API server
Default secure port for the Kubernetes API server (kube-apiserver), the control plane for the cluster.
Default state
kube-apiserver serves HTTPS on 6443. Hardened clusters require authentication and RBAC, but misconfigured ones allow anonymous access or grant broad roles, exposing full control of the cluster.
Common attacks
- Anonymous or over-permissive RBAC access leading to full cluster takeover
- Reading Secrets, ConfigMaps, and credentials across all namespaces
- Deploying malicious pods to run code on nodes and pivot internally
- Pivoting to the exposed kubelet API on 10250 for node-level execution
Hardening
- Disable anonymous auth and enforce least-privilege RBAC
- Bind the API server to a private network; never expose 6443 to the internet
- Require strong authentication (certificates/OIDC) and audit logging
- Restrict the kubelet API (10250) and use NetworkPolicies
- Keep Kubernetes patched and rotate credentials
nmap snippet
nmap -p6443 --script ssl-cert,http-title <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 6443?
Port 6443 is the default secure port for the Kubernetes API server (kube-apiserver), the heart of the control plane. Every component — kubectl, controllers, kubelets, and operators — authenticates to the API server over HTTPS on 6443 to read and change cluster state. It is the single most sensitive endpoint in a Kubernetes cluster.
Why it matters for security
Whoever controls the API server controls the cluster. Hardened deployments require authentication and RBAC, but misconfigured clusters allow anonymous access or grant overly broad roles, letting anyone who can reach 6443 read Secrets and credentials, deploy workloads, and execute on nodes. Combined with an exposed kubelet API on 10250, this leads to complete cluster and host takeover.
How it's attacked
Attackers scan for open 6443 and test for anonymous access or weak RBAC. With any foothold they dump Secrets and ConfigMaps across namespaces, harvest credentials, and deploy malicious pods to run code on nodes. From there they pivot to the kubelet API (10250) for node-level execution and move laterally through the cluster and connected cloud accounts.
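The activity described above leaves a trail in the API server's audit log when audit logging is enabled. The following script is an added example (not part of the original page and not a Kubernetes project tool): it reads audit.k8s.io/v1 events in the JSON-lines form kube-apiserver writes to its audit log and flags anonymous requests, cluster-wide list/watch of Secrets or ConfigMaps, and requests arriving from outside an assumed allow-list of private networks. The four events and the ALLOWED_NETS ranges are constructed for the example.

```python
"""Flag suspicious kube-apiserver audit events (added example, not from the page)."""
import ipaddress
import json

# Constructed sample: four audit.k8s.io/v1 events, trimmed to the fields the checks use.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"auditID": "c-1", "verb": "list", "requestURI": "/api/v1/secrets",
     "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "sourceIPs": ["203.0.113.5"], "objectRef": {"resource": "secrets"},
     "responseStatus": {"code": 403}},
    {"auditID": "c-2", "verb": "list", "requestURI": "/api/v1/namespaces/default/pods",
     "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "sourceIPs": ["203.0.113.5"],
     "objectRef": {"resource": "pods", "namespace": "default"},
     "responseStatus": {"code": 200}},
    {"auditID": "c-3", "verb": "list", "requestURI": "/api/v1/secrets",
     "user": {"username": "jane", "groups": ["system:authenticated"]},
     "sourceIPs": ["10.0.0.7"], "objectRef": {"resource": "secrets"},
     "responseStatus": {"code": 200}},
    {"auditID": "c-4", "verb": "get",
     "requestURI": "/api/v1/namespaces/prod/secrets/db-creds",
     "user": {"username": "ops", "groups": ["system:authenticated"]},
     "sourceIPs": ["10.0.0.9"],
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"},
     "responseStatus": {"code": 200}},
])

# Assumption: the cluster's control plane is only reachable from these ranges.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SENSITIVE = {"secrets", "configmaps"}


def succeeded(event):
    """True when the API server answered with a 2xx status."""
    code = (event.get("responseStatus") or {}).get("code", 0)
    return 200 <= code < 300


def classify(event):
    """Return the list of findings for one audit event (empty if nothing matched)."""
    findings = []
    user = event.get("user") or {}
    groups = set(user.get("groups") or [])
    obj = event.get("objectRef") or {}
    ok = succeeded(event)
    # Anonymous principal: any request is worth knowing about, success or not.
    if user.get("username") == "system:anonymous" or "system:unauthenticated" in groups:
        findings.append("anonymous request " + ("succeeded" if ok else "denied"))
    # A list/watch with no namespace in objectRef spans every namespace.
    if (obj.get("resource") in SENSITIVE and event.get("verb") in ("list", "watch")
            and "namespace" not in obj and ok):
        findings.append(f"cluster-wide {event['verb']} of {obj['resource']}")
    # Source address outside the networks the API server should be bound to.
    for ip in event.get("sourceIPs") or []:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in ALLOWED_NETS):
            findings.append(f"request from outside allowed networks: {ip}")
            break
    return findings


def scan(log_text):
    """Run classify() over every JSON line; return (auditID, findings) for hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        findings = classify(event)
        if findings:
            hits.append((event.get("auditID"), findings))
    return hits


if __name__ == "__main__":
    for audit_id, findings in scan(SAMPLE_AUDIT_LOG):
        print(audit_id, "; ".join(findings))
```

Events c-1 and c-2 are flagged for the anonymous principal and the external source address, c-3 for a cluster-wide Secret list, and c-4 (a namespaced get by an authenticated user from an internal address) produces no finding. Feeding the real audit log into scan() requires audit logging to be enabled with a policy that records at least Metadata level for these resources.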
Hardening checklist
Disable anonymous auth and enforce least-privilege RBAC, auditing role bindings. Bind the API server to a private network and keep 6443 off the public internet. Require strong authentication (client certificates or OIDC), enable audit logging, restrict the kubelet API (10250), and apply NetworkPolicies. Keep Kubernetes patched and rotate credentials. Use the nmap snippet above to check exposure on clusters you are authorized to test.
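The checklist above (and the Hardening list earlier on the page) can be turned into an automated audit. The script below is an added example, not the page's own tooling or a Kubernetes project utility: it checks a kube-apiserver command line for anonymous auth, a non-RBAC authorization mode, a missing certificate/OIDC authenticator, missing audit logging, and a wildcard bind address, and then reviews ClusterRoleBindings for grants to unauthenticated principals and for cluster-admin bound to broad groups or service accounts. Both inputs are constructed: WEAK_ARGS and HARDENED_ARGS mimic the `command:` list of a kube-apiserver static pod manifest, and BINDINGS_JSON mimics `kubectl get clusterrolebindings -o json`.

```python
"""Audit kube-apiserver flags and RBAC bindings (added example, not from the page)."""
import json

# Constructed: a weak control-plane configuration of the kind the page warns about.
WEAK_ARGS = [
    "kube-apiserver",
    "--secure-port=6443",
    "--bind-address=0.0.0.0",
    "--anonymous-auth=true",
    "--authorization-mode=AlwaysAllow",
]

# Constructed: the same flags after hardening.
HARDENED_ARGS = [
    "kube-apiserver",
    "--secure-port=6443",
    "--bind-address=10.0.0.10",
    "--anonymous-auth=false",
    "--authorization-mode=Node,RBAC",
    "--client-ca-file=/etc/kubernetes/pki/ca.crt",
    "--audit-log-path=/var/log/kubernetes/audit.log",
]

# Constructed: ClusterRoleBindings trimmed to the fields the checks use.
BINDINGS_JSON = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "system:public-info-viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": "system:unauthenticated"}]},
    {"metadata": {"name": "anon-read"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "system:anonymous"}]},
    {"metadata": {"name": "everyone-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "default"}]},
]})

ANON_SUBJECTS = {"system:anonymous", "system:unauthenticated"}
BROAD_GROUPS = {"system:authenticated", "system:serviceaccounts", "system:unauthenticated"}
# Default binding that intentionally lets unauthenticated callers read only
# the health and version endpoints; it is expected and not flagged.
EXPECTED_ANON_BINDINGS = {"system:public-info-viewer"}


def parse_flags(args):
    """Turn ['--k=v', '--flag'] into {'k': 'v', 'flag': ''}."""
    flags = {}
    for arg in args:
        if arg.startswith("--"):
            key, _, value = arg[2:].partition("=")
            flags[key] = value
    return flags


def check_apiserver_args(args):
    """Return findings for a kube-apiserver command line (empty when hardened)."""
    f = parse_flags(args)
    findings = []
    if f.get("anonymous-auth", "true") != "false":  # flag defaults to true
        findings.append("anonymous-auth is enabled (set --anonymous-auth=false)")
    modes = set(f.get("authorization-mode", "AlwaysAllow").split(","))
    if "AlwaysAllow" in modes or "RBAC" not in modes:
        findings.append("authorization-mode does not enforce RBAC (use Node,RBAC)")
    if "client-ca-file" not in f and "oidc-issuer-url" not in f:
        findings.append("no certificate or OIDC authenticator configured")
    if not f.get("audit-log-path"):
        findings.append("audit logging disabled (set --audit-log-path)")
    if f.get("bind-address", "0.0.0.0") in ("0.0.0.0", "::"):
        findings.append("listens on all interfaces; keep 6443 off public networks")
    return findings


def check_bindings(bindings_json):
    """Return (binding name, finding) pairs for risky ClusterRoleBindings."""
    findings = []
    for item in json.loads(bindings_json)["items"]:
        name = item["metadata"]["name"]
        role = item["roleRef"]["name"]
        for subj in item.get("subjects") or []:
            if subj["name"] in ANON_SUBJECTS and name not in EXPECTED_ANON_BINDINGS:
                findings.append((name, f"grants '{role}' to unauthenticated users"))
            elif role == "cluster-admin" and subj["kind"] == "Group" and subj["name"] in BROAD_GROUPS:
                findings.append((name, f"cluster-admin bound to broad group {subj['name']}"))
            elif role == "cluster-admin" and subj["kind"] == "ServiceAccount":
                findings.append((name, f"cluster-admin bound to service account "
                                       f"{subj['namespace']}/{subj['name']}"))
    return findings


if __name__ == "__main__":
    for label, args in (("weak", WEAK_ARGS), ("hardened", HARDENED_ARGS)):
        print(label, check_apiserver_args(args))
    for name, msg in check_bindings(BINDINGS_JSON):
        print(name, msg)
```

Against the constructed inputs, the weak command line yields five findings and the hardened one none; of the four bindings, only the default system:public-info-viewer passes, while anon-read, everyone-admin and ci-admin are reported. On a live cluster, the flag list comes from the static pod manifest on each control-plane node and the bindings from kubectl; RoleBindings in individual namespaces deserve the same review.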
Frequently asked questions
- Is it safe to expose the Kubernetes API server on port 6443?
- No. If anonymous auth is enabled or RBAC is too broad, anyone reaching 6443 can take over the cluster. Disable anonymous access, enforce least-privilege RBAC, and keep the API server on a private network.
- What happens if Kubernetes RBAC is misconfigured?
- Over-permissive roles let attackers read Secrets, deploy pods, and execute on nodes — effectively full cluster compromise. Apply least privilege, audit bindings, and restrict the kubelet API on 10250.