What Is kubelet Security? Security Definition
Also known as: kubelet security, Kubernetes node hardening, CKS exam kubelet, kubelet authentication, kubelet authorization
On This Page
Quick Definition
The kubelet is like a manager on each worker machine in a Kubernetes cluster. It makes sure containers are running correctly and reports back to the control plane. Securing the kubelet means locking down that manager so nobody else can tamper with it, change what runs on the node, or spy on your containers.
Must Know for Exams
In the CNCF CKS (Certified Kubernetes Security Specialist) exam, kubelet security appears as a core domain objective under Cluster Setup and Hardening. The CKS exam blueprint explicitly lists tasks such as configuring the kubelet to use TLS authentication, enabling the Node authorizer and NodeRestriction admission plugin, and disabling the kubelet's read-only port. Multiple-choice questions often present scenarios where a cluster has compromised nodes, and you must identify which misconfiguration allowed the attack. Performance-based tasks (the hands-on part of the exam) may ask you to inspect a node’s kubelet configuration file, find security weaknesses, and fix them by editing the kubelet config and restarting the service.
The CKS exam also tests your understanding of kubelet authorization modes. A typical question might show a SubjectAccessReview log and ask you to explain why a request was denied or allowed. You must know the difference between AlwaysAllow, AlwaysDeny, and Webhook modes, and when to use each. Another common question type involves kubelet anonymous authentication. The exam expects you to know that setting --anonymous-auth=false prevents unauthenticated requests from reaching the kubelet API. Questions about kubelet certificate rotation and the --rotate-certificates flag also appear frequently.
The CKS is not the only exam that covers this topic. The CKA (Certified Kubernetes Administrator) exam includes general kubelet operations like checking node status, but security is not a major focus. However, for the CKS, you must be comfortable with the exact configuration files, command flags, and how to test your changes using tools like curl to the kubelet API and kubectl auth can-i. The exam environment simulates real clusters, and you will be evaluated on your ability to secure a kubelet without breaking existing workloads. Therefore, knowing the step-by-step process for hardening a kubelet is crucial for passing the CKS on the first attempt.
Simple Meaning
Imagine a large apartment building with many individual apartments (containers). Each floor has a building manager (the kubelet). This manager's job is to make sure every apartment on that floor is clean, secure, and has working utilities.
The manager also reports to the central building office (the Kubernetes control plane) about the status of each apartment. Now, what if someone breaks into the manager's office on the third floor? That intruder could turn off water to certain apartments, change the locks, or even let strangers into empty units.
That is exactly what happens when a kubelet is not secured. An attacker who gains control of a kubelet can run malicious containers, steal data from running applications, or even disable the node entirely. The kubelet has a special API (a communication channel) that the control plane uses to give it orders.
If that API is left open to the network without authentication or encryption, anyone with network access could send commands to the kubelet. Think of it like a walkie-talkie channel that every security guard in the building uses. If that channel is not encrypted, anyone with a similar radio can listen in and give fake orders.
Securing the kubelet involves three main things: first, making sure only the control plane can talk to it by using TLS certificates (like showing a special ID badge). Second, limiting what the kubelet is allowed to do on the node through authorization policies (like giving the manager a list of tasks he is permitted to do). Third, turning off or restricting the kubelet's read-write API endpoints that are not strictly needed.
In the Certified Kubernetes Security Specialist (CKS) exam, you must know how to configure these protections. This includes enabling kubelet authentication and authorization, using the NodeRestriction admission plugin, and setting up the kubelet to read from a read-only port for metrics while keeping the secure port for administrative commands. Without these steps, a compromised kubelet can be the beachhead for a full cluster takeover.
Full Technical Definition
The kubelet is the primary node agent that runs on every node in a Kubernetes cluster. It registers the node with the API server, watches for Pod specs assigned to its node, and ensures the containers described in those Pod specs are running and healthy. To perform these tasks, the kubelet exposes an API on two ports: a read-only port (usually 10255) that serves non-sensitive data like metrics and health status, and a secure port (usually 10250) that requires authentication and authorization for all operations. Kubelet security focuses on hardening this API surface.
Kubelet authentication is typically handled by TLS client certificates. When the kubelet connects to the API server, it presents a certificate signed by the cluster's certificate authority (CA). Conversely, when the API server or a user (via kubectl) connects to the kubelet, the kubelet can request a client certificate. By default, the kubelet uses TLS bootstraping to automatically generate and sign certificates. However, for production security, operators often pre-provision certificates or use a dedicated CA for node certificates. The Kubernetes API server authenticates to the kubelet using the --kubelet-client-certificate and --kubelet-client-key flags.
