What This Port Carries
Port 10255 is the insecure, unauthenticated read-only port served by the kubelet on Kubernetes nodes.[1] If you can reach port 10255 on a node, you can query that kubelet's API over plain HTTP without any credentials and read sensitive information about the workloads it runs: container stats, pod specifications including environment variables (plaintext values are shown outright; Secret-backed variables reveal the Secret and key names), volume mounts, and node configuration.
Port Range: Registered Ports (1024–49151)
Port 10255 lives in the registered port range.[2] These are the ports IANA assigns when an organization applies for an official service designation. Officially, port 10255 has no assigned service in the IANA registry—it became a de facto standard through Kubernetes adoption, not through formal registration.
Why Kubelet Exposed This Port
Kubernetes had two kubelet ports from the beginning:
- Port 10250: HTTPS, with authentication and authorization enforced according to the kubelet's configuration
- Port 10255: plain HTTP, read-only, no authentication at all
The thinking was simple: separate concerns. Read operations don't need security. Write operations do. Let monitoring tools and dashboards hit port 10255. It seemed fine in 2014.
By 2024, this design choice looks reckless.
The Security Problem
Port 10255 allows unauthenticated access to:
- Container runtime and resource usage information (/stats and /stats/summary)
- Pod specifications, including container images, arguments, and environment variables (/pods)
- Kubelet and cAdvisor metrics (/metrics)
- Node configuration (/spec, on older releases)
An attacker with network access can enumerate every pod scheduled on that node (and, by hitting each node in turn, the whole cluster), discover database credentials passed as plaintext environment variables, learn which Secrets and keys back the rest, and identify high-value targets for compromise.[3] They don't need to authenticate. They don't need a password. They just need to reach the port.
The Great Deprecation
Google is phasing port 10255 out entirely:
- GKE Autopilot no longer enables it by default[4]
- New clusters on GKE 1.32+ cannot enable it
- Future GKE versions will remove the option altogether
Amazon EKS removed the port earlier. The industry consensus is clear: this was a mistake.
The recommended migration path is to move monitoring and dashboards to port 10250 (the authenticated HTTPS port) with proper credentials. Two caveats matter in practice. First, 10250 is only a secure replacement if the kubelet actually enforces access control there: anonymous authentication must be disabled and authorization must be `Webhook` rather than `AlwaysAllow`, otherwise 10250 leaks the same data plus write access. Second, turning the read-only port off is a kubelet setting (`readOnlyPort: 0` in the KubeletConfiguration, or `--read-only-port=0`), so do it on every node, not just on the ones a scanner happened to flag. Tools that scraped 10255 then authenticate to 10250 with a ServiceAccount token whose RBAC grants the `nodes/stats`, `nodes/metrics` or `nodes/proxy` subresources as needed.
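What that looks like in the kubelet's own configuration, as an added example (not from the page, and not a verbatim copy of Kubernetes documentation): the first fragment is a permissive legacy setup, the second is the hardened form. The field names are the real KubeletConfiguration fields; the CA path is the kubeadm default and is an assumption for your nodes.

```yaml
# Weak: read-only port on, anonymous requests accepted on 10250, and every
# request allowed without an authorization check. Port 10255 and 10250 both
# leak pod specs here; 10250 additionally accepts exec/run requests.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
readOnlyPort: 10255
authentication:
  anonymous:
    enabled: true
authorization:
  mode: AlwaysAllow
---
# Hardened: no read-only port at all. On 10250 a caller must present either a
# client certificate signed by clientCAFile or a bearer token the kubelet
# validates with the API server (TokenReview), and each request is then checked
# with a SubjectAccessReview (authorization mode Webhook).
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
readOnlyPort: 0
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt   # assumed path (kubeadm default)
authorization:
  mode: Webhook
```

After applying the hardened fragment and restarting the kubelet, an unauthenticated `GET` to port 10255 should fail to connect, and the same request to 10250 should return 401 rather than a PodList.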
Checking What's Listening
To see whether a Kubernetes node is exposing port 10255, request `/pods` or `/stats/summary` from the node over plain HTTP, with no TLS and no token. If you get JSON back, the kubelet is serving cluster internals to anyone who can reach the network; a connection refused or a timeout means the port is off or filtered.
To find it across your infrastructure, scan every node address for TCP 10255 and repeat the `/pods` request against each responder. Shodan indexes internet-exposed services by port, so a search filtered to port 10255 is exactly how an outsider finds kubelets that made this mistake.
Why Unassigned Ports Matter
Port 10255 shows what happens when a de facto standard emerges before formal governance catches up. Kubernetes became essential infrastructure, and port 10255 rode with it, never getting an IANA registration because by the time anyone thought to formalize it, the entire industry was already scrambling to get rid of it.
The lesson: ports without formal assignment can become industry standards anyway. And when they do, and they contain security flaws, the only remedy is complete deprecation.
See Also
- Port 10250 — The authenticated kubelet HTTPS port (the secure replacement)
- Port 6443 — Kubernetes API server (the control plane port)
- Port 2379 — etcd (where cluster secrets actually live)