Scenario #228
Security
K8s v1.21, AWS EKS

Exposed Kubelet API Without Authentication

The Kubelet API was exposed without proper authentication or authorization, allowing external users to query cluster node details.

What Happened

The Kubelet API (the kubelet's HTTPS endpoint on each node, port 10250) was inadvertently exposed to the internet without authentication, making it possible for unauthorized users to read sensitive node information such as pod logs and node status. The same endpoint family also serves exec and port-forward into running pods, so an exposed kubelet is not a read-only problem.

Diagnosis Steps
  1. Checked the kubelet configuration and confirmed that anonymous requests were accepted and that no authentication mechanism (client certificates or webhook token review) was in place.
  2. Verified that the node's kubelet port was reachable through a public-facing load balancer, with no source-IP restriction in the load balancer or the node security group.
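The two diagnosis steps above as a script you can run against your own nodes. This is an added example, not tooling from the original scenario: `NODE_HOST` and the two sample kubelet command lines are constructed, and the audit assumes the kubelet settings are passed as command-line flags (if they live in the kubelet config file instead, audit that file; flags take precedence over the file when both are set).

```shell
#!/usr/bin/env bash
# Added example: (1) probe whether a node's kubelet API answers unauthenticated
# requests, (2) audit the kubelet's flags for the settings that cause it.
# NODE_HOST and the sample command lines are constructed for illustration.

# Map the HTTP status of an unauthenticated GET /pods to a verdict.
classify_kubelet_response() {
  case "$1" in
    200)     echo "EXPOSED: anonymous request returned the pod list" ;;
    401|403) echo "OK: anonymous request rejected" ;;
    000)     echo "UNREACHABLE: connection refused or filtered" ;;
    *)       echo "UNKNOWN: HTTP $1" ;;
  esac
}

# Probe one node from outside the VPC. $1 = node public IP or DNS name.
# curl prints 000 when it cannot connect; the fallback covers other failures.
probe_kubelet() {
  local host="$1" code
  # 10250 is the kubelet's HTTPS API; with authentication on, this must be 401.
  code=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 5 \
         "https://${host}:10250/pods") || code=000
  echo "10250: $(classify_kubelet_response "$code")"
  # 10255 is the legacy unauthenticated read-only port; it should be closed.
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 \
         "http://${host}:10255/pods") || code=000
  echo "10255: $(classify_kubelet_response "$code")"
}

# Audit a kubelet command line (output of `ps -o args= -C kubelet` on the node).
# Prints one line per missing hardening flag; returns the number of findings.
audit_kubelet_args() {
  local args="$1" findings=0
  case "$args" in
    *--anonymous-auth=false*) ;;
    *) echo "anonymous auth enabled: set --anonymous-auth=false"
       findings=$((findings + 1)) ;;
  esac
  case "$args" in
    *--authorization-mode=Webhook*) ;;
    *) echo "authorization not delegated to the API server: set --authorization-mode=Webhook"
       findings=$((findings + 1)) ;;
  esac
  case "$args" in
    *--client-ca-file=*) ;;
    *) echo "no --client-ca-file: client certificates cannot be verified"
       findings=$((findings + 1)) ;;
  esac
  case "$args" in
    *--read-only-port=0*) ;;
    *) echo "read-only port open: set --read-only-port=0"
       findings=$((findings + 1)) ;;
  esac
  return "$findings"
}

# Constructed samples: flags as found during the incident, and the hardened set.
INSECURE_ARGS="/usr/bin/kubelet --anonymous-auth=true --authorization-mode=AlwaysAllow --read-only-port=10255"
HARDENED_ARGS="/usr/bin/kubelet --anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt --read-only-port=0"

for sample in "$INSECURE_ARGS" "$HARDENED_ARGS"; do
  echo "== $sample"
  if audit_kubelet_args "$sample"; then echo "no findings"; fi
done

# Live check against a real node (needs network): probe_kubelet "$NODE_HOST"
```

A 401 on 10250 only proves the kubelet asks for credentials; whether it then authorizes them correctly is what the flag audit covers. An "UNREACHABLE" result from outside the VPC is the goal state for both ports.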
Root Cause

Lack of authentication and network restrictions for the Kubelet API exposed it to unauthorized access.

Fix/Workaround
• Restricted Kubelet API access to internal networks by removing the open ingress rule on the kubelet port and allowing only the cluster security group.
• Enabled authentication and authorization for the Kubelet API: anonymous access off, client certificates verified against the cluster CA, and authorization delegated to the API server.
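The two fixes as an added example script (not the scenario's own remediation). The security group IDs, the CA path and the kubelet config path are placeholders; the `KubeletConfiguration` fields used are the standard ones for disabling anonymous access, enabling x509 and webhook authentication, webhook authorization and closing the read-only port.

```shell
#!/usr/bin/env bash
# Added example of the two fixes: close the kubelet port at the network layer
# and turn on kubelet authentication/authorization. Security group IDs and
# file paths are placeholders, not values from the incident.

# 1. Network: drop the world-open rule on 10250 and allow only the cluster
#    security group (where the control-plane ENIs and other nodes sit).
#    revoke matches the rule exactly, so adjust --cidr if the open rule used
#    a different range.
restrict_kubelet_ingress() {
  local node_sg="$1" cluster_sg="$2"
  aws ec2 revoke-security-group-ingress --group-id "$node_sg" \
      --protocol tcp --port 10250 --cidr 0.0.0.0/0
  aws ec2 authorize-security-group-ingress --group-id "$node_sg" \
      --protocol tcp --port 10250 --source-group "$cluster_sg"
}

# 2. Kubelet: write a KubeletConfiguration that disables anonymous access,
#    verifies client certificates against the cluster CA, checks bearer tokens
#    through TokenReview, delegates authorization to the API server through
#    SubjectAccessReview, and closes the read-only port.
write_kubelet_config() {
  local out="$1" ca_file="$2"
  cat > "$out" <<EOF
{
  "kind": "KubeletConfiguration",
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "authentication": {
    "anonymous": { "enabled": false },
    "x509": { "clientCAFile": "${ca_file}" },
    "webhook": { "enabled": true, "cacheTTL": "2m0s" }
  },
  "authorization": {
    "mode": "Webhook",
    "webhook": { "cacheAuthorizedTTL": "5m0s", "cacheUnauthorizedTTL": "30s" }
  },
  "readOnlyPort": 0
}
EOF
}

# Confirm the written file carries every hardening setting (0 = all present).
verify_kubelet_config() {
  local f="$1"
  grep -q '"anonymous": { "enabled": false }' "$f" &&
  grep -q '"mode": "Webhook"' "$f" &&
  grep -q '"readOnlyPort": 0' "$f" &&
  grep -q '"clientCAFile": "/' "$f"
}

# On the node (placeholder paths; restart the kubelet so the file is re-read):
#   write_kubelet_config /etc/kubernetes/kubelet/kubelet-config.json /etc/kubernetes/pki/ca.crt
#   verify_kubelet_config /etc/kubernetes/kubelet/kubelet-config.json && systemctl restart kubelet
# From an admin workstation, NODE_SG and CLUSTER_SG being the real group IDs:
#   restrict_kubelet_ingress "$NODE_SG" "$CLUSTER_SG"
```

The `clientCAFile` must be the CA that issued the API server's kubelet client certificate, otherwise `kubectl logs` and `kubectl exec` break once anonymous access is off; on EKS that is the cluster CA, and EKS-optimized AMIs already generate a kubelet config with these settings, so finding them disabled usually points at a custom bootstrap or user-data override.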
Lessons Learned

Always secure the Kubelet API with authentication and restrict access to trusted IPs or internal networks.

How to Avoid
  1. Use security group or firewall rules to block access to the kubelet port from the public internet; Kubernetes NetworkPolicy objects govern pod-to-pod traffic and do not cover the node's kubelet port.
  2. Enforce authentication on the Kubelet API using client certificates or webhook token review, with anonymous access disabled and authorization delegated to the API server.