Kubelet authorization is governed by the --authorization-mode flag. The recommended mode is Webhook, which delegates authorization decisions to the API server. When the API server receives a request, it makes a SubjectAccessReview (SAR) to determine if the requester (e.g., a user, a service account) has permission to perform the action on the kubelet's resources. Common kubelet authorization modes include AlwaysAllow (insecure, used only for testing), AlwaysDeny (too restrictive), and Webhook (the production standard). The Node authorizer and NodeRestriction admission plugin work together with the kubelet to ensure that a kubelet can only modify its own node and the Pods running on it.
Additional security measures include disabling the read-only port entirely by setting --read-only-port=0, enabling anonymous authentication (which should generally be disabled by setting --anonymous-auth=false), and configuring the kubelet to use a secure kubeconfig file with explicit credentials. The --authentication-token-webhook flag allows the kubelet to validate bearer tokens from the API server. In CKS-focused environments, you must also know how to use the --protect-kernel-defaults flag to enforce sysctl security settings, and how to configure the kubelet to use a read-only filesystem for its static pod manifests. All of these configurations are set in the kubelet configuration file (usually /var/lib/kubelet/config.yaml) or via command-line flags. Security audits and CIS benchmarks for Kubernetes specifically check that the kubelet is configured with authentication, authorization, and that the read-only port is closed.
Real-Life Example
Think of a large government office building with many departments. Each department (container) has its own secure area. The building maintenance manager (kubelet) is responsible for each floor. The manager has a master key that opens every door on his floor, can control HVAC (heating, ventilation, air conditioning) for each room, and can speak directly to the building's main security office (the control plane) via a special radio. Now, this manager's radio has two channels. One channel is for listening to routine announcements like weather updates or time checks. This channel is not encrypted. Anyone with a simple radio scanner can hear these announcements. The other channel is for sending commands and receiving sensitive reports. This channel requires the manager to present a special badge (TLS certificate) before speaking, and every command is logged.
If the building management does not secure the manager, a bad actor could walk into the manager's office and use the unencrypted channel to listen to reports about which departments are locked or empty. Worse, that actor could pretend to be the main security office and give the manager fake orders, like opening the door to a classified department. To prevent this, the building enforces these rules. First, the manager's radio is programmed to only accept commands that come with a valid digital signature from the main security office (authentication). Second, the manager is given a strict list of actions he is allowed to take. For example, he can only change air conditioning settings for his own floor, not for other floors (authorization). Third, the unencrypted listening channel is turned off entirely so nobody can eavesdrop. The main security office also keeps a log of every command the manager executes. If the manager tries to act on an order that did not come from the main office, the system rejects it. This real-life example maps directly to kubelet security. The kubelet’s read-only port (10255) is the unencrypted channel that should be disabled. The secure port (10250) is the encrypted command channel that requires TLS certificates. The authorization webhook is the list of allowed actions. And the monitored logs are the audit logs every cluster administrator should review.
Why This Term Matters
In real IT work, especially in production Kubernetes clusters, the kubelet is one of the most exposed components. Unlike the API server which is usually behind multiple layers of authentication and network policies, the kubelet often runs on worker nodes that may be in less controlled network segments, such as public cloud subnets or edge locations. If the kubelet is compromised, an attacker can effectively take over that node. They can deploy new containers with elevated privileges, mount host paths to read sensitive files, or use the node's network to launch further attacks against internal services. For security engineers and platform teams, kubelet security is a high priority because it prevents lateral movement. If a developer's container is compromised, the attacker might try to reach the kubelet API. If the kubelet is not secured, the attacker can use the kubelet to run a privileged Pod that breaks out of container isolation, gaining root access on the host node. That one compromised node can then be used to attack other nodes or access the cluster's internal databases.
From a compliance perspective, regulations like PCI-DSS, HIPAA, and SOC 2 require that all components in a data processing environment are hardened. The kubelet is explicitly listed in the CIS Benchmark for Kubernetes, which provides dozens of checks related to its authentication, authorization, and encryption settings. A failure to secure the kubelet can lead to audit findings and, in worst cases, data breaches. For cluster administrators, daily tasks like monitoring node health, draining nodes, and upgrading kubelet versions all depend on a trust relationship between the control plane and the kubelet. If that trust is broken due to misconfiguration, routine operations fail, causing downtime.
