Kubelet API
What is Port 10250?
Port 10250 is the default port for the Kubelet API, the primary node agent in Kubernetes. The Kubelet runs on every node in a Kubernetes cluster and is responsible for managing pods, containers, and node resources. The API on port 10250 provides endpoints for pod lifecycle management, container log access, exec into containers, and node resource metrics. The Kubernetes API server communicates with Kubelets on this port to execute commands, fetch logs, and manage workloads. The Kubelet also serves a read-only HTTP port on 10255 (deprecated) and a healthz endpoint. Proper Kubelet security is critical because it provides direct access to containers and node resources.
Common Uses
- Kubernetes API server to Kubelet communication
- Container log retrieval and exec operations
- Pod management and lifecycle operations
- Node resource and metrics reporting
Technical Details
Copy-paste commands to check port 10250 (Kubelet API) from your terminal
Test connectivity
nc -zv example.com 10250
curl -vk --max-time 5 https://example.com:10250/
telnet example.com 10250
nmap -p 10250 -sV example.com
(echo > /dev/tcp/example.com/10250) 2>/dev/null && echo "open" || echo "closed"
Open port in firewall
sudo ufw allow 10250/tcp
sudo iptables -A INPUT -p tcp --dport 10250 -j ACCEPT
sudo firewall-cmd --permanent --add-port=10250/tcp && sudo firewall-cmd --reload
Security Considerations
The Kubelet API must require authentication and authorization. Set the --anonymous-auth=false flag and use webhook or certificate-based authentication. Restrict network access to port 10250 so that only the Kubernetes API server and monitoring systems can reach it. An unauthenticated Kubelet API allows attackers to exec into any container, read secrets, and potentially escape to the host. Regular security audits should verify Kubelet configuration.
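An added example (not from the original page) of the configuration audit this section calls for: it checks a kubelet's effective configuration, in the JSON shape served by the kubelet's /configz endpoint, for anonymous access, a configured authenticator, the authorization mode, and the deprecated read-only port. The two sample documents are constructed, and the function name audit_kubelet is an assumption of this example.

```python
import json

# Constructed samples in the JSON shape of the kubelet's /configz output.
WEAK = json.loads("""{"kubeletconfig": {
  "authentication": {"anonymous": {"enabled": true},
                     "webhook": {"enabled": false},
                     "x509": {"clientCAFile": ""}},
  "authorization": {"mode": "AlwaysAllow"},
  "readOnlyPort": 10255}}""")

HARDENED = json.loads("""{"kubeletconfig": {
  "authentication": {"anonymous": {"enabled": false},
                     "webhook": {"enabled": true},
                     "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"}},
  "authorization": {"mode": "Webhook"},
  "readOnlyPort": 0}}""")


def audit_kubelet(doc):
    """Return findings for the port 10250 hardening settings (hypothetical helper)."""
    cfg = doc.get("kubeletconfig", doc)  # also accept a bare KubeletConfiguration
    authn = cfg.get("authentication") or {}
    findings = []

    # --anonymous-auth=false maps to authentication.anonymous.enabled: false.
    # A missing value is reported too, because the audit cannot confirm it.
    if (authn.get("anonymous") or {}).get("enabled") is not False:
        findings.append("anonymous-auth: anonymous requests are not explicitly disabled")

    # At least one real authenticator: bearer-token webhook or x509 client CA.
    webhook = (authn.get("webhook") or {}).get("enabled") is True
    client_ca = bool((authn.get("x509") or {}).get("clientCAFile"))
    if not (webhook or client_ca):
        findings.append("authentication: neither webhook nor client certificate auth is configured")

    # AlwaysAllow authorizes every request that reaches the kubelet.
    mode = (cfg.get("authorization") or {}).get("mode")
    if mode != "Webhook":
        findings.append(f"authorization: mode is {mode!r}, expected 'Webhook'")

    # The deprecated read-only port (10255) is served over plain HTTP.
    if cfg.get("readOnlyPort") not in (0, None):
        findings.append(f"read-only-port: enabled on {cfg['readOnlyPort']}")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_kubelet(doc) or "no findings")
```

On a live cluster the same JSON can be fetched with kubectl get --raw "/api/v1/nodes/<node-name>/proxy/configz" and passed to audit_kubelet after json.loads.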