Kubelet Security

The kubelet runs on every node in your cluster. It accepts API requests that can exec into containers, stream logs, read pod specs, and pull metrics. If an attacker reaches the kubelet API, they own the node and every workload on it.
The KCSA exam devotes 22% to Cluster Component Security, and the kubelet is the centerpiece. This article covers its API surface, authentication and authorization modes, the read-only port problem, and how TLS bootstrapping keeps node communications trustworthy.