An attacker could view sensitive information about the pods bound to a node through the exposed /pods endpoint of the kubelet. This can be done either by accessing the read-only port (default 10255) or via the secure kubelet port (10250).
Ensure the kubelet is protected by setting the --anonymous-auth=false kubelet flag. Allow only legitimate users by enabling the --authentication-token-webhook kubelet flag; this is usually done by the installer or cloud provider. Disable the read-only port by setting the --read-only-port=0 kubelet flag.
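The following is an added audit helper, not code from the original page or from the Kubernetes project: it parses a kubelet command line and reports which of the three settings above is still at its insecure default. The sample argument lists are constructed; the defaults encoded in DEFAULTS are the kubelet's documented flag defaults (anonymous auth on, token webhook off, read-only port 10255).

```python
"""Audit a kubelet command line for the three hardening settings in the advisory."""
from typing import Dict, List

# kubelet flag defaults for the settings the advisory discusses
DEFAULTS = {
    "anonymous-auth": "true",
    "authentication-token-webhook": "false",
    "read-only-port": "10255",
}

# Boolean flags: a bare "--name" means true; a value must be given as "--name=value".
BOOL_FLAGS = {"anonymous-auth", "authentication-token-webhook"}


def parse_flags(argv: List[str]) -> Dict[str, str]:
    """Turn ['--read-only-port', '0', '--anonymous-auth=false'] into a dict."""
    flags: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            name, has_eq, value = tok[2:].partition("=")
            if not has_eq:
                if name in BOOL_FLAGS:
                    value = "true"  # bare boolean flag
                elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                    value = argv[i + 1]  # "--name value" form for non-boolean flags
                    i += 1
            flags[name] = value
        i += 1
    return flags


def audit_kubelet(argv: List[str]) -> List[str]:
    """Return one finding per insecure setting; an empty list means all three are hardened."""
    flags = {**DEFAULTS, **parse_flags(argv)}
    findings: List[str] = []
    if flags["anonymous-auth"].lower() != "false":
        findings.append("anonymous-auth is not false: unauthenticated requests reach /pods on 10250")
    if flags["authentication-token-webhook"].lower() != "true":
        findings.append("authentication-token-webhook is off: bearer tokens are not validated against the API server")
    if flags["read-only-port"] != "0":
        findings.append(f"read-only-port={flags['read-only-port']}: unauthenticated /pods is served on that port")
    return findings


if __name__ == "__main__":
    # Constructed sample: read-only port disabled, but anonymous auth left at its default.
    for finding in audit_kubelet(["--read-only-port=0", "--authentication-token-webhook"]):
        print("FINDING:", finding)
```

On a real node, feed the helper the kubelet's argument list (for example from the process table) and remember that settings given in a KubeletConfiguration file override the flag defaults and are not visible to this flag-only check.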