HIGH
Source
Kube Hunter
ID
KHV052

Exposed Pods

An attacker could view sensitive information about pods that are bound to a Node using the exposed /pods endpoint. This can be done either by accessing the read-only port (default 10255) or through the secure kubelet port (10250).

Ensure kubelet is protected using the --anonymous-auth=false kubelet flag. Allow only legitimate users using the --client-ca-file or --authentication-token-webhook kubelet flags. This is usually done by the installer or cloud provider.

Disable the read-only port by using the --read-only-port=0 kubelet flag.
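
To check a node against the settings above, the following added example (not part of Kube Hunter or the original advisory) audits a kubelet command line for the three flags. The function names and sample command lines are constructed for illustration. It assumes flags are written as --name=value or as a bare boolean flag, and that an unset --anonymous-auth defaults to true.

```shell
#!/bin/sh
# Added example: audit a kubelet command line for the KHV052 settings.
# Assumption: unset flags fall back to anonymous-auth=true and
# read-only-port=10255 (the default port stated in the advisory).

# flag_value ARGS NAME DEFAULT -> prints the last value given for --NAME
flag_value() {
    val=$3
    for arg in $1; do
        case $arg in
            --"$2"=*) val=${arg#*=} ;;
            --"$2")   val=true ;;      # bare boolean flag means true
        esac
    done
    printf '%s\n' "$val"
}

# audit_kubelet_args ARGS -> prints one line per finding, returns the count
audit_kubelet_args() {
    findings=0
    if [ "$(flag_value "$1" anonymous-auth true)" != "false" ]; then
        echo "FAIL anonymous-auth is enabled; set --anonymous-auth=false"
        findings=$((findings + 1))
    fi
    if [ "$(flag_value "$1" read-only-port 10255)" != "0" ]; then
        echo "FAIL read-only port is open; set --read-only-port=0"
        findings=$((findings + 1))
    fi
    ca=$(flag_value "$1" client-ca-file "")
    hook=$(flag_value "$1" authentication-token-webhook false)
    if [ -z "$ca" ] && [ "$hook" != "true" ]; then
        echo "FAIL no --client-ca-file or --authentication-token-webhook"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample command lines (not taken from a real cluster)
WEAK_ARGS="--kubeconfig=/etc/kubernetes/kubelet.conf"
HARDENED_ARGS="--kubeconfig=/etc/kubernetes/kubelet.conf --anonymous-auth=false --client-ca-file=/etc/kubernetes/pki/ca.crt --read-only-port=0"

echo "weak:";     audit_kubelet_args "$WEAK_ARGS"     || true
echo "hardened:"; audit_kubelet_args "$HARDENED_ARGS" && echo "OK"
```

On a node, the argument string can be taken from the running kubelet process; settings supplied through a kubelet configuration file are not covered by this check.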