Moreover, cloud managed services like EKS, AKS, and GKE handle some kubelet security automatically, but not all. For instance, while cloud providers enforce TLS on the kubelet port, they often leave the authorization mode as AlwaysAllow in some configurations, unless the customer configures a custom kubelet config. This means security-conscious teams must still verify and harden kubelet settings in managed clusters. In short, ignoring kubelet security is like leaving the back door of a bank vault unlocked, because the vault door (the API server) is well guarded.
How It Appears in Exam Questions
Kubelet security appears in multiple question formats across the CKS exam. First, scenario-based multiple-choice questions describe a cluster that was breached, and you must identify the misconfigured kubelet setting. For example, a question might state that an attacker was able to query all Pods running on a worker node using only a network scan tool. The correct answer would point out that the kubelet was running with --read-only-port enabled, allowing unauthenticated access to Pod information. Another common scenario involves a malicious Pod that accessed the kubelet API and deployed additional containers. The question asks which configuration would have prevented this. The answer involves setting authorization-mode to Webhook and enabling NodeRestriction.
Second, troubleshooting questions present a kubelet that is failing to start or failing to register with the API server. You are given logs or configuration snippets. You must identify that the TLS certificate file path is incorrect, or that the kubelet is using an expired CA certificate. Some questions include a misconfigured kubelet config where authentication-token-webhook is set to false, causing the kubelet to reject valid API server requests. These questions test your ability to read configuration files and understand the impact of each flag.
Third, performance-based exam tasks require you to directly edit configuration files. You may be asked to SSH into a worker node, inspect the kubelet config at /var/lib/kubelet/config.yaml, and make changes. For instance, you might be told to disable anonymous authentication, turn off the read-only port, and enable the webhook authorization mode. You then need to restart the kubelet and verify that unauthenticated curl requests to the secure port are rejected. Another task may ask you to configure the kubelet to use a specific kubeconfig file with TLS client credentials.
Fourth, architecture questions may ask you to describe the flow of a kubectl exec command. You must explain that the API server authenticates the user, then forwards the request to the kubelet on the secure port, and the kubelet authorizes the request using its configured mode. Understanding this flow is essential to answer questions about why exec or logs commands fail. Finally, some questions test your knowledge of the Node authorizer and NodeRestriction plugin, asking what a kubelet is allowed to do under those restrictions. These questions often appear in a true/false or matching format within the exam's multiple-choice section.
Study cncf-cks
Test your understanding with exam-style practice questions.
Example Scenario
A company runs a microservices application on a Kubernetes cluster with 20 worker nodes. The security team notices that a developer accidentally included a debugging container in a production namespace. That container has a network tool that can reach any IP in the cluster.
The developer quickly deletes the container, but the security team wants to verify if the container could have accessed the kubelet API. They scan node 5 and find that the kubelet port 10250 is open and responds to unauthenticated requests. They use a simple curl command to the kubelet and retrieve a list of all Pods running on that node, including Pods in the kube-system namespace.
This is a serious breach of isolation. The security team immediately updates the kubelet configuration on all nodes. They set --anonymous-auth=false, --read-only-port=0, and --authorization-mode=Webhook.
After restarting the kubelets, they confirm that unauthenticated curl requests are now rejected with a 401 Unauthorized error. The node is now protected even if a container is compromised again.
Common Mistakes
Thinking that disabling the read-only port is optional and that leaving it open only exposes non-sensitive data.
The read-only port exposes pod and node metadata, which can be used by attackers to map the cluster and identify high-value targets like etcd or ingress controllers. This data is sensitive for security posture.
Always set --read-only-port=0 in the kubelet configuration for all production nodes. Verify by running netstat -tulpn | grep kubelet and ensuring only port 10250 is listening.
Assuming that using a cloud-managed Kubernetes service (EKS, AKS, GKE) automatically secures the kubelet completely.
Cloud providers secure the kubelet TLS and some defaults, but authorization mode may remain AlwaysAllow unless the user explicitly configures a custom kubelet config with the Webhook mode.
Inspect the kubelet configuration on managed nodes using the cloud provider's node SSH or system tools. Set authorization-mode to Webhook and verify using kubectl auth can-i.
Believing that kubelet authorization is unnecessary because the API server already authenticates users.
Authorization is separate from authentication. Even authenticated users or components must be explicitly authorized to access kubelet resources. Without proper authorization, any authenticated service account or user could exec into any pod.
Enable the Webhook authorization mode on the kubelet. This makes the kubelet consult the API server for each authorization decision, ensuring the same RBAC rules apply.
Configuring the kubelet with a static token or password in the kubeconfig file without TLS certificate verification.
Static tokens can be leaked through logs, config maps, or version control. TLS client certificates are the secure standard because they can be rotated and are tied to the node's identity.
