Port 10248

What This Port Does

Port 10248 carries HTTP requests to the kubelet's healthz endpoint. When a Kubernetes control plane or monitoring system needs to verify that a worker node is still running and responsive, it sends a request to http://localhost:10248/healthz.

The kubelet responds with a simple answer: healthy or not. That's it. No authentication required. Just the node's vital signs.

The Port Range It Occupies

10248 falls within the registered ports (1024-49151), the range assigned by IANA through formal request processes. But here's the thing: port 10248 has no official IANA assignment. Kubernetes simply claimed this port through convention, and the infrastructure world adopted it. Sometimes the Internet doesn't wait for formal permission.

What You'll Find Listening

On any running Kubernetes node, port 10248 is bound to localhost only—not exposed to the network. This is by design. Only local processes should check the node's health. You won't find this port open to the public Internet on a properly secured cluster.

What's listening:

  • The kubelet — the Kubernetes node agent running on every worker node
  • Health checkers: PingHealthz (basic connectivity), LogHealthz (logging system), and a sync loop health check that verifies the node's internal synchronization is working

Why Unassigned Ports Matter

Port 10248 is a quiet example of how the Internet actually works. IANA maintains a registry of "official" port assignments. Port 10248 was never formally assigned. But Kubernetes needed a place to ask nodes "are you alive?" and this number was available, so they used it.

This happens thousands of times across the Internet. Protocols don't always get formal blessing before they're born. Sometimes the engineers solving the problem just pick a port, and if it works and doesn't conflict with anything else, it stays. The formal registry catches up later, or sometimes never.

Unassigned ports are where innovation lives. They're where teams desperate to solve problems grab a number from the free pool and start building. They're proof that the Internet is not a pure top-down design, but a living system that grows from practical need.

How to Check What's Listening

On a Kubernetes node, check if the kubelet is healthy:

# Check local kubelet health
curl http://localhost:10248/healthz

# Returns "ok" if the node is healthy, error message otherwise

To see what's actually listening on the port:

# macOS
lsof -i :10248

# Linux
netstat -tuln | grep 10248
# or
ss -tuln | grep 10248

On most production clusters, nothing will respond on port 10248 from external networks. The kubelet explicitly binds to localhost only.
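To turn the `ss` output above into a pass/fail check, this added example (not from the original page or the Kubernetes project) classifies the address that port 10248 is bound to. The function name `check_healthz_bind` and the sample `ss` output are constructed for illustration.

```shell
#!/bin/sh
# check_healthz_bind (hypothetical helper): reads `ss -tln` or `ss -tuln`
# output on stdin and prints one of:
#   loopback-only  every listener on the port is bound to 127.0.0.0/8 or ::1
#   exposed        at least one listener is bound to a wildcard or routable address
#   not-listening  no listener found on the port
# Optional $1 overrides the port (default 10248).
check_healthz_bind() {
  awk -v port="${1:-10248}" '
    /LISTEN/ {
      for (i = 1; i <= NF; i++) {
        n = split($i, parts, ":")
        # The local address is the first field whose last ":"-part is the port;
        # the peer field of a listening socket ends in ":*", so it never matches.
        if (n < 2 || parts[n] != port) continue
        addr = substr($i, 1, length($i) - length(port) - 1)
        seen = 1
        if (addr !~ /^127\./ && addr != "[::1]") exposed = 1
        break
      }
    }
    END {
      if (!seen) print "not-listening"
      else if (exposed) print "exposed"
      else print "loopback-only"
    }'
}

# Constructed sample: healthz on loopback, kubelet API on all interfaces.
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.1:10248    0.0.0.0:*
LISTEN 0      4096   *:10250            *:*'

# Constructed sample: healthz bound to every interface (misconfiguration).
SAMPLE_WILDCARD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   0.0.0.0:10248      0.0.0.0:*
LISTEN 0      4096   *:10250            *:*'

printf '%s\n' "$SAMPLE_LOOPBACK" | check_healthz_bind
printf '%s\n' "$SAMPLE_WILDCARD" | check_healthz_bind
# On a real node: ss -tln | check_healthz_bind
```

An `exposed` result means the health endpoint, which requires no authentication, is reachable from other hosts unless a firewall blocks it.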

The Port in the Larger Kubernetes Architecture

Port 10248 is the small door. Port 10250 is the main kubelet API. But this health endpoint matters because:

  • Control plane nodes check it to know if a worker is still functioning
  • Load balancers can use it for readiness checks
  • Monitoring systems scrape it to verify node health
  • Self-healing mechanisms depend on it to detect dead nodes and restart pods elsewhere

A single endpoint. A single response. But it's what keeps Kubernetes clusters self-healing and resilient.
