The Fault in Our kubelets: Analyzing the Security of Publicly Exposed Kubernetes Clusters<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/e\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.html\"><br \/>\n<meta property=\"og:title\" content=\"The Fault in Our kubelets: Analyzing the Security of Publicly Exposed Kubernetes Clusters\"><br \/>\n<meta property=\"og:description\" content=\"While researching cloud-native tools, our Shodan scan revealed over 200,000 publicly exposed Kubernetes clusters and kubelet ports that can be abused by criminals.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/COVER-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"The Fault in Our kubelets: Analyzing the Security of Publicly Exposed Kubernetes Clusters\"><br \/>\n<meta name=\"twitter:description\" content=\"While researching cloud-native tools, our Shodan scan revealed over 200,000 publicly exposed Kubernetes clusters and kubelet ports that can be abused by criminals.\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/COVER-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.020909721534\">  <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a>  <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1975669612\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.7574850299401\">\n<div class=\"article-details\" role=\"heading\" readability=\"36.976047904192\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cloud<\/p>\n<p class=\"article-details__description\">While researching cloud-native tools, our Shodan scan revealed over 200,000 publicly exposed Kubernetes clusters and kubelet ports that can be abused by criminals.<\/p>\n<p class=\"article-details__author-by\">By: Magno Logan <time class=\"article-details__date\">May 24, 2022<\/time> <span>Read time: <\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>While researching cloud-native tools and how they can reveal information about a system or an organization, we came across some data sets from Shodan concerning Kubernetes clusters (aka K8s). Specifically, we found 243,469 Kubernetes clusters publicly exposed and identified on Shodan. Furthermore, these clusters also exposed port 10250, which is used by kubelet by default.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/figure-1-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.jpg\" alt=\"fig1-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\"><figcaption>Figure 1. Top five countries with the highest number of exposed kubelet ports from the Shodan query <product:”Kubernetes” port:10250>; search performed on April 19, 2022<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>This data is relatively new, and by analyzing the historical trend provided, we see that this data was added in July 2021, less than a year ago as of this writing. While using Shodan, we also identified the top 10 organizations hosting Kubernetes clusters and exposing the same kubelet port to the internet.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/figure-2-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.jpg\" alt=\"fig2-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\"><figcaption>Figure 2. Historical trend for the query <product:”Kubernetes” port:10250> using Shodan; search performed on April 19, 2022<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/figure-3-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.jpg\" alt=\"fig3-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\"><figcaption>Figure 3. Top 14 organizations hosting Kubernetes clusters with the exposed kubelet port; search performed on April 19, 2022 via Shodan<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p><span class=\"body-subhead-title\">The kubelet<\/span><br \/>The kubelet is the agent that runs on each node and ensures that all containers are running in a pod. It is also the agent responsible for any configuration changes on the nodes and has three main functions:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Helps nodes join the Kubernetes cluster<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Starts and manages the health of containers running on its node<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Keeps the control plane up to date on the node status and other information<br \/><\/span> <\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/figure-4-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.jpg\" alt=\"fig4-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\"><figcaption>Figure 4. The kubelet agent and how it works inside Kubernetes<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"44.780064014632\">\n<div readability=\"36.018747142204\">\n<p>With this in mind, we are concerned with cybercriminal developments where attackers abuse the kubelet API as an entry point in targeting Kubernetes clusters to mine for cryptocurrency, as we <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/e\/teamtnt-targets-kubernetes--nearly-50-000-ips-compromised.html\">reported<\/a> last year. The method of abusing container administration services to execute commands inside is listed on the MITRE ATT&CK for containers as a technique \u2014 <a href=\"https:\/\/attack.mitre.org\/techniques\/T1609\/\">T1609 – Container Administration Command<\/a> \u2014 which we contributed to the knowledge base by sharing our research and data.<\/p>\n<p><span class=\"body-subhead-title\">The kubelet API<\/span><\/p>\n<p>The port 10250 is used by the kubelet API by default. It is open on all nodes of a cluster, including the API server control plane and worker nodes. Usually, this port is only exposed internally and is not accessible via external services. Requests to the kubelet\u2019s API endpoint, which are not blocked by other authentication methods, are treated as anonymous requests by default. The kubelet is undocumented and one of the API endpoints is the <i>\/runningpods<\/i>, which returns all pods running on the node that the kubelet is in. There is also the <i>\/run<\/i> endpoint, which allows the user to run commands directly on the pods. For more information on the kubelet API endpoints, we recommend looking at the open-source tool <a href=\"https:\/\/github.com\/cyberark\/kubeletctl\">kubeletctl<\/a>, as this helps query the kubelet API just like kubectl does for the Kubernetes API server.<\/p>\n<p><span class=\"body-subhead-title\">Analyzing data from Shodan<\/span><\/p>\n<p>After seeing this number of Kubernetes clusters with their kubelets exposed to the internet, we had two questions in mind: How many of those clusters are leaking cluster information via the kubelet, and how many of them might be vulnerable to attacks via the kubelet? We downloaded and triaged the data from Shodan to identify the clusters that would respond to anonymous requests to the kubelet API. With the IP address information provided and a simple script to make requests to the kubelet API, we were able to gather some interesting information from the exposed Kubernetes nodes and kubelets. Results from our analysis of over 240,000 exposed Kubernetes nodes showed that most of the clusters tested block anonymous requests by returning the HTTP \u201c401 Status Code \u2013 Unauthorized,\u201d or were unreachable during the time of our requests.