Use TLS bootstrap or pre-provisioned client certificates for kubelet authentication. Regularly rotate certificates using the --rotate-certificates flag.
Ignoring the NodeRestriction admission plugin and thinking the kubelet can label its own node freely.
Without NodeRestriction, a compromised kubelet can add labels that affect scheduling, potentially moving sensitive workloads onto its node, or even evict pods from other nodes.
Enable the NodeRestriction admission plugin by adding it to the --enable-admission-plugins flag on the API server. Test by attempting to modify node labels from a pod.
Exam Trap — Don't Get Fooled
An exam scenario shows a kubelet configuration with --anonymous-auth=false but --authorization-mode=AlwaysAllow. The question asks if this configuration is secure enough for production. Remember that authentication and authorization are separate layers.
Disabling anonymous auth only prevents unauthenticated access. Authorization mode must be set to Webhook (or at minimum ABAC) to enforce fine-grained permissions. For the exam, always pair anonymous-auth=false with authorization-mode=Webhook.
Commonly Confused With
The kube-apiserver is the central control plane component that handles all REST commands. Its security focuses on user authentication via OIDC, RBAC, and admission controllers. Kubelet security is about the agent on each worker node. While the API server can be hardened with network policies, the kubelet must be hardened by restricting its own API endpoints.
If the API server is your castle gate where everyone enters, the kubelet is a secret passage behind the castle that only the king's messenger should use. Securing the gate (API server) does not automatically lock the secret passage (kubelet).
The controller manager runs control loops and has its own set of flags for TLS and authorization. It does not expose a direct API to nodes. Kubelet security is fundamentally different because the kubelet has an API that pods on the same node can try to access.
The controller manager is like a head office that sends managers to check on departments. The kubelet is the local manager on each floor. You would not apply the same security rules to the head office phone line as to the local manager's radio.
CNI (Container Network Interface) plugins handle networking inside the cluster. They are separate from the kubelet and are responsible for IP management and network policies. Kubelet security is about the node agent itself, not the network layer.
e kubelet is like the building manager, while the CNI is like the building's wiring and internet cables. Even if the wiring is secure (CNI), you still need to lock the manager's office (kubelet).
etcd stores all cluster state and is encrypted at rest and in transit. Kubelet security deals with runtime operations on nodes. A breach of etcd is catastrophic, but a kubelet breach can lead to host compromise and then etcd access through compromised service accounts.
etcd is the bank's main vault where all money records are stored. The kubelet is the individual bank teller's drawer. You need both locked, but a teller's drawer being open can let a thief access the vault key.
Step-by-Step Breakdown
Disable anonymous authentication
Set --anonymous-auth=false in the kubelet configuration or kubelet command-line flags. This ensures that any request to the kubelet API without a valid client certificate is immediately rejected with a 401 error. This is the first line of defense.
Close the read-only port
Set --read-only-port=0. This prevents anyone from accessing the unauthenticated endpoint that exposes pod and node metadata. The kubelet will no longer listen on port 10255. Verify by checking listening ports on the node.
Enable webhook authorization mode
Set --authorization-mode=Webhook. This makes the kubelet send every authorization request to the API server via SubjectAccessReview. This ensures that only users and service accounts with explicit RBAC permissions can access kubelet operations like pod exec, logs, or attach.
Configure TLS client certificates for the API server to kubelet communication
On the API server, set --kubelet-client-certificate and --kubelet-client-key to a certificate/key pair signed by the cluster CA. The kubelet itself must have a serving certificate. This encrypts and authenticates all communication between the control plane and the kubelet.
Enable the Node authorizer and NodeRestriction admission plugin
Add Node and NodeRestriction to the API server's --authorization-mode and --enable-admission-plugins flags. The Node authorizer gives the kubelet limited permissions to read its own node and modify only its own pods. NodeRestriction prevents the kubelet from adding arbitrary labels to its node.
Configure the kubelet to use a dedicated kubeconfig with rotating certificates
Provide the kubelet with a kubeconfig file that uses a bootstrap token or a client certificate. Enable the --rotate-certificates flag so the kubelet automatically requests new certificates before expiry. This reduces manual certificate management and ensures continuous secure communication.
Verify and monitor kubelet security settings
After configuration, test with curl to the secure port (e.g., curl -k https://node-ip:10250/pods) without authentication to confirm rejection. Use kubectl auth can-i to verify that a specific user (like system:admin) can exec into pods. Enable audit logging on the kubelet to track all API requests.
