Kubelet Read-Only
What is Port 10255?
Port 10255 is the kubelet's read-only HTTP port in Kubernetes. Requests to it carry no authentication or authorization, and it exposes node and pod information such as the pods scheduled on the node (/pods), their specs, and resource-usage statistics. It was intended for monitoring and debugging, but the --read-only-port flag is deprecated in favor of the readOnlyPort field of the kubelet configuration file, and kubeadm and many managed distributions now set it to 0 (disabled). When it is enabled, anyone who can reach port 10255 can list every pod on the node together with its container images, commands, arguments, volume mounts and environment variables. Environment variables given a literal value in the pod spec appear in plain text, so credentials placed there leak directly; values taken from Secrets via valueFrom show only the Secret name and key, not the contents. This is valuable reconnaissance for an attacker who has reached the node network.
Common Uses
- Legacy Kubernetes monitoring
- Node and pod information retrieval
- Container resource metrics
- Debugging Kubernetes node issues
Technical Details
Copy-paste commands to check port 10255 (Kubelet Read-Only) from your terminal
Test connectivity
nc -zv example.com 10255
curl -v --max-time 5 http://example.com:10255/
telnet example.com 10255
nmap -p 10255 -sV example.com
(echo > /dev/tcp/example.com/10255) 2>/dev/null && echo "open" || echo "closed"
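The connectivity checks above only tell you whether something answers on 10255. The script below, an added example written for this page rather than kubelet or project code, goes one step further: it pulls the unauthenticated /pods document and reports the container inventory and any literal environment variables whose names look credential-bearing, which is exactly what an attacker would harvest first. The host name and port are arguments you supply; the embedded PodList is a constructed sample so the parsing runs offline, and the "secret-looking name" regex is an assumption you should tune for your environment.

```python
"""Enumerate what an exposed kubelet read-only port (10255) gives away.

Added example for this page, not kubelet code. It assumes the unauthenticated
/pods endpoint returns a v1 PodList and that the constructed sample below
is representative of that shape.
"""
import json
import re
import sys
import urllib.request

# Assumption: env var names matching this pattern are worth flagging.
SECRETISH = re.compile(r"(pass(word)?|secret|token|api[_-]?key|credential)", re.I)

# Constructed sample of a /pods response, trimmed to the fields used here.
SAMPLE_PODS = json.dumps({
    "kind": "PodList", "apiVersion": "v1", "metadata": {},
    "items": [
        {
            "metadata": {"name": "web-7d9f", "namespace": "shop"},
            "spec": {"containers": [{
                "name": "web",
                "image": "registry.example.internal/shop/web:1.4.2",
                "env": [
                    {"name": "DB_HOST", "value": "db.shop.svc"},
                    {"name": "DB_PASSWORD", "value": "hunter2"},
                    # Sourced from a Secret: only the reference is exposed.
                    {"name": "API_TOKEN", "valueFrom": {
                        "secretKeyRef": {"name": "web-creds", "key": "token"}}},
                ]}]},
        },
        {
            "metadata": {"name": "kube-proxy-x1", "namespace": "kube-system"},
            "spec": {"containers": [{
                "name": "kube-proxy",
                "image": "registry.k8s.io/kube-proxy:v1.29.0"}]},
        },
    ],
})


def fetch_pods(host, port=10255, timeout=5):
    """GET /pods from the read-only port. No credentials are sent: none are required."""
    url = f"http://{host}:{port}/pods"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()


def _containers(pod):
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])


def inventory(podlist_json):
    """Return (namespace, pod, container, image) for every container on the node."""
    doc = json.loads(podlist_json)
    rows = []
    for pod in doc.get("items", []):
        md = pod.get("metadata", {})
        for c in _containers(pod):
            rows.append((md.get("namespace"), md.get("name"), c.get("name"), c.get("image")))
    return rows


def leaked_env(podlist_json):
    """Literal env values with secret-looking names.

    Only entries with a plain `value` are exposed in clear text; entries using
    `valueFrom.secretKeyRef` reveal the Secret name and key but not its content,
    so they are not reported as leaks.
    """
    doc = json.loads(podlist_json)
    hits = []
    for pod in doc.get("items", []):
        md = pod.get("metadata", {})
        for c in _containers(pod):
            for e in c.get("env", []):
                if "value" in e and SECRETISH.search(e["name"]):
                    hits.append((md.get("namespace"), md.get("name"),
                                 c.get("name"), e["name"], e["value"]))
    return hits


if __name__ == "__main__":
    # Usage: python3 ro_port_enum.py <node-host> [port]; no args runs the sample.
    if len(sys.argv) > 1:
        data = fetch_pods(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 10255)
    else:
        data = SAMPLE_PODS
    for ns, pod, cname, image in inventory(data):
        print(f"container: {ns}/{pod} {cname} image={image}")
    for ns, pod, cname, name, val in leaked_env(data):
        print(f"LEAK: {ns}/{pod} {cname} {name}={val!r}")
```

Running it against a node where 10255 answers gives a full container inventory and a short list of credentials to rotate; a connection refused or timeout is the result you want in production.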
Open port in firewall (not recommended: the rules below accept connections from any source; if the port must be reachable at all, restrict the rule to the source addresses of your monitoring hosts)
sudo ufw allow 10255/tcp
sudo iptables -A INPUT -p tcp --dport 10255 -j ACCEPT
sudo firewall-cmd --permanent --add-port=10255/tcp && sudo firewall-cmd --reload
Security Considerations
Disable the read-only port in production: set readOnlyPort: 0 in the KubeletConfiguration (the equivalent --read-only-port=0 flag is deprecated) and confirm with a connection test that nothing answers on 10255. Use the authenticated kubelet API on port 10250 instead, with anonymous authentication disabled (authentication.anonymous.enabled: false) and authorization.mode: Webhook so that requests are checked against the API server's RBAC. If monitoring requires node or pod metrics, use metrics-server, which scrapes the kubelet over 10250, or Prometheus Node Exporter for host-level metrics. The read-only port leaks pod specifications, including literal environment variable values, to anyone on the node network.