MEDIUM
Source
Kube Hunter
ID
KHV052

Exposed Pods

An attacker could view sensitive information about pods that are bound to a Node using the exposed /pods endpoint This can be done either by accessing the readonly port (default 10255), or from the secure kubelet port (10250)

Ensure kubelet is protected using --anonymous-auth=false kubelet flag. Allow only legitimate users using --client-ca-file or --authentication-token-webhook kubelet flags. This is usually done by the installer or cloud proider.

Disable the readonly port by using --read-only-port=0 kubelet flag.