Practical Mini-Lesson
Securing the kubelet in a real Kubernetes environment requires both configuration changes and ongoing monitoring. Start by understanding the kubelet configuration file, which by default is located at /var/lib/kubelet/config.yaml on most Linux distributions. Within that file, you set fields like authentication.anonymous.enabled to false, authentication.webhook.enabled to true, authorization.mode to Webhook, and readOnlyPort to 0. These four changes alone eliminate the most common attack vectors.
Next, you must ensure that the API server is also configured correctly. The API server's --kubelet-client-certificate and --kubelet-client-key must be set to a valid certificate pair. Without these, the API server will use a default, unauthenticated connection to the kubelet. This is a common misconfiguration in self-managed clusters. On the API server side, you must also enable the Node and NodeRestriction authorizers. If you are running a managed Kubernetes service, you may need to use a custom kubelet configuration via the cloud provider's node configuration tools. For example, in EKS, you create a custom AMI or use a node group with a custom kubelet extra args field.
What can go wrong? The most frequent issues include restarting the kubelet with invalid flags, causing the node to become NotReady, or accidentally locking yourself out. To avoid this, always make one change at a time and test. Use a test node in a non-production pool first. Also, be aware that the kubelet uses certificates that must match the node's hostname or IP. If you change the node's hostname or IP, the kubelet's TLS handshake may fail. Plan for certificate rotation as part of your routine cluster upgrades.
In practice, security professionals pair kubelet hardening with network policies that restrict pod-to-pod traffic, but the kubelet itself must be hardened regardless of network segmentation because a pod can still reach the kubelet via localhost if it runs on the same node. The kubelet should never rely solely on network controls for security. This lesson connects to the broader concept of defense in depth. Even if the API server is perfectly hardened, a single misconfigured kubelet can be the weak link that allows an attacker to pivot into the cluster. Therefore, treat kubelet security as a non-negotiable part of any Kubernetes security baseline.
Memory Tip
Remember the three locks of kubelet security: Anonymous off, read-only port zero, webhook for authority. Lock every door the kubelet opens.
Covered in These Exams
Related Glossary Terms
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
An A record is a DNS record that maps a domain name to the IPv4 address of the server hosting that domain.
Frequently Asked Questions
What is the default kubelet authentication mode?
The default authentication mode for the kubelet allows anonymous access and does not enforce TLS client certificates. This is why manual hardening is essential for production clusters.
How do I test if my kubelet is secure?
Run curl -k https://<node-ip>:10250/pods without any certificate. If you get a 401 Unauthorized, anonymous authentication is disabled. Then, run the same command with a valid client certificate and check if authorization is enforced.
Can kubelet security be bypassed using a privileged container?
A privileged container can escape to the host and then directly interact with the kubelet's underlying socket or processes, bypassing the kubelet API. That is why you must also use Pod Security Standards to prevent privileged containers.
Does disabling the read-only port affect monitoring tools?
Most monitoring tools (Prometheus, Datadog) can scrape metrics from the kubelet's secure port (10250) using service account tokens and TLS. Disabling the read-only port only affects unauthenticated access; authenticated access to metrics still works.
What is the difference between kubelet authentication and authorization?
Authentication confirms who is making the request (e.g., via TLS certificate). Authorization determines if that entity is allowed to perform the requested action (e.g., only the API server can list pods). Both must be enforced for security.
Should I configure kubelet security on every node individually?
Ideally, you configure kubelet security via a shared configuration file or a ConfigMap that is used by all nodes. In self-managed clusters, use a kubelet config file in /var/lib/kubelet/config.yaml. In cloud environments, use node group configurations.
How does kubelet rotation of certificates work?
The kubelet can automatically request new certificates from the Kubernetes API server's certificate signing API using the --rotate-certificates flag. This ensures certificates are renewed before expiry without manual intervention.
Summary
Kubelet security is a critical foundation of any hardened Kubernetes cluster. The kubelet, as the node-level agent, has direct access to the container runtime and the host operating system. Leaving it unsecured effectively gives any attacker who reaches a node the keys to the entire machine.
The core principles involve disabling anonymous authentication, closing the read-only port, enabling webhook-based authorization, and using TLS certificates for all communication. These measures align with the CIS Benchmark for Kubernetes and are explicitly tested in the CKS certification exam. For certification candidates, mastering the exact configuration flags and understanding the interplay between the kubelet, API server, and authorization plugins is essential.
In production, these configurations prevent lateral movement and data exfiltration, making them a non-negotiable part of any security team's playbook. Always verify your configuration with manual testing and automated scanning, and remember that a secure kubelet is the silent guardian of every node in your cluster.