Port 10249: Kube-Proxy Metrics — The Exposed Heartbeat

What This Port Does

Port 10249 is the default metrics and health check port for kube-proxy, the networking component that runs on every Kubernetes worker node. It's not assigned through official IANA channels—it simply became the de facto standard in the Kubernetes ecosystem, and now it's everywhere.

When you run a Kubernetes cluster, kube-proxy is there on every node doing the translation work: taking traffic meant for a service and routing it to the actual pod behind it. Port 10249 is where kube-proxy broadcasts what it's doing. ¹

The Port Range It Lives In

Port 10249 sits in the registered ports range (1024–49151). This is the bandwidth IANA reserves for applications that request a port assignment. The difference between a "well-known" port (0–1023) and a registered port is legitimacy: one is officially blessed, the other is "we asked and got permission."

But here's the thing: kube-proxy never formally registered port 10249 with IANA. It just picked it, the Kubernetes community adopted it, and now it's standard. This is how standards sometimes actually form—not through RFC committees, but through something so useful that everyone copies it. ²

What Metrics Flow Through Here

Kube-proxy exposes Prometheus metrics on port 10249. These metrics tell you:

• Whether kube-proxy is healthy
• How many proxied connections are active
• What proxy mode the node is running (iptables, IPVS, etc.)
• Performance statistics and error counts

The /metrics endpoint and /proxyMode endpoint are there for observability. The problem: they're accessible without authentication. ³

Why This Matters for Security

In a properly configured cluster, port 10249 is supposed to be internal—only reachable from within the cluster or from monitoring systems you control. But misconfigured clusters, clusters exposed to untrusted networks, or cloud environments with loose security groups can leave port 10249 open. ⁴

An attacker who can reach this port learns:

• Whether kube-proxy is even running
• What networking mode the cluster uses
• Connection patterns and load information
• The existence and health of services

Not catastrophic, but it's information. And more importantly, it's a symptom: if port 10249 is exposed, what else is?

How to Check What's Listening

# On a Linux node with kube-proxy running:
netstat -tlnp | grep 10249

# Or with ss:
ss -tlnp | grep 10249

# Check the actual Prometheus metrics:
curl http://localhost:10249/metrics

On a Kubernetes cluster:

# Check if the metrics endpoint is responding:
kubectl port-forward -n kube-system daemonset/kube-proxy 10249:10249
curl http://localhost:10249/metrics

Related Ports in the Kubernetes Range

Kube-proxy isn't alone. The 10249–10259 range is Kubernetes infrastructure:

• 10250: kubelet API (also dangerous when exposed)
• 10251: kube-scheduler metrics
• 10252: kube-controller-manager metrics

These ports form the shadow network of Kubernetes—the internal nervous system that orchestrates everything. Most should never be on the public Internet. ⁵

Why Unassigned Ports Matter

Port 10249 is a reminder that the port number system works because communities respect boundaries, not because IANA enforces them. Kube-proxy could have used any port. It chose 10249, documented it, and the entire Kubernetes ecosystem standardized on it. That's power.

The real danger isn't that port 10249 is unassigned. It's that it became a default without security hardening, and now it's the implicit assumption of every cluster operator that this port won't be exposed. When assumptions become infrastructure, exposure becomes inevitable somewhere.