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/figure-5_landscape-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.jpg\" alt=\"fig5-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\"><figcaption>Figure 5. Number of exposed kubelets and the respective responses<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>This is what you would probably see when accessing the API endpoint via the browser, and what might be considered normal behavior for accessing APIs with unauthenticated tokens:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/figure-6-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.png\" alt=\"fig6-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\"><figcaption>Figure 6. A kubelet API endpoint returning a 401 \u201cUnauthorized\u201d notification to anonymous requests<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"41.5\">\n<div readability=\"28\">\n<p>At first, this might appear as a good sign. However, if an attacker can compromise the kubelet authentication token, these clusters could be in danger. In addition, this information already means that there is a Kubernetes cluster running in that environment, which can lead to the attacker trying other K8s exploits and vulnerabilities to infiltrate the environment.<\/p>\n<p>Making a few hundred server queries didn\u2019t return any response either by timing out after 10 seconds or by refusing to connect on that port. We think this is reasonable given that these environments are ephemeral and nodes can be created or destroyed based on demand.<\/p>\n<p>We also noticed that almost 3,500 servers returned a \u201c403 \u2013 Forbidden\u201d notification instead of the more common 401 response. This means that the kubelet API allowed the unauthenticated request, but identified that we didn\u2019t have the proper permissions (authorization) to access that specific endpoint. And as we can see from the image below, it clearly states why it is blocking the anonymous request (<i>user=system:anonymous<\/i>) from getting information about the running pods (<i>verb=get, resource=nodes<\/i>).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/figure-7-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.png\" alt=\"fig7-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\"><figcaption>Figure 7. kubelet API endpoint returning a 403 notice to anonymous requests<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>The last response, although on a lower number, was the \u201c200 \u2013 OK,\u201d meaning that some nodes running a kubelet responded with information regarding what pods were running on that node. This is a JSON response with information regarding the pod\u2019s name, namespace where it is running inside the cluster, as well as which containers are running inside each pod. One pod can have one or more containers running inside it. Here\u2019s an example of an exposed kubelet returning information about its running pods and containers: <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/figure-8-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.png\" alt=\"fig8-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\"><figcaption>Figure 8. An exposed kubelet returning data on the running pods on the node.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.074074074074\">\n<div readability=\"13.827160493827\">\n<p>We didn\u2019t try to execute commands on any of those pods that returned information from the kubelet API endpoint. But judging from their previous response, there is a high possibility that the requests to the <i>\/run<\/i> endpoint would also succeed. This means that an attacker would be able to install and run programs directly on those pods just by using the kubelet API. Again, this is like our documentation of what <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/e\/teamtnt-targets-kubernetes--nearly-50-000-ips-compromised.html\">TeamTNT<\/a> did to multiple clusters last year. Considering that this now from external requests, however, this can make things even easier for the attackers.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/figure-9-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.png\" alt=\"fig9-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\"><figcaption>Figure 9. An example of multiple run commands performed by cybercriminals such as TeamTNT to compromise K8s clusters via the kubelet API<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"41.28\">\n<div readability=\"28.502857142857\">\n<p><span class=\"body-subhead-title\">Protecting the kubelet<\/span><\/p>\n<p>While exposure of the kubelet has unfortunately become common as we have previously written about, this is one of the first few instances where we observed this many exposed nodes in one scan. In the wrong hands, these exposed nodes (kubelets) that list all the pods and respond with information on the endpoints (Response 200) can have permissions to deploy malicious pods such as cryptominers using the kubelet API. They can also deploy pods to steal secrets and credentials, and maybe even delete the entire node. For ethical reasons, we have chosen not to verify this.<\/p>\n<p>In particular, it is important to note here that since the organizations affected use the managed versions of Kubernetes, cloud service providers (CSPs) can improve their services to their customers by identifying and alerting their clients of their exposed and accessible kubelets. To prevent this issue from taking place in your cluster, it is important to keep in mind two critical factors for kubelet security settings: authentication and authorization.<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Enabling Kubelet authentication. According to Kubernetes documentation, requests to the kubelet\u2019s API endpoint (which are not blocked by other authentication methods) are treated as anonymous requests by default. It\u2019s important to ensure that you start the kubelets with the <i><–anonymous-auth=false><\/i> flag and disable anonymous access. This will not only disable anonymous access but also send the \u201c401 \u2013 Unauthorized\u201d responses to any unauthenticated requests to the kubelet. For more information, check the Kubernetes official recommendations on <a href=\"https:\/\/kubernetes.io\/docs\/reference\/command-line-tools-reference\/kubelet-authentication-authorization\/#overview\">Kubelet authentication<\/a>.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Enabling Kubelet authorization.<\/b> Any successful request that is authenticated by the kubelet API is automatically authorized. This is because the default authorization mode is set to \u201cAlwaysAllow,\u201d which allows all requests to the API. By enabling authorization properly, users can specify which HTTP methods and endpoints are allowed access by different users or service accounts. If the user is not authorized to access that specific resource, they will receive a \u201c403 \u2013 Forbidden\u201d response. For more information, check the Kubernetes official recommendations on <a href=\"https:\/\/kubernetes.io\/docs\/reference\/command-line-tools-reference\/kubelet-authentication-authorization\/#kubelet-authorization\">Kubelet authorization<\/a>.<\/span><\/li>\n<\/ul>\n<p>With Kubernetes\u2019 popularity and adoption, users should remain vigilant about its security. More information about protecting your Kubernetes cluster can be found in our two-part article \u201cThe Basics of Keeping Kubernetes Cluster Secure\u201d (part 1 is <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/security-technology\/the-basics-of-keeping-your-kubernetes-cluster-secure-part-1\">here<\/a> and part 2 is <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/virtualization-and-cloud\/the-basics-of-keeping-kubernetes-cluster-secure-worker-nodes-and-related-components\">here<\/a>). We also recommend customizing security settings as a best practice to keep your kubelets protected and to mitigate against the impact of threats, as follows:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><\/span>Restrict kubelet permissions to prevent attackers from reading kubelet credentials after breaking out of the container to perform malicious actions.<\/li>\n<li><span class=\"rte-red-bullet\"><\/span>Rotate the kubelet certificates. In the instance of a compromise, the certificates will be short-lived and the potential impact to clusters will be reduced.<\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p>   <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p>   <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/e\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>While researching cloud-native tools, our Shodan scan revealed over 200,000 publicly exposed Kubernetes clusters and kubelet ports that can be abused by criminals. Read More HERE…<\/p>\n","protected":false},"author":2,"featured_media":46799,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9520,9511,9508,9536],"class_list":["post-46798","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cloud","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-endpoints","tag-trend-micro-research-privacyrisks"],"yoast_head":"\n<title>The Fault in Our kubelets: Analyzing the Security of Publicly Exposed Kubernetes Clusters 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The Fault in Our kubelets: Analyzing the Security of Publicly Exposed Kubernetes Clusters 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-05-24T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/COVER-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"The Fault in Our kubelets: Analyzing the Security of Publicly Exposed Kubernetes Clusters\",\"datePublished\":\"2022-05-24T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\\\/\"},\"wordCount\":1566,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.jpg\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cloud\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Privacy&Risks\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\\\/\",\"name\":\"The Fault in Our kubelets: Analyzing the Security of Publicly Exposed Kubernetes Clusters 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.jpg\",\"datePublished\":\"2022-05-24T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.jpg\",\"width\":1333,\"height\":829},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"The Fault in Our kubelets: Analyzing the Security of Publicly Exposed Kubernetes Clusters\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n","yoast_head_json":{"title":"The Fault in Our kubelets: Analyzing the Security of Publicly Exposed Kubernetes Clusters 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/","og_locale":"en_US","og_type":"article","og_title":"The Fault in Our kubelets: Analyzing the Security of Publicly Exposed Kubernetes Clusters 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-05-24T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/COVER-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"The Fault in Our kubelets: Analyzing the Security of Publicly Exposed Kubernetes Clusters","datePublished":"2022-05-24T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/"},"wordCount":1566,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/05\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.jpg","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cloud","Trend Micro Research : Cyber Threats","Trend Micro Research : Endpoints","Trend Micro Research : Privacy&Risks"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/","url":"https:\/\/www.threatshub.org\/blog\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/","name":"The Fault in Our kubelets: Analyzing the Security of Publicly Exposed Kubernetes Clusters 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/05\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.jpg","datePublished":"2022-05-24T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/05\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/05\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.jpg","width":1333,"height":829},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"The Fault in Our kubelets: Analyzing the Security of Publicly Exposed Kubernetes Clusters"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/46798","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=46798"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/46798\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/46799"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=46798"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=46798"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=46798"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":46798,"date":"2022-05-24T00:00:00","date_gmt":"2022-05-24T00:00:00","guid":{"rendered":"urn:uuid:35ab1a01-b8a6-3e5a-8886-28ca0795b8e7"},"modified":"2022-05-24T00:00:00","modified_gmt":"2022-05-24T00:00:00","slug":"the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters\/","title":{"rendered":"The Fault in Our kubelets: Analyzing the Security of Publicly Exposed Kubernetes Clusters"},"content":{"